How Does Spear Phishing Work?

The effectiveness of a spear phishing attempt depends on the selected target and how relevant the information that “baits the hook” is to that individual. Executives are often targeted because they are privileged users within the organization and offer more routes into the network. Typically an email will arrive from what looks like a trustworthy sender or company, with a link that leads the victim to a fake website where malware can be installed. Spear phishers start by doing significant social engineering work. They perform extensive research on the target beforehand to collect detailed personal information (contact names, company partners or previously visited websites). The more detailed the personal information is, the greater the likelihood that a spear phishing victim will fall for the trap and click through.

As with standard phishing, spoofed texts or targeted emails, and the URLs contained in them are often disguised using foreign character sets.

What Types of People are Targeted?

All kinds of people are vulnerable to spear phishing. But since attackers invest more time on personal research than they would on a standard phishing ploy, they are looking for targets that may be privileged users with greater access to the network. Senior-level employees are more likely to have that kind of access, but that doesn’t mean every spear phishing target must be at that level. If the intent is simply to install malware or monitoring software on the network, even less-privileged users may be useful and open to attack.

The first research study on a kind of spear phishing attack that takes place on social media called social phishing found that it was more than 70 percent successful.

Whaling refers to a spear phishing attack that aims at high-profile targets, perhaps at the C-suite level. These emails are designed to specifically refer to the target’s role in the company. It may refer to fake events that a C-level executive is used to being alerted to, like a partner company complaint or a lawsuit. 

The July 2020 Twitter attack was an iconic example of phone spear phishing. Hackers targeted 130 CEOs, celebrities, and politicians, and took over 45 of those accounts. Then they used those accounts to send tweets promoting a bitcoin scam. Their way into those accounts? The attackers called Twitter employees and, using false identities, tricked them into giving them credentials that allowed a reset of passwords using two-factor authentication. 

In 2016, Threat Group-4127 (Fancy Bear) hacked high-level officials in Hillary Clinton’s 2016 presidential campaign using spear phishing tactics to threaten victim

How Can We Be Protected From Spear Phishing?

There are two main ways to mount a spear phishing defense: employee education and authentication technology. 

Since a single employee mistake can have serious enterprise-wide consequences, it’s important that employees get required and comprehensive training. Training regimens raise employees’ awareness and educate them on how to detect and report bogus emails that they might see in their inboxes. A strict reporting protocol that everyone follows will help security experts in the company track and develop defenses against spear phishing. Education and training can also direct employees on specific email security requirements like confirming any unusual activity over the phone first. 

There are many other technologies that can defend against spear phishing. To prevent spear phishing emails from reaching the inboxes of users, organizations can deploy technologies that include:

• Anti-malware and anti-spam software that halt spear phishing emails at an email gateway.
• Email scanning technology that evaluates every link and attachment within every email and prevents users from accessing malicious URLs or attached files. 
• AI software that identifies typical spear phishing language characteristics like header anomalies, domain similarity, sender spoofing, recently established domains and other social engineering-based methods used to impersonate as sender.
• DNS authentication services that identify and stop suspicious messages using DMARC, SPF and DKIM protocols.
• Physical FIDO-compliant, MFA keys like YubiKey can authenticate whether someone sending an email is actually the person the account claims to be. 

Strong authentication methods

The enterprise can minimize risks with strong authentication.

Multi-factor authentication (MFA) establishes trust with users and must balance ease-of-use with strength of authentication. Strong authentication differs from 2FA or other forms because it does not rely on shared secrets/symmetric keys at any point, for example, users names and passwords, codes, and recovery questions. MFA acknowledges that employee education and caution will not filter out every spear phishing attack. Robust measures to bar credential sharing or impersonation must also be put in place. The challenge for MFA solutions is that real-world considerations of usability and scalability must also have a place in ultimate design.

Spear Phishing and Identity Access Management (IAM) solutions

An IAM solution, which clearly defines and manages roles and access privileges for the entire network, must work hand-in-hand with strong authentication to limit effectiveness of targeted attacks.

Types of Spear Phishing Attacks / Spear Phishing Examples

Brand impersonation accounts for 81% of all spear phishing attacks. That means that the attacker may pose as an employee or representative from another company that the receiver is familiar with. Here are a few common examples of what you might see in a spear phishing attack. But take this under caution: there is no standard for the attack. The content and strategy will change depending on the personal details of the target. 

Example 1: 

An attacker compromises a business email account and poses as a senior employee in human resources with the power to request direct deposit changes, wire transfers or W2 information. Social engineering research and data breaches reveal the names of the impersonated employee’s direct reports, managers, and other convincing facts. Then those names are used to make an email request for a transfer sound even more convincing. Some targets end up making the transfer and never seeing that money again.

Example 2: 

A spear phisher does deep-dive research on the executive assistant for a prominent CEO. That includes collecting LinkedIn information about that person. A fake personal email address is created in the CEO’s name and made to look official. The spear phisher waits for the CEO to take a trip out of town (she found that out by following the CEO’s Twitter feed), then pounces when the time is right. A spoof email is sent to the assistant saying, “Help! I am on my trip, but this project is in jeopardy right now. We’re going to miss a deadline on paying a vendor, so I’ll need a quick wire transfer of $40,000. Here is the number, and I’ll send you the invoice and wiring instructions. Please take care of it right away.” Fooled because the email is written in a writing style that seems familiar, the assistant executes the wire transfer to a fraudulent account.

Example 3: 

A spear phisher sends a top-level executive a targeted email to their personal account that contains a piece of credible personal information from a source the person has recently interacted with. The email might be from an online store about a recent purchase, or from her bank citing a security breach and asking for account confirmation, or from a religious group or charity that the executive recently donated to. The email has a link that sends the executive to a “confirmation page” that harvests their credentials. The executive’s personal passwords mirror her company credentials, and the spear phisher is successfully through the door.

Common features of a spear phishing email:

Spear Phishing During Crises

Timing and context of spear phishing attacks often make the difference on whether an attack is successful or not, so savvy phishers will wait for a time of crisis for the company and take advantage of that window. They know that an increased sense of urgency can make targets more reactive rather than cautious (i.e. more likely to click through to a fake website or other information collector).

The pandemic is an obvious crisis that everyone is living through, but phishers may also choose a less global crisis — like a damaging news cycle about the company or a personal crisis (sick family member or a divorce) — as the right time to strike. 

Now that more workers are in a work-from-home (WFH) or remote worker situation, a crisis spear phishing attack may be even more effective. WFH workers and executives may be using less secure networks and are not immediately connected to co-workers to check the legitimacy of a spear-phishing request for information.

Does Yubico Offer Spear Phishing Protection?

Without a physical key integrated into the process, phishing victims who click on malicious links may never even know they have been attacked. A fake website may capture a password or one-time-PIN code without the victim even being aware that it is a scam, delaying any report that may help mitigate the damage. 

Yubico has solutions that blunt phishing and spear phishing attacks. A registered YubiKey assigned to each user acts as a regulator between your device and any other devices or networks that are requesting information. When someone clicks on a malicious link asking for personal details, YubiKey prompts an authentication call. When YubiKey detects that the phishing link or a site with an invalid SSL security certificate isn’t legitimate, it will refuse to authenticate and block the attack.
Find out more about Yubico’s phishing solution here.

Learn More

• The Anatomy of a Phishing Email: 5 Things to Look For Before You Click
• How modern phishing defeats basic multi-factor authentication
• Modern phishing v/s common phone and OTP authentication