Spear phishing is a highly targeted phishing attack with a goal of attacking one specific person, business, or organisation. Its aim is to either infect devices with malware or convince someone to part with information or money.
If a hacker is trying to get login details for a company’s email system, for example, they may send uniquely crafted emails to individuals within the company. They may have stolen your email address in a data breach, bought it on the Dark Web, or found it on your company website, and they supplement that information with their own research.
Spear phishing research
The research component can be surprisingly easy as we tend to share a lot of information about ourselves online. Hackers can find information about roles, responsibilities and professional relationships on LinkedIn, for example. LinkedIn profiles provide excellent information that helps attackers know who to impersonate, and who to target.
Information on CFOs, and other finance staff, can be found on online directories and lead generation sites. Company websites provide insights into the team, and often the company’s products and suppliers. Facebook and Instagram provide personal insights into targets and the people being impersonated.
All of this research can provide criminals with a surprisingly detailed and accurate picture. Combining research from the company website, LinkedIn profile and a Facebook profile will easily give them:
- your name
- your workplace
- your colleagues’ and managers’ names
- a good deal of information about your friends and family.
All of this information is leveraged to write very legitimate-sounding emails, eg:
Whaling or CEO fraud
Whaling is a spear-phishing attack that specifically targets senior or high-level executives at a business. Often it involves an attacker impersonating the CEO or another C-suite executive and requesting that someone in the accounts team make a payment or hand over highly confidential information.
Sometimes attackers pretend to be suppliers. The ‘supplier’ emails a senior finance executive requesting a change in invoicing or bank details. “Please make all future payments into our new bank account number” is a common one.
Whaling can be very lucrative for cyber criminals, as top executives are more likely to be under pressure, skimming emails and acting on them quickly. They also hold executive credentials, with greater access to company data and software. This makes them a highly valuable target, well worth the attacker’s time to research and craft targeted emails.
As off-the-shelf phishing kits become increasingly good at personalisation features, and dark web criminal services offer Virtual Assistants to research executives and scrape social media, attacks are coming in thick and fast.
Why fake emails are hard to spot
Being so highly targeted, spear phishing emails are quite hard to detect. All that research enables the attacker to craft a genuine-sounding email from a person or company you trust. Because they read like normal business conversation, they are also hard for spam filters to catch.
Not many of us inspect emails closely if they come from reputable sources. If the sending address has been spoofed to look genuine, a fake is even harder to spot. Small changes in email addresses are easily missed. For example, the letter “o” might be swapped with the number “0”.
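One way a mail gateway or triage script can catch the kind of near-miss address described above is to fold the sender’s domain down to what a hurried reader actually perceives (digits read as letters, two-letter sequences read as one, accented or non-Latin look-alikes dropped) and then measure how far it sits from the domains the organisation really trusts. The Python below is an added example, not code from the original article; the trusted-domain list, the swap tables, the function names and the sample addresses are all constructed for illustration.

```python
"""Flag sender domains that only look like a trusted one (added example)."""
import unicodedata
from email.utils import parseaddr

# Domains this organisation legitimately receives mail from. Constructed for
# the example; a real deployment would load its own allow-list.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.example"}

# Single characters that pass for a letter at a glance; the article's own
# example is the letter "o" replaced by the digit "0".
SINGLE_CHAR_SWAPS = str.maketrans("01357", "olest")
# Two-character sequences that mimic one letter in proportional fonts.
SEQUENCE_SWAPS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalise(domain: str) -> str:
    """Fold a domain to roughly what a hurried reader perceives."""
    try:
        # Internationalised domains arrive in headers as punycode; decode them
        # so the look-alike characters are visible to the folding below.
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII, or is not valid punycode
    folded = unicodedata.normalize("NFKD", domain.casefold())
    # Drop accents and non-Latin look-alikes (e.g. a Cyrillic "а"); what is
    # left is one edit away from the genuine domain and the distance check
    # below catches it.
    folded = "".join(ch for ch in folded if ord(ch) < 128)
    folded = folded.translate(SINGLE_CHAR_SWAPS)
    for seq, single in SEQUENCE_SWAPS:
        folded = folded.replace(seq, single)
    return folded


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_sender(from_header: str) -> tuple[str, str]:
    """Return (verdict, domain) for the value of a From: header.

    Verdicts: "trusted" (exactly on the allow-list), "lookalike" (folds to,
    or is one edit away from, a trusted domain) or "external" (no resemblance).
    """
    _, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].casefold() if "@" in address else ""
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    folded = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        genuine = normalise(trusted)
        if folded == genuine or osa_distance(folded, genuine) <= 1:
            return "lookalike", domain
    return "external", domain


if __name__ == "__main__":
    # Constructed sample headers: one genuine, three near-misses, one unrelated.
    for header in ("Finance <accounts@example.com>",
                   "Finance <accounts@examp1e.com>",
                   "Pat <pat@exarnple.com>",
                   "pat@exampel.com",
                   "news@unrelated.example"):
        print(classify_sender(header))
```

The one-edit threshold is a starting point, not a tuned value: very short trusted domains will need a tighter rule or an explicit deny-list, and the folding deliberately treats a "lookalike" verdict as a reason for a human to look, not as proof of fraud, since a legitimate partner can also sit one character away from a trusted name.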
Older spear phishing attacks used to attach malicious documents to the email, but we have become distrustful of opening attachments for fear of getting viruses. So attackers now often host malicious documents on OneDrive, Google Drive or Dropbox instead. This makes the email look more genuine, and links to those services are unlikely to be blocked.
How to spot a spear phishing email
Spear phishing is effective because attackers play on how people think and act. They abuse our human nature to trust authority figures and comply with their requests. When written with enough personalisation, with the right tone, and the right message, it’s very difficult to spot.
The most obvious warning sign is an email address that is slightly different to normal. But email addresses can be spoofed or may be so close that you don’t notice the difference.
So be on the lookout for urgency, especially if it is coupled with a request to break company policy or fast-track payments without the usual checks and balances. They may also play on your emotions by saying you are letting them down if you don’t make the urgent payment, or something similar.
Another warning sign is an attached file, or a link to a file, that asks you to enable macros. If this is not what you would expect for that file, close it immediately and get IT expertise.
And pay close attention to wording and terminology. If the email includes lingo, words or expressions that you don’t normally hear from that person, flag the email. It could be as simple as the “CEO” signing off with “thanks” when they always use “cheers”. Or calling it a “wire transfer” when it’s normally referred to as a “bank transfer”.
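The cues in this section are the kind a person spots, but several of them can also be checked mechanically before a message reaches the inbox: a Reply-To that points somewhere other than the apparent sender, urgency and confidentiality language, a request to change payment details, links to the file-sharing services named earlier, and attachments whose extension means they carry macros. The Python below is an added example, not code from the original article; the phrase lists, the host and extension lists, the function names and the sample message are constructed, and `triage()` simply returns its findings so a real mail filter could score or quarantine on them.

```python
"""Triage an e-mail for the spear-phishing warning signs above (added example)."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Phrase lists are constructed for illustration and deliberately short.
URGENCY = ("urgent", "immediately", "asap", "before close of business",
           "right away", "today")
BYPASS = ("skip the usual", "don't wait for approval", "do not wait for approval",
          "keep this confidential", "between us", "no need to verify")
BANK_CHANGE = ("new bank account", "updated bank details", "change our account",
               "new account number", "future payments")
# Office formats whose extension means the file can carry macros.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xlam", ".pptm", ".ppam")
# Hosts the article names as places attackers park malicious documents.
FILE_SHARE_HOSTS = ("onedrive.live.com", "1drv.ms", "drive.google.com",
                    "docs.google.com", "dropbox.com")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def _domain(header_value) -> str:
    """Lower-cased domain part of an address header, or "" if there is none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Replies silently routed away from the apparent sender.
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from "
                        f"From domain {from_domain}")

    # 2. Urgency, policy-bypass and bank-detail-change language in subject + body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg["Subject"] or "") + "\n"
            + (body.get_content() if body else "")).lower()
    for label, phrases in (("urgency", URGENCY), ("policy bypass", BYPASS),
                           ("bank detail change", BANK_CHANGE)):
        hits = [p for p in phrases if p in text]
        if hits:
            findings.append(f"{label}: {', '.join(hits)}")

    # 3. Links to file-sharing services used to host documents off-mail.
    for host in sorted({m.group(1) for m in URL_RE.finditer(text)}):
        if any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS):
            findings.append(f"link to file-sharing host {host}")

    # 4. Macro-enabled attachments, judged by filename extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-enabled attachment {name}")
    return findings


def sample_message() -> str:
    """A constructed CEO-fraud style message used to exercise triage()."""
    msg = EmailMessage()
    msg["From"] = "Pat Example <pat@example.com>"
    msg["Reply-To"] = "pat.example.ceo@webmail.example"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Urgent payment"
    msg.set_content(
        "Hi Sam,\n\n"
        "I need this paid immediately, before close of business.\n"
        "Use the supplier's new bank account details in the attached sheet,\n"
        "also at https://1drv.ms/x/s!constructed-link and keep this confidential\n"
        "until the deal closes.\n\nThanks,\nPat\n"
    )
    # Payload is placeholder bytes, not a real workbook.
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="payment-details.xlsm")
    return msg.as_string()


if __name__ == "__main__":
    for finding in triage(sample_message()):
        print("-", finding)
```

Keyword matching like this is a triage aid, not a verdict: the phrase lists will miss a careful writer and will flag a genuine rush, so the findings are best combined with sender checks and routed to a person for review rather than used to block on their own.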
Is your cyber security up to scratch?
Most small businesses do not have enough cyber security layers in place to fully protect their business. Are you doing enough?
Contact us for a confidential chat about your personal or business circumstances and we can advise you on what protection you need. Or we can take care of everything so you have total peace of mind with our Small Business Cyber Security Support Package.