When phishing gets hyper-focused, it becomes more convincing. Learn how to spot a spear phishing attack before you “click here.”
No matter what technology is available, deception is a critical skill for any bad actor. Whether you call them con artists, scammers, threat actors, or even hackers, the ability to manipulate others with messaging alone is what yields success. We see deceptive messaging play a key role in our investigations daily:
- malicious websites harvest credentials by mimicking their legitimate counterparts,
- general “phishing” campaigns prey on the most relatable hopes and fears, and as mentioned in recent headlines,
- “spear phishing” targets specific individuals in hopes that they will falter and provide a gateway to an internal network.
No matter how technically skilled a threat actor may be, chances are that deceiving the human behind the computer is often easier than deceiving the machine itself. The logic behind a tricky salesman trying to sell snake oil is the same logic behind a modern-day threat actor trying to infiltrate a network. The more we understand the motives behind the messages we receive daily, the more responsibly, effectively, and safely we can interact with them.
When you find yourself the target of a malicious spear phishing campaign, there are some things you should look out for. In this article, I’m going to cover what spear phishing is, how spear phishing works, what makes these attacks successful, and what you can do to protect your organization from these threats.
Let’s hash it out.
What Is Spear Phishing?
Spear phishing refers to a malicious email message that targets a specific organization, role, or even person. It relies on readily available information (often from social media) like name, family relations, job, hobbies, or interests.
When carefully crafted messages refer to the true interests or facts of a person, they are more likely to be successful than generic phishing emails. This goes far beyond the Prince in Nigeria or being the 100th visitor to a certain website — these messages are fine-tuned and difficult to spot.
How Spear Phishing Works
Many threat actors are looking to exploit something easy. But there’s a smaller group of them who are more persistent at earning their “payday” through more focused and malicious means. While a general phishing campaign can be sent to thousands of inboxes in an instant, few users may actually fall for it, leaving the threat actor with a bad return on their investment.
Some examples of general phishing campaigns, such as those relating to COVID-19, offer tempting topics that prey on very relevant concerns within society. But a personalized attack is often more deceiving and, therefore, more successful.
The extra effort it takes to target individuals within an organization, department, or even team is often worthwhile to a threat actor. When a general phishing campaign could provide a small reward, a highly targeted spear phishing attempt could compromise a key stakeholder — providing more leverage to a threat actor and more potential damage to a victim organization.
According to Microsoft, these attacks often fool the most tech-savvy employees or the C-level decision-makers because they’re so targeted; the messages themselves could be indistinguishable from a legitimate request or call to action. Personalized information — even something as simple as a first name, marital status, or a topic that resonates with an intended recipient — could help convince that recipient to actually do whatever the malicious message requests.
Because of how deceptive, targeted and, unfortunately, successful spear phishing campaigns are, they will continue to pose a risk. However, building awareness about this form of cyber attack can weaken its effectiveness. In order to better understand this deception, we’re going to break it down:
- how information is gathered,
- how victims are chosen, and
- what to look out for if faced with a spear phishing message.
Sharing Too Much Information
Spear phishing relies on social engineering, or “any act that influences a person to take any action that may or may not be in their best interest” as defined by an expert in the field, Christopher Hadnagy. In order to successfully influence someone to take any action, relevant information is required. While sensitive information is more valuable to threat actors, they can still do quite a bit of damage with readily available information via the internet or social media platforms.
When describing the process of information gathering in a recent Darknet Diaries podcast, Hadnagy notes how social media provides enough information to be used against someone. Although personalized fields like “name,” “hometown,” or even “relationship status” aren’t considered to be classified information, they can easily become a perfect vehicle for a spear phishing message. Social networks like LinkedIn, which are intended for professional use, are especially targeted by threat actors. Features that show employee names, roles, and even locations at a glance can provide spear phishers with enough information to at least start pinpointing a potential victim.
Information on social media can connect the right people to the right organizations, but keep in mind this same information is often misused by threat actors. Seemingly innocent insights on what’s going on within a business, department, or team often serve as the perfect vehicle for crafting an effective spear phishing message.
Methods of Contact
It bears repeating: Deception can take many forms, no matter what technology is available. In the case of spear phishing, we often see these malicious messages via email, but also via phone calls. This is a type of voice phishing, or what is known as vishing.
Email is arguably a more prominent vehicle for this type of attack as it is inexpensive, convenient, and often a preferred method of communication for an intended recipient. Whereas general phishing emails might have glaring warning signs like misspelled phrases, suspicious “from” addresses, or other obvious errors, spear phishing email messages require threat actors to do their homework and take more time crafting convincing messages.
If a threat actor has ample time to complete their research when targeting a victim, they may opt for a phone call to deploy their message as well. In an example from Christopher Hadnagy, while working as a penetration tester for an organization, he successfully convinced an employee to:
- visit a website,
- download malware,
- and offer information — all by simply portraying a trusted IT source over the phone.
In a more recent example, and to demonstrate how successful this method still is for some threat actors, Twitter recently disclosed how their internal tools were briefly compromised after a phone spear phishing attack.
How to Spot a Spear Phishing Attack
While spear phishing attacks often target high-level decision-makers within an organization, bringing this kind of awareness to an entire firm is helpful. Other commonly targeted roles include:
- recruiters (as they often receive resumes and other important documents via email),
- IT professionals (as they hold important credentials to sensitive, internal tools), and even
- recent hires (as they may fall victim to campaigns that are well-known by more experienced colleagues).
Spear phishing can be tailored to any role or even any one individual, so we highly recommend phishing and cyber awareness training for everyone within your organization regardless of job title.
Some concepts to be aware of in thwarting a potential spear phishing attack are as follows:
- Keep an eye out for any technical red flags. Is this message coming from a legitimate email address/phone number?
- If the message is written to create a sense of urgency, this should alert an end-user. If the call to action must be taken within a short timeframe, further authentication should be considered.
- Is the message’s tone in alignment with the organization’s regular culture? Keep an eye out for any inconsistencies in the nature of requests/methods of communication.
- Encourage employees to report any suspicious messages as early as possible.
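The first two points on this checklist (a sender address that does not match the organization, a Reply-To that quietly redirects responses, and urgency language) can be checked mechanically before a message reaches a person. The script below is an added example and is not code from the original article; it assumes a trusted domain of example-corp.com and runs over a constructed sample message.

```python
# Added example: flag technical red flags in a raw email message.
# TRUSTED_DOMAIN and the sample messages are constructed for illustration.
import email
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-corp.com"  # assumption: the organization's own domain
URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ (hours?|minutes?)|asap|right away)\b", re.I)

def domain_of(addr: str) -> str:
    """Return the lower-cased domain of an RFC 5322 address, or '' if absent."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def lookalike(dom: str, trusted: str) -> bool:
    """True when dom is not the trusted domain but is one edit away from it
    (one substituted, inserted or deleted character, e.g. examp1e-corp.com)."""
    if dom == trusted or abs(len(dom) - len(trusted)) > 1:
        return False
    if len(dom) == len(trusted):
        return sum(a != b for a, b in zip(dom, trusted)) == 1
    short, long = sorted((dom, trusted), key=len)
    i = 0
    while i < len(short) and short[i] == long[i]:
        i += 1
    return short[i:] == long[i + 1:]

def red_flags(raw: str) -> list[str]:
    """Return a list of human-readable red flags found in a raw message."""
    msg = email.message_from_string(raw)
    flags = []
    from_dom = domain_of(msg.get("From", ""))
    if lookalike(from_dom, TRUSTED_DOMAIN):
        flags.append(f"lookalike sender domain: {from_dom}")
    # Reply-To / Return-Path pointing elsewhere means replies or bounces leave the org.
    for hdr in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(hdr, ""))
        if other and other != from_dom:
            flags.append(f"{hdr} domain ({other}) differs from From ({from_dom})")
    # Only the single-part case is handled here; a real filter would walk all parts.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        flags.append("urgency language in subject or body")
    return flags

SAMPLE = """From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@mail-relay.invalid
To: bob@example-corp.com
Subject: Urgent: vendor payment before 5pm

Bob, I'm in a meeting and need this handled right away. Reply with the details.
"""

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```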
What the Attacker Does Next and How to Stop It
After the threat actor gains someone’s trust and gets them to open an email and click a link, the threat actor may either try to steal the victim’s credentials (usernames and passwords) to gain further access, or try to get the user to download a payload that gives the attacker a remote foothold in the network.
To prevent an attacker from stealing credentials and gaining access to your data, your best tool is multi-factor authentication (MFA). MFA combines a strong password with a second form of authentication (like an SMS code, push notification, or physical token like a U2F key) to log in. You should ensure that all your cloud-based accounts (email, banking, etc.) have multi-factor authentication enabled. Any remote access into your network through a virtual private network (VPN) should also have multi-factor authentication enabled.
(Editor’s note: You can also use certificate-based authentication methods, such as using a client authentication certificate in conjunction with a trusted platform module.)
To prevent an attacker from using a foothold in your network to move further and compromise your data, you may need to look at network configurations that include “zero trust” architectures or micro-segmentation. This makes it so that workstations and services can only talk to the networks and devices that are necessary for business, and nothing more. Implementing these access controls will restrict the potential reach (and impact) of a threat actor trying to compromise a network.
With a better understanding of how targeted deception looks in an inbox, employees across entire organizations are better equipped with the tools to stop spear phishing. No matter what technology is available, staying alert to the deception behind social engineering and the process of gathering targeted information will significantly decrease the chances of falling victim in the future.