Phishing attacks have been a favorite tool of cybercriminals for years. Phishing is an attempt to gain unauthorized access to account credentials or financial information by imitating a trustworthy entity. While there are many types of phishing attacks, the most successful form is spear phishing, which focuses on stealing information from specifically targeted victims. In fact, spear phishing accounts for 91% of cyberattacks.
Last year, in 2018, Airbnb customers were targeted by a spear phishing attack in which the attackers used social engineering methods to pick their victims. They then sent out a fake email, purportedly from Airbnb, describing the implications of the General Data Protection Regulation (GDPR). The email told its recipients not to accept further bookings until they had complied with GDPR. The attached link took the customers to a spoofed site, which then collected the victims' personal details.
While these attacks may not make the front page, it is important to keep in mind that 71.4% of targeted attacks involved the use of spear-phishing emails (Symantec Internet Security Threat Report 2018).
Phishing vs. Spear Phishing
Since both phishing and spear phishing attacks are aimed at acquiring access to confidential or private data, they are often confused with each other. Phishing is the broader term for any cyberattack attempt in which the attacker poses as a genuine entity to trick victims into performing a specified action; it is primarily the targeting pattern that distinguishes the two.
Phishing – Phishing emails target a large group of people. Generally, the targets are picked at random with the expectation that a small percentage of them will fall victim.
How does it work?
An email from a seemingly trusted source lands in your inbox. It could also be a call, an SMS, or a message on your social media account. These emails usually contain a malicious URL that redirects you to a fake website or downloads malware.
Spear phishing – Spear phishing emails are a targeted approach, where the attacker targets either a single recipient or a group of recipients who share the same characteristics.
How does it work?
Under this attack, a targeted employee of an organization receives a fake email from an authentic-seeming source. The email will seem extremely authentic, right down to the sentence formation, and will address the target's interests.
How does spear phishing work?
Spear phishing attackers plan their attacks by first identifying their target. There are a few elements common to spear phishing attacks –
- Source looks legitimate – Scammers craft their emails so that they appear to come from a legitimate source. The sender address closely resembles a genuine email ID.
- Personalized messages – As attackers are familiar with the habits of their targets, they draft mails with personalized messages.
For instance, if you have shared upcoming plans, such as a visit to Florida, then you might receive an email from a "friend" suggesting a place to visit, with a link to a website.
- Enticing call-to-action – The email is crafted so that you will click on the link, because it offers exactly what you might be looking for.
For instance, you could receive an email from what you believe to be your HR department. This email may state that you are now privy to new benefits, inviting you to click on a malicious link to “view the benefits.”
- Redirection – The URL included in the mail, when clicked, takes you to a spoof website or downloads malware. If you are redirected to a fake website, then it might also prompt you to enter your login credentials or record your online activities.
For instance, the message will claim that your system is suffering from a performance problem, or that a virus is attacking it. To get rid of the issue, you will be asked to log in to your account, resulting in compromised login credentials.
Once the perpetrator gets what they were looking for, they can misuse the information to initiate a banking transaction or impersonate you to perform other malicious acts.
Dedicated practices to avoid spear phishing
Spear phishing can lead to the compromise of sensitive data. If the required security measures are not put in place properly, a targeted attack may lead to a destructive security breach. In the past few years, the world has seen this in several incidents, including Home Depot and Target. These organizations lost not only their customer data but also millions of dollars in settlements.
- Filter your inbox – Configure your email application so that it blocks spam emails efficiently. It must separate emails generated from trusted sources from those originating outside the system.
- Encryption – If an email is sent after cryptographically signing it, then only the person with the private key can access the content of the mail. This makes it difficult for an imposter to pass themselves off as a legitimate source.
- Anti-spam software and devices – It has been noticed that spear phishing messages target systems that are already compromised. In this scenario, anti-spam software and devices can identify a compromised mail server.
- Update all software – Updating installed applications and software is a crucial step. If it is not done regularly, cybercriminals can misuse this lag to exploit known but unpatched vulnerabilities.
- Keep an eye on your online activities – Have you been sharing your personal information on social media accounts? If yes, then a potential scammer can use the same details to frame a personalized message, which might lead you to a spear phishing attack.
- Use smart passwords – If you are someone who uses the same password or variations of it on different platforms, then change your password to a random phrase or combination of numbers, letters, and special symbols.
- Implement a data protection program – Every mid-size to large corporation should have a data protection program. Install data loss prevention software so that sensitive data is protected efficiently.
- Awareness – Make sure that your employees are well aware of spear phishing attacks. They should know how to detect such attacks. Train them on good email practices –
  - Do not reveal personal information in emails unless the request comes from a trusted source (after cross-verifying the source against a legitimate database)
  - Never click on links sent through emails, especially ones asking for your financial or banking details
  - Always report suspicious emails
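The elements listed under "How does spear phishing work?" (a lookalike sender address, pressure wording that pushes the reader to click, and a link that redirects somewhere other than where it appears to point) are exactly what the "Filter your inbox" practice above has to look for. The following Python script is an added example written for this page, not code from the original article or from EC-Council; the trusted domain list, the call-to-action phrase list, the edit-distance threshold and both sample messages are constructed assumptions.

```python
"""Score an inbound email for the spear-phishing indicators described in the article.

Added example; the domains, phrases, thresholds and sample messages below are
assumptions constructed for illustration, not taken from any real mail system.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}          # assumption: the organization's own domain
EDIT_DISTANCE_THRESHOLD = 2                # how close a domain must be to count as a lookalike
CTA_PHRASES = ("action required", "urgent", "within 24 hours",
               "log in", "verify your", "click here")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a trusted domain marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating link text written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def lookalike_of(host: str):
    """Return the trusted domain this host resembles (but is not), or None."""
    for d in TRUSTED_DOMAINS:
        if host != d and edit_distance(host, d) <= EDIT_DISTANCE_THRESHOLD:
            return d
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value) -> str:
    return email.utils.parseaddr(str(header_value or ""))[1].rsplit("@", 1)[-1].lower()


def analyze(raw: str) -> dict:
    """Return the spear-phishing indicators found in one RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = _domain(msg.get("From"))

    # Element 1: the source "looks legitimate" but is a lookalike of a trusted domain.
    if not is_trusted(from_domain):
        near = lookalike_of(from_domain)
        if near:
            findings.append(f"sender domain {from_domain} resembles trusted domain {near}")
    # Replies quietly diverted to a different domain are a second sender-spoofing signal.
    if msg.get("Reply-To") and _domain(msg.get("Reply-To")) != from_domain:
        findings.append(f"Reply-To domain {_domain(msg.get('Reply-To'))} differs from {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    # Element 4: redirection to an untrusted site, often hidden behind legitimate-looking text.
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_host = host_of(href)
        if href_host and not is_trusted(href_host):
            findings.append(f"link to untrusted host {href_host}")
        if "." in text and host_of(text) != href_host:
            findings.append(f"link text shows {host_of(text)} but points to {href_host}")
    # Element 3: pressure wording that pushes the reader to click.
    plain = re.sub(r"<[^>]+>", " ", html).lower() + " " + str(msg.get("Subject", "")).lower()
    hits = [p for p in CTA_PHRASES if p in plain]
    if hits:
        findings.append("call-to-action pressure wording: " + ", ".join(hits))

    return {"from_domain": from_domain, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages (not real mail): one benign, one modelled on the HR-benefits lure.
SAMPLE_BENIGN = """\
From: "HR Department" <hr@example.com>
To: alice@example.com
Subject: Updated holiday calendar
Content-Type: text/html; charset="utf-8"

<html><body><p>The updated holiday calendar is on the
<a href="https://intranet.example.com/holidays">intranet</a>.</p></body></html>
"""

SAMPLE_SPEAR = """\
From: "HR Department" <hr@examp1e.com>
Reply-To: hr-benefits@mail-collect.net
To: alice@example.com
Subject: Action required: view your new benefits today
Content-Type: text/html; charset="utf-8"

<html><body><p>Your benefits changed. Please log in within 24 hours to
<a href="http://examp1e-benefits.net/login">https://benefits.example.com/view</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("benign", SAMPLE_BENIGN), ("spear", SAMPLE_SPEAR)):
        result = analyze(raw)
        print(f"{name}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run directly, the benign message produces no findings, while the lure is flagged for the lookalike sender, the diverted Reply-To, the untrusted link, the mismatch between the link text and its real destination, and the pressure wording. A production filter would run checks like these alongside sender authentication (SPF, DKIM, DMARC), which a lookalike-domain heuristic does not replace; the value of the heuristic is that it names the very elements the article lists, so the findings can be shown to the recipient as part of awareness training.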
As email is the most common entry point for targeted attacks, it is vital to protect organizations from anticipated attacks. Certified Ethical Hacker (C|EH) has a module that deals with different social engineering attacks, including spear phishing. The program comprehensively covers 340 attack technologies along with the required security measures. It focuses on gaining practically applicable skills with our state-of-the-art iLabs – a virtual lab that mimics real-world challenges. It is a hands-on program built in compliance with the NICE 2.0 framework.