Everywhere you turn, you are probably hearing about phishing attacks.
According to research by KnowBe4, 70% to 90% of breaches today involve phishing.
But do you know which kind of phishing is the most effective?
Let’s discuss the difference between phishing and spear phishing and how you can protect your business from each.
Before we get too deep into this conversation, let’s define:
What’s the difference between phishing and spear phishing?
Phishing is a more generic attack that uses emails or messages sent to large groups. Spear phishing, on the other hand, is highly targeted at a single individual or a small group of team members within a company. Spear phishing messages are more sophisticated and are crafted to achieve a particular outcome.
Whatever kind of phishing attack you discuss, the attacker’s goal is the same.
They want the target to click a link, download a file, enter credentials, provide information, or take some other detrimental action.
Criminals have come up with a myriad of schemes to accomplish this.
Phishing is actually the more general term that refers to any kind of malicious email or messaging that tries to get an individual to take detrimental actions.
As previously mentioned, phishing attacks are usually sent out to many more people than a spear phishing attack.
The attacker simply sends the phishing email to a list of addresses they have obtained and hopes that someone falls for it.
Valimail estimates that 3.4 billion phishing emails are sent every day.
And another study found that spear phishing emails have increased around 50% over the past year.
Phishing is not a new threat.
In fact, the first known use of the term phishing was 1996.
This was back in the days of AOL (America Online).
Since these early days, attackers have morphed and added quite a few techniques to their “tool bag.”
Most people have become aware of the risk of traditional phishing attacks.
Fortunately, more people recognize them and avoid them.
So, when an attacker is targeting a specific company, they usually use spear phishing and go after a select group of individuals.
A small, targeted campaign is less likely to be noticed, reported, and blocked.
These spear phishing emails are well-planned to look legitimate.
They may ask the victim to open a file or log into a portal somewhere.
Over the last few years, we have seen more sophisticated attackers using spear phishing with great success.
By now, you should understand the basic premise of phishing.
So, let’s look at some of the unique characteristics of spear phishing attacks.
Common characteristics of spear phishing attack messages
Before we dive into the characteristics of spear phishing emails, I should say that not all of these characteristics are unique.
Several of them can be found in other phishing methods as well.
Trigger an emotional response
People typically respond out of logic or emotion.
Phishing emails usually try to trigger an emotional response rather than a logical one.
People make worse choices when they respond out of emotion.
This is something to look for in spear phishing emails.
They are written to provoke a particular feeling, often a subtle one.
Common levers are fear, excitement, deference to authority, sympathy, and flattery (ego stroking).
Come from a trusted “sender”
Most of the time, spear phishing emails appear to come from someone you actually know or have interacted with at some point.
This information can usually be gathered through OSINT (Open Source Intelligence): your social media accounts, company website, press releases, etc.
Spear phishing attacks may even ask you to do something you do on a regular basis, but there are typically tiny clues (a slightly different sender domain, unusual urgency or tone) that give them away.
Links and attachments
The other big indicator of spear phishing is that the email contains a link or an attachment.
Occasionally, the email will just ask the recipient to perform an action like wire money or change account payment information.
Most of the time though, the attacker will include a malicious attachment or link.
They use this to gain initial access to your network and pivot further.
Quick Spear Phishing Case Study
We have seen shocking success when we use spear phishing tactics during penetration tests.
In fact, our average click rate is 50%.
That means half of the recipients click the link or take the intended action.
What’s worse is that we have gotten employee credentials on every social engineering engagement that we have done.
Here’s a quick spear phishing case study that will shed some light on how these attacks work:
1) Reconnaissance
We did a lot of reconnaissance on the target organization and found an announcement they had made about a recent endorsement by a reputable organization in the industry.
We knew we could make use of this.
During our recon, we also found the organization used a separate email portal for sending secure emails.
2) Attack Setup
Armed with the info we gathered during reconnaissance, we began setting up for our spear phishing campaign.
We bought a domain very similar to the one owned by the organization and set up email for it.
We even set up SPF and DMARC for the lookalike domain so its mail would pass authentication checks and get past security filters.
Next, we created a clone of the sign in portal for their secure email.
3) The Attack
Once all of the pieces were in place, we sent an email to 3 key people with a ploy -
The Wall Street Journal wanted to run a column about the announcement and the CEO needed them to fill out a few questions.
Due to the nature of the article, it was confidential.
Two of the three “logged in” to our fake portal and gave us their credentials.
We then vished them (called them by phone) for their 2FA codes and logged into their accounts.
You can check out a detailed version of this story here.
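The lookalike domain bought in step 2 is the part of this attack that a mail gateway can catch before a person ever sees the message. As an added example (not code from the original post or from the engagement described above), here is a Python check that flags sender domains resembling the organization's own domain through TLD swaps, homoglyph substitutions, small edit distances, or embedded brand names. The organization domain `acme-widgets.com`, the homoglyph table, and the sample addresses are all constructed for illustration.

```python
"""Flag inbound sender domains that impersonate our own domain.

Added example, not code from the original post. The organisation domain
and the sender addresses below are constructed for illustration.
"""
from __future__ import annotations

ORG_DOMAIN = "acme-widgets.com"  # assumed organisation domain (constructed)

# Substitutions attackers use because they look alike in common fonts.
# Multi-character sequences come first so 'rn' is collapsed before 'n' is touched.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(label: str) -> str:
    """Collapse homoglyph substitutions so 'acrne' compares equal to 'acme'."""
    out = label.lower()
    for src, dst in HOMOGLYPHS:
        out = out.replace(src, dst)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable name, tld). Treats the last label as the TLD, which is
    wrong for multi-part suffixes such as .co.uk; use a public-suffix list there."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(sender_domain: str) -> str | None:
    """Return why the sender domain looks like ORG_DOMAIN, or None if it does not."""
    sender_domain = sender_domain.lower().rstrip(".")
    if sender_domain == ORG_DOMAIN or sender_domain.endswith("." + ORG_DOMAIN):
        return None  # our own domain or a subdomain of it
    name, tld = split_domain(sender_domain)
    org_name, org_tld = split_domain(ORG_DOMAIN)
    if name == org_name and tld != org_tld:
        return "tld-swap"        # e.g. acme-widgets.co
    if normalize(name) == normalize(org_name):
        return "homoglyph"       # e.g. acrne-widgets.com
    if edit_distance(name, org_name) <= 2:
        return "typosquat"       # e.g. acme-widget.com
    if org_name in name:
        return "contains-brand"  # e.g. acme-widgets-secure.com
    return None


def scan(addresses: list[str]) -> dict[str, str]:
    """Map each suspicious address to the reason it was flagged; clean ones are omitted."""
    flagged: dict[str, str] = {}
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1]
        reason = classify(domain)
        if reason:
            flagged[addr] = reason
    return flagged


# Constructed sample of From: addresses as seen at a mail gateway.
SAMPLE_SENDERS = [
    "hr@acme-widgets.com",
    "ceo@acme-widgets.co",
    "news@acrne-widgets.com",
    "it@acme-widget.com",
    "portal@acme-widgets-secure.com",
    "editor@wsj.example",
]

if __name__ == "__main__":
    for addr, reason in scan(SAMPLE_SENDERS).items():
        print(f"{reason:15} {addr}")
```

In practice this check runs on the From header and the envelope sender of inbound mail, and a hit is a strong reason to quarantine or at least tag the message, since no legitimate partner should be mailing you from a domain one character away from your own.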
Hopefully, you now understand how attackers could target your organization via spear phishing.
How to Protect From Spear Phishing (or Phishing)
What can you do to protect yourself from spear phishing?
The best way to protect yourself and your organization from spear phishing attacks is to train your employees to identify and report them. Attackers will constantly morph their attack methods, but if your employees are trained well, they will stop the majority of spear phishing emails.
I won’t leave you there.
Let’s look at a few other steps to mitigate the threat of spear phishing even more.
Security awareness training
Like I mentioned, training your employees is absolutely one of the first steps you should take to mitigate the risk of any kind of phishing attack.
If your employees are aware of the threat, they are more likely to make secure decisions.
I always recommend that your security awareness training happen at least once a month.
You want to keep it at the forefront of their minds.
Including simulated phishing is even better.
One of the best ways to ensure that your employees don't fall victim to phishing or spear phishing attacks is to train them on the risk.
We have partnered with Wizer to provide completely free cybersecurity awareness training solutions. All of the videos are less than two minutes long and will teach your employees about the risks to avoid.
Another great way to help prevent phishing attacks is to use the email authentication protocols SPF, DKIM, and DMARC.
For a thorough explanation of how these controls work, check out this post.
Basically, SPF publishes which mail servers may send on your domain's behalf, and DKIM adds a cryptographic signature so the receiver can verify that a message really came from your organization's mail system and was not altered in transit.
DMARC tells the receiver what to do with mail that fails those checks (monitor, quarantine, or reject) and sends you reports so you can see who is spoofing your domain.
Keep in mind that these protocols only stop spoofing of your exact domain; they do nothing against a lookalike domain like the one in the case study above, which is why training and out-of-band verification still matter.
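To make the mechanics concrete, here is an added Python example (not from the original post) that evaluates DMARC the way a receiving mail server does: it parses a constructed DMARC record, checks whether the domain that passed SPF or DKIM aligns with the domain in the From header, and applies the published policy. The domains and DNS records are placeholders. The third constructed message shows the caveat from the case study above: a lookalike domain with its own SPF and DMARC passes cleanly, because authentication only proves the mail came from the domain in the From header, not that the domain is the one you trust.

```python
"""Evaluate DMARC for a message the way a receiving server does.

Added example, not from the original post. The DNS records and messages
below are constructed; the domains are placeholders.
"""
from __future__ import annotations

# Records the organisation would publish in DNS (constructed examples).
# TXT at acme-widgets.com: which hosts may send mail for the domain.
SPF_RECORD = "v=spf1 mx include:_spf.mailer.example -all"
# TXT at _dmarc.acme-widgets.com: policy for failures, alignment mode, report address.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@acme-widgets.com"


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain used for relaxed alignment. Takes the last two
    labels, which is wrong for suffixes such as .co.uk; a public-suffix list
    is needed in production."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') accepts any domain under the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_evaluate(header_from: str, record: str, *, spf_domain: str = "",
                   spf_pass: bool = False, dkim_domain: str = "",
                   dkim_pass: bool = False) -> tuple[str, str]:
    """Return (result, disposition). A message passes DMARC if SPF or DKIM
    passed AND the domain that passed aligns with the RFC5322.From domain.
    The record is the one published under _dmarc.<header_from domain>."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    policy = tags.get("p", "none")  # none | quarantine | reject
    return "fail", "deliver" if policy == "none" else policy


# Constructed messages as a receiver sees them after running SPF and DKIM.
LEGIT = dict(header_from="acme-widgets.com", spf_domain="bounce.acme-widgets.com",
             spf_pass=True, dkim_domain="acme-widgets.com", dkim_pass=True)
# Direct spoof: attacker's server passes SPF for ITS domain, not for the From domain.
SPOOF = dict(header_from="acme-widgets.com", spf_domain="evil-host.example", spf_pass=True)
# Lookalike: the attacker owns acme-widgets.co and published SPF/DMARC for it.
LOOKALIKE = dict(header_from="acme-widgets.co", spf_domain="acme-widgets.co", spf_pass=True)
ATTACKER_DMARC = "v=DMARC1; p=none"  # the lookalike domain's own record

if __name__ == "__main__":
    print(dmarc_evaluate(record=DMARC_RECORD, **LEGIT))       # ('pass', 'deliver')
    print(dmarc_evaluate(record=DMARC_RECORD, **SPOOF))       # ('fail', 'reject')
    print(dmarc_evaluate(record=ATTACKER_DMARC, **LOOKALIKE))  # ('pass', 'deliver')
```

The relaxed alignment default is what lets a bounce subdomain or a third-party mailer signing as `acme-widgets.com` pass; switching `aspf`/`adkim` to `s` tightens that but breaks legitimate senders that only pass on a subdomain, so roll it out with `p=none` and the aggregate reports first.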
Out of band verification
This is probably the most effective way to avoid falling for phishing attacks.
When you get an email with an attachment or link that looks off, or one asking you to take an action that is not quite normal, verify it through a different channel.
If the request came by email, pick up the phone and call the individual to verify they sent it.
If the request came by phone, email the person, or tell the caller you will call them back.
Call the number you already have for the actual person, not one provided in the message.
In many ways, spear phishing and phishing are very similar.
The key difference is that spear phishing is highly targeted and sent to a much smaller group.
Taking the precautions outlined above will dramatically improve your company’s resilience.