The latest trends in spear phishing attacks are extremely worrying. Let’s start with a definition of spear phishing. According to Kapersky, spear phishing (also called targeted phishing) is a targeted email scam with the sole purpose of obtaining unauthorized access to sensitive data. Mass phishing is being abandoned because spear phishing is more profitable. Fireeye compared the cost of mass emails and spear phishing. They found that although spear phishing costs 20 times more per victim, the average return is 40 times greater. This is why such attacks are intensifying.
Roughly 65% of cyber attackers have leveraged spear phishing emails as a primary attack vector in 2022. (Cybertalk 2022)
Cybercriminals increasingly refine the attack, making it more and more difficult to detect. Over 90% of security attacks use spear phishing at some point. Even though expenditures on spear phishing prevention have skyrocketed in the past year, a study by CSO magazine, reported in January 2016, estimates that 28 percent of attacks are successful. Spear phishing is based more on social engineering than on clever technology, so protection requires more than a technological solution.
To make a spear phishing attack credible, the attacker must do his homework. He finds out as much as possible about the victim and the company. Social media sites contain a treasure trove of information. The attacker may have your email address. He could find it online, buy it from a shady source, break into your network to get it, or coax a colleague to provide it.
The attacker carefully crafts the email to appear to come from a source the recipient already deals with, such as a delivery company, online store, entertainment provider, or financial institution. Often the email presents an amazing likeness of a company logo. Here’s a recent blog post that describes such real world spear phishing attacks that cost the company in question dearly.
There is no one approach, form, or purpose to these emails; that is why spotting a bogus email is often difficult.
Stealing money
What do spear phishers want? Money, information, and destruction.Spear phishers regularly target customers of credit card companies, banks, credit unions, and insurance companies, as well as online businesses such as Paypal and Amazon. Instead of using an email attachment, many emails either attach an HTML document or include HTML data. For example, you receive an email from a “financial institution” requesting you to click on a link to change your password. You are redirected without your knowledge to a site that collects your old password. The attacker logs into your account and steals your money.
Companies are also victims. According to a recent report by IBM, here is the cost of data breaches in 2022, due to phishing and social-engineering attacks:
Phishing - $4.91 million (compared to $4.65 million in 2021).
Social engineering criminal attacks - $4.10 million (compared to $4.47 million in 2021).
Let’s look at an example of a recent campaign reported by the FBI. An email or phone call is received from fraudsters who identify themselves as lawyers handling confidential or time-sensitive matters. The recipient is pressured to act quickly or secretly in handling the transfer of funds. The scam occurs at the end of the business day or work week or be timed to coincide with the close of business of international financial institutions.
Piggybacking of events of interest
During tax season there is a bump in spear phishing by “tax authorities” requesting financial information or providing tax “receipts” that are malware in disguise. In the US, there is presently such a campaign targeting security professionals and IT management in technical companies. The email comes from an address such as assupport@gov.com or support@link2.gov. The attachment contains a malicious VBA script that automatically executes if opened. Attackers are keen to take advantage of what is happening in the world to further their agenda. Even terrorist attacks have been used by spear phishers as an opportunity to piggyback on mass interest.
Stealing data
Data breaches often start with a spear phishing attack. In August 2015, the disastrous data breach at Carphone Warehouse began with spear phishing emails. Spear phishing attacks are difficult to detect and protect against. Since the attacks rely on social engineering to succeed, user training to spot malicious emails is critical.
Protecting against spear phishing
Attackers constantly change tactics, so it is important to use multiple defenses:
- A layered approach to security
- Secure email gateways
- Multiple anti-virus engines
- Powerful spam filters
- Advanced malware protection
- Device monitoring and management
A crack in the defenses
The protection discussed above is, of course, installed in the corporate environment. Let’s say an employee is using BYOD. What happens when he opens a malicious email when outside the corporate network? Or clicks on a malicious link through a personal email account like Gmail? Employees need to know that these actions can lead to compromise of the company’s entire network.
Experts predict that spear phishing will continue its stupendous growth, and that varieties will proliferate, requiring increasingly more technology to fend off the onslaught. The attacks will also involve even more clever social engineering tactics. So the best overall defense consists of vigilant users who think twice before revealing information or clicking on email links or attachments.
Why not download our report on "How Cybercriminals Steal Money!". It explains what the cybercriminals are doing and what you can do to protect against these attacks.