Spear phishing is a common type of cyber attack in which attackers take a narrow focus and craft detailed, targeted email messages to a specific recipient or group. This requires the attacker to research their target to find important details that can give their messages a thin veneer of plausibility—all in the hopes of fooling and ensnaring a valuable target into clicking or downloading a malicious payload, or into initiating an undesired action such as a wire transfer.
Spear phishing attacks may target just one organization at a time, or even specific teams within one organization. When spear phishing attacks get even more granular, they often go after the biggest possible targets with a laser focus, such as C-level executives or senior managers; this kind of hyper-specific phishing attack is colloquially called whaling.
While, on the other hand, standard phishing attacks aim to impact as many targets as possible with the assumption that some users will likely fall victim to the ruse. These types of attacks are much more prevalent with less effort and output required for the prospective attacker to compromise a target, rather than attempting to phish a senior-level executive or specific organizations.
When a criminal sends a phishing email, they cast as wide a net as possible in the hopes of making a catch. To do this, they send spam-y emails to try to convince unwitting users to click a malicious link or attachment, often while pretending to be from a legitimate source, all in hopes of obtaining sensitive information or valuable credentials.
Phishing attacks have been pervasive for so long simply because they are cheap to deploy, yet still effective enough to be lucrative. But as email security becomes more sophisticated, common phishing tactics are becoming easier to flag, and even those phishing emails that do arrive at their intended destination are no longer effective enough to fool wary users.
As a result, attackers are employing new tactics to make their phishing emails more believable. Original phishing methods—casting a wide net—are ceding ground to methods that focus on using real details to convince their potential victims of their legitimacy. Spear phishing is just one term for this attack style.
Enterprises are especially susceptible to spear phishing attacks, as so much of their company data is usually freely available online for attackers to mine without raising any red flags. Official corporate websites can be a gold mine of organization-specific technical details and jargon, key company personnel, customers, events, or even the names of internal software tools. Social networks like Facebook, Twitter, and LinkedIn often not only offer the personal details of where someone works, or where they've worked in the past, but with just a cursory search attackers can easily reveal the corporate hierarchy.
In a spear phishing email, these little details available freely online can help an attacker sprinkle their email with names, places, or terms that lend enough validity to convince an otherwise savvy email recipient to click a malicious link. That link may send them to a website ready to capture sensitive internal-only credentials, thus allowing the attacker to roam freely on the corporate network and steal intellectual property or customer data.
For example, by knowing how an organization's internal email addresses are structured, the names of account managers (handily self-identified through LinkedIn), a key customer name (on the company blog), and who the head of sales is (on the corporate website), an attacker could craft a convincing email to the entire account management team, purportedly from the head of sales, about an urgent issue relating to one of their biggest customers. The email could say that the recipients need to review the memo on their corporate intranet at a specific link—a link that very well looks like their intranet portal but is actually a malicious decoy version set up to capture usernames and passwords. Financial teams are often targeted during tax preparation season with spear phishing attacks, pretending to be sent from company CEOs or CFOs needing urgent W2 paperwork reviewed.
All of the common wisdom to fight phishing also applies to spear phishing and is a good baseline for defense against these kinds of attacks. Never clicking links in emails is an ironclad rule to preventing much of the damage phishing-type attacks can create. That said, since spear phishing is a more sophisticated version of a plain old phishing attack, organizations will need to ensure their policies reference these more advanced tactics and implement stronger solutions to help educate employees to defend accordingly.
Additional tips to help organizations prevent spear phishing attacks include:
A robust phishing awareness training program goes beyond classroom training. The best training programs also deploy recurring simulated phishing “tests,” in which convincing (yet harmless) spear phishing emails are sent to your organization’s employees. If an employee falls for the phishing attempt, they’ll be able to learn first-hand just how effective these campaigns can be and what to look for in the future—all while keeping organizational data safe in a controlled environment. In the fight against spear phishing, employees are the front line, which is why every organization can benefit from phishing awareness training programs focused on phishing protection to keep their employees sharp and on the lookout for this ever-evolving attack.