Spear phishing: How it works and how to avoid it

Unlike spam or phishing emails, which involve a broad and varied range of targets, spear phishing is a highly targeted email attack against a specific group, organisation, or even person. The main aim of a spear phishing attack is either to obtain unauthorised access to sensitive data, whether this is intellectual property, financial data, trade or military intelligence, or to get the recipient of the email to act on a command, whether this is to transfer money or to share confidential data.

What does a typical spear phishing email look like?

Spear phishing emails are extremely deceptive as they typically attempt to represent an identity that is known and trusted, and look very similar to a legitimate email someone would expect to receive during the course of a work day. A common spear phishing example is when an email seemingly from a CEO/CFO is sent to a member of senior staff asking for a specific sum of money to be transferred into an unfamiliar account. Spear phishing emails may contain a link, directing the victim to a malicious page, or an attachment with embedded malware. However, a common and growing style of spear phishing attack does not contain such a malicious 'payload', but simply contains socially engineered content, either asking for an action to be carried out, or asking for passwords, financial details, or other protected information.

What precautions need to be taken to avoid being the victim of a spear phishing attack?

Today’s businesses have to exercise a degree of caution by using tools to alert organisations to suspicious emails, regularly training employees and having robust processes in place. In addition, companies should leverage a cybersecurity solution that enables them to detect spoofed emails before the messages are delivered to employees. With the right approach, enterprises can prevent their businesses from being victims of carefully engineered and targeted attacks.

What social engineering tactics are cybercriminals deploying when constructing phishing emails?

Spear phishers are much more sinister than spammers – for example, they will likely know enough about a target to personalise the email greeting to include a first name instead of a generic 'Dear Sir'. Cybercriminals may also know details such as where someone works, who their manager is, and – if the target regularly posts work-related messages on social media – if they’re off-site at a conference. By referencing these details in an email, cybercriminals are able to create a message that seems legitimate, making the victim more likely to respond with the requested information.

Spear phishing messages also claim to be sent from an identity - an individual or a brand - that is known and trusted by the recipient. Spear phishers use this identity in the 'From' header of the message, the content of which is prominently displayed in most email applications. When possible, criminals spoof the actual email address of the identity they are trying to represent. Alternatively, they use a 'lookalike' email address, attempting to trick the recipient into believing the message came from the trusted individual.

What are cybercriminals doing in the lead up to a phishing scam and what do they expect the outcome to be?

Sophisticated cybercriminals are increasingly investing time in getting to know their victims – their names, email addresses, locations, and even the business processes within their organisations. Spear phishers also research the identity that they use for spoofing, often leveraging social media feeds and public company information to understand their schedule, their relationship to the victim, and sometimes even their writing style.

Cybercriminals are also using legitimate cloud services and public cloud infrastructure to send out their attacks. With the ready availability of such services and the low volume of messages required for such targeted attacks, criminals are able to send spear phishing messages at a low cost. By using servers or services that are often shared with real companies, criminals are able to exploit the positive reputation of the cloud providers.

With the type of personal information described above which is increasingly readily available online, and the prevalence of inexpensive cloud infrastructure, savvy cybercriminals are equipped with the resources to create carefully engineered emails that evade existing security solutions and successfully trick users into handing over confidential information or making fraudulent payments.

Why does combating targeted email attacks, data breaches, and financial loss need to be a 2016 priority for enterprises?

If a business wants to keep its name out of the next headline, it’s imperative it addresses the primary vector criminals are using to attack: email. Measures like training employees to detect bad emails and financial controls to stop unauthorised wire transfers make good sense, but they don’t address the root of the problem. The core issue is that businesses need to put into place measures to ensure that only trusted emails enter the mailbox of their employees, rather than expecting them to analyse the trustworthiness of every email on their own.

How can we restore trust to the email ecosystem?

When it comes to protecting employees from spear phishing, a ‘one size fits all’ approach to email security doesn’t work. Attacks are becoming more frequent, more complex, and more intelligent. There is no single solution available that can solve the breadth of this email security problem. What’s needed is a mix of multiple controls - a cocktail of complementary solutions that provides a multi-layered approach to cybersecurity where prevention, early detection, attack containment, and recovery measures are considered together. At the core of this should be a solution that focuses on establishing the authenticity and trust of each message sent to your employees.

Vidur Apparao, Chief Technology Officer at Agari
