Skip to main content

How attackers are using targeted spear-phishing to evade cybersecurity defenses

(Image credit: Shutterstock)

Do you have a spear-phishing problem? More importantly, would you even know if you did? And how would you deal with an incident? I ask these questions because the number of spear-phishing attacks continues to rise and the tactics used by attackers are evolving to become ever more targeted and to evade even the best of defenses. 

Within the context on the pandemic, we have increasingly identified scammers using the fear and concern associated with Covid-19 to drive phishing campaigns and, perhaps most prominently now, hackers have attached themselves with increasing vigour to the vaccination program. These spear-phishing attacks can be highly personalized and highly sophisticated, and are now designed to navigate basic cyber defense measures and utilize visual indicators of security, such as reCAPTCHA codes in phishing sites, official branding and legitimate email services, all for the purpose of convincing victims to enter their personal information.

All it takes is for one compromised password and email address before an entire organization’s data is at risk. This issue is regularly exacerbated by poor password practice from employees, as it allows attackers to hop from one account to another, infiltrating a number of accounts and countless quantities of sensitive data. Remote working has also increased the potential attack surface for cybercriminals, many of whom will be looking to capitalize on mistakes made by employees who are untrained in basic security measures or unfamiliar with 100 percent digital communication and working environments.

Yet I still see an alarming level of naivety and complacency about the threat that spear-phishing poses to organizations. Many people still think of the threat as just the stereotypical scam phishing emails that are picked up by email security gateway filtering.

Targeted attacks on the rise 

The reality is very different. Recent Barracuda research looked at more than 2.3 million spear-phishing attacks targeting 80,000 organizations worldwide over three months last year. It shows that targeted spear-phishing attacks are growing in volume and complexity, as is the impact they have on businesses. In particular, there is an increase in more targeted and subtle tactics such as brand impersonation, conversation hijacking and business email compromise (BEC).

BEC, where hackers impersonate an employee, vendor or other trusted individual, is one of the fastest-growing spear-phishing tactics. These are up from 7 percent of all spear-phishing attacks to 12 percent at the end of 2020. Usually, the goal of these type of attacks is to establish trust and get a response from the victim rather than just getting them to click on a malicious URL – as seen by the fact only 30 percent of BEC attacks include a URL.

Once inside, the hacker can use a compromised email account to legitimately communicate around that organization and convince people to take action on items, such as transferring money to an illegal bank account.

Inside a spear-phishing incident 

Take the example of a company I went to see that was convinced it absolutely did not have a spear-phishing problem. No way, not at all, not us. Using our email threat scanner we found some alarming results that showed the true scale of the company’s problem. 

A company email account had been compromised by a spear-phishing attack several months earlier. The attacker then sat within that email account and interacted undetected with suppliers to have invoices paid to different bank accounts. The attacker had managed to get into over 15 different email accounts within the company through a lateral movement – where an attacker uses a compromised email account to target other users internally within an organization. These attacks are especially difficult to detect because they come from internal, legitimate email accounts and appear to be from a trusted colleague.

It’s an example of how spear-phishing can have a big impact on the business and this is by no means an isolated incident. 

How to respond and tackle the threat 

The all-important question is how best to defend against this increased spear-phishing threat and how to respond to incidents that will inevitably evade defenses and creep in under the radar. The fundamentals are good inbox defense and incident response but there are three other critical elements:

1. Zero trust network access control

The purpose of a zero trust environment is to limit the scope of what or who can access your environment. Having zero trust access control means that even if an email account is compromised by a spear-phishing attack, a hacker can’t use that account as a springboard to other accounts and parts of the organization. This means not just access control to your internal network but also to your cloud applications, such as Microsoft Office 365, which is essentially wide open to the world unless you tie it down with proper controls. 

2. Multiple layers of email security

Defense in depth is a commonly used term but it is one of the most effective ways to tackle these threats. For email this includes the all-important email security gateway as well as newer tools such as inbox defense and spear-phishing protection. A lot of organizations still don’t have those additional layers or are under the misconception that their email security gateway does it all (it doesn’t, by the way). 

3. Education

Your staff are a key part of your security defenses so make sure they are aware of spear-phishing risks and that they have them front of mind every day. Train staff to recognize and report attacks and to understand the impact they can have on the organization. Don’t treat security awareness training as a once a year box tick. You need to be continuously educating and putting them through simulated attack exercises, as well as general awareness through posters on walls and banners on corporate intranets. Training should also be compulsory and customized to each employee to encourage participation and active engagement with each session, across an organization there will be vastly different security skill levels and weak spots, and analyzing, reporting and solving security inconsistencies amongst employees will be key in protecting your business, its employees and clients amidst the new and constantly changing cyber threat scape.

Steven Peake, Pre-Sales Manager, UK&I, Barracuda Networks

Steven Peake is Pre-Sales Manager, UK&I for Barracuda Networks, the trusted partner and leading provider for cloud-enabled security solutions.