Macro Systems Blog
What You Need to Know About Spear Phishing
You may have heard of phishing: the method cybercriminals use to scam their targets by impersonating someone that their targets would trust, requesting access credentials or other sensitive information. Did you know that there are specific types of phishing? Let's review spear phishing, one of the biggest risks to your business.
What’s the Difference Between Phishing and Spear Phishing?
In a word, personalization. Your usual phishing campaign casts a wide net to try to catch as many victims as possible. By writing a vague, generic email that appears to be from some large company or organization, the typical phishing attack can be aimed at almost anyone with a reasonable chance of success, although this genericness also makes such messages easier to spot if one knows what to look for.
Spear phishing, however, goes for quality over quantity. Instead of casting out a wide net to catch a large group, spear phishing requires a more focused approach; it targets a single, influential individual.
In order to do this effectively, a cybercriminal can’t just rely on a generic message. The hacker will do some digging, finding out everything they can about their target: where they work, who they work with, and what it is that they do. Once they’ve gathered the information they need, the hacker will spoof an email, often referencing some project or mutual contact to prove their “legitimacy”, including a link to a downloadable file.
This link will take the recipient to what looks to be a login page for Google Drive or Dropbox, but is actually another part of the hacker’s deceit. Once the user enters their credentials, the scammer has them to use for themselves, completely undermining the user’s security and potentially causing a business crisis.
How Do Spear Phishers Trick People?
There are a number of ways that hackers can make their messages more realistic, especially when they’re leveraging a spear phishing strategy. These methods combine some practical skills with a bit of psychology, supported by the research that these hackers do.
As a result, instead of the phishing message being vague and sketchy, it might reference actual people, events, and things relevant to the target. They will often be spoofed to appear to come from an authority figure, like a manager or the CEO, to encourage the recipient to do what the email says without really thinking about it or questioning it too much. Unlike many other phishing messages, spear phishing messages are usually well written, without spelling or grammar errors.
These cybercriminals can be especially devious; they will even purchase close-match domains to make their attacks that much more persuasive.
Say that you owned the domain example-dot-com. Someone trying to phish someone else by posing as you could buy their own domain, exampIe-dot-com. It looks the same, but by using a capital “i” instead of a lowercase “l”, the phisher can create a lookalike site that appears to be legitimate.
Who Do Spear Phishers Target?
This is one of the biggest reasons that spear phishing requires so much research: not only does the hacker have to identify who they are going to target, they also have to identify the best way to fool them. As a general rule, though, spear-phishing attackers will go after those people in a business who have access to the information that the phisher wants, but not enough clout to question a request from what appears to be up the chain of command. In other words, a business’ end users.
So, what can you do to stop spear phishing from impacting your business? There are a few ways:
- Check to ensure everything about an email is legitimate. Is the sender actually , or is it ? Are there any files included with the email? They could be a means of installing some type of malware, so avoid clicking on them.
- Take any urgency in the message with a grain of salt. Many hackers make their messages sound urgent in an attempt to frighten their targets into acting. Also keep an eye out for any departure from standard operating procedures: for example, if your organization typically uses Google Drive to share files but you are being asked to download a file from Dropbox instead.
- Make every effort to confirm any messages you find suspect through another means. The few moments it takes to pick up the phone and ask the person who appears to have sent an email will be well worth it if it helps you circumvent a spear phishing attack.
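The lookalike-domain trick described above (a capital “I” standing in for a lowercase “l”) and the first checklist item (confirm the sender is who they appear to be) can be turned into a simple inbox or mail-gateway check. The following is an added example, not code from the original post or from Macro Systems; it folds visually confusable characters before comparing a sender's domain against a constructed allow-list, and generalizes the post's single I/l case to a few other common confusables, including a handful of Cyrillic homographs.

```python
"""Flag sender domains that impersonate ones we trust.

Added example, not from the original post: it compares the domain part of
an email address against a short allow-list after folding characters that
look alike on screen (the post's capital "I" for lowercase "l" trick, plus a
few other common confusables), so "exampIe.com" is reported as a lookalike
of "example.com". Trusted domains and sample addresses are constructed.
"""
import re

# Single-character confusables folded to one canonical form. Uppercase "I"
# must be mapped before lower-casing, or it becomes "i" and escapes notice.
# Illustrative table, not an exhaustive homoglyph list.
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "|": "l",       # look like lowercase L
    "0": "o",                           # zero vs letter o
    "5": "s",
    "\u0430": "a", "\u0435": "e",       # Cyrillic a / e (IDN homographs)
    "\u043e": "o", "\u0440": "p",       # Cyrillic o / p
})

def fold(domain: str) -> str:
    """Return a canonical form in which visual lookalikes collapse together."""
    d = domain.translate(CONFUSABLES).lower()
    # Two-letter sequences that read as one letter in many fonts.
    return d.replace("rn", "m").replace("vv", "w")

def classify_sender(address: str, trusted: set[str]) -> str:
    """Classify an address as 'trusted', 'lookalike:<domain>', 'unknown' or 'invalid'."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "invalid"
    raw_domain = m.group(1)             # keep original case for fold()
    domain = raw_domain.lower()
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"            # exact match or a real subdomain
    folded = fold(raw_domain)
    for t in trusted:
        if folded == fold(t):
            return f"lookalike:{t}"     # differs only by confusable characters
    return "unknown"

if __name__ == "__main__":
    # Constructed sample: one trusted domain, a mix of genuine and spoofed senders.
    TRUSTED = {"example.com"}
    for addr in ["ceo@example.com", "ceo@exampIe.com", "ceo@examp1e.com",
                 "hr@mail.example.com", "ceo@exampl\u0435.com", "ceo@other.org"]:
        print(f"{addr:28} -> {classify_sender(addr, TRUSTED)}")
```

A "lookalike" result is a strong signal to apply the post's third step and verify the message by phone before acting on it.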
Threats like spear phishing are just the start of a business’ security concerns. For more assistance with your business’ IT and its security, subscribe to our blog, and give Macro Systems a call at 703-359-9211.