What is Spear Phishing in Cybersecurity?


According to VPN provider and Internet research group Atlas VPN, Google registered over 2 million phishing sites targeting victims in 2020 alone. Threats like phishing, spear phishing and whaling are only rising, with F5 Labs reporting that more hackers are leveraging cheap or free cloud platforms and domains to launch sophisticated attacks. More importantly, email attacks against large enterprises are rising as well to the tune of around $80M per attack.

Here, we will give a rundown of spear phishing and phishing attacks, what they mean for your organization, and the key steps you can take to mitigate these threats. 

What is Phishing, and How is Spear Phishing Different?

Phishing is one of the oldest forms of hacking around and has been a part of the internet and cybersecurity since the earliest days of email. The reason that email phishing is so common is that email “from” information is relatively easy to spoof. The “from” name isn’t unique, so any email can technically carry the “from” name of someone in your organization.

A phishing attack is when someone in your organization is contacted via email, telephone or text by a person pretending to be someone else, either inside your organization or related to it. Some examples of phishing include:

  • A person or group of people send out fake mailers using stories about lost wealth, unclaimed bank accounts or contest winnings in an attempt to get users to send personal details or even money. The classic “Nigerian Prince” scheme was one of the original phishing scams.
  • A hacker sends out a mass email in which the sender’s email address is “spoofed”, or faked, to look like someone legitimate, such as a person inside an organization or an official source like a bank. The email attempts to pass itself off as being from this person in order to convince recipients to send personal information, like account logins, passwords or address information. It may also try to get users to navigate to fake sites that ask for this information or that attack a system as soon as they load.
  • A scam call center calls unsuspecting customers pretending to be from a legitimate company that provides Internet or phone service and asks those users to provide personal information or remote access to their computers. At that point, the scammers can steal personal information or hold those systems hostage with ransomware.

In each case, the fraudsters run these scams across a high volume of victims. That’s where the term “phishing” comes from: not everyone will fall for it, but even if only 1% do, that can mean big gains when hundreds of people are targeted a day.

Whereas phishing uses broad (and sometimes easily detectable but cheap) methods of attack, “spear phishing” leverages more involved research and targeting to increase the possibility of getting a bite from a victim. The victim, in this case, is typically a specific person or a specific group of people in an organization. 

For example, a spear phishing attack could use insider information to determine the best ways to attack specific people in your organization using carefully faked emails. These attacks can also include the delivery of viruses through email attachments, on the theory that the targeted victim is more likely to trust them. As cloud storage services have grown in usage, some spear phishers use these to attempt to gain access to file-sharing platforms.


What is Whaling?

Whaling is a refined form of spear phishing that targets high-level victims. Also known as CEO fraud, whaling relies on gathering extensive knowledge of high-ranking individuals in your organization, up to and including C-suite executives (thus the “whale” rather than the “fish”). 

Surprisingly, these forms of attack are growing. Most people think that executives have a higher level of technical knowledge, but this isn’t necessarily true. More importantly, with the sheer volume of emails, messages and phone calls that many business people get in a day, it’s incredibly easy to miss the signs of a phishing attack. 

This is what hackers count on. The volume of information that we receive on a daily basis is overwhelming for almost anyone, and when a specific email is filled with tricky and relevant information from a seemingly trusted source, it is easier than you think to miss the signs of an attack.

Couple that with the ability of hackers to spoof emails to look like nearly anything they want, from a PayPal request form to a legitimate and branded business email, and it’s easy to see why spear phishing and whaling attacks are so prevalent.  


How Do You Protect Yourself Against Spear Phishing Attacks?

There are tried-and-true methods for dealing with spear phishing attacks, none of which are 100% perfect. These include:

  1. Automatically flag emails that come from outside your organization. Most email providers for enterprise clients offer ways to insert warning messages into emails based on certain criteria, including where the message is from. A good way to set up an initial line of defense is to have every email sent from a domain outside of your organization flagged with a warning. This helps draw readers’ attention to potentially fake emails and raises concerns if an email purporting to be from someone inside your organization is in fact flagged as coming from outside of it.
  2. Train your people to be careful. The weakest link in phishing attacks is people who aren’t paying attention to the small details that give attacks away. Provide proper training for employees on how to spot problems with emails, including strange addresses or other markings.
  3. Set a focused IT policy on email and data sharing. When in doubt, make it a company policy. Set strict requirements for what information your people can or cannot share over email. These rules help draw attention to emails that claim to be from someone else inside your organization but ask for data that is prohibited by policy.
  4. Provide a central contact for IT support. Make it easy for your team members to report suspected emails quickly, even if it is just for a quick look and confirmation that an email is a phishing attempt.
  5. Use password management and Two-Factor Authentication (2FA). Many compliance frameworks require this, but having 2FA in place, along with a regular password management system, makes it harder for hackers to access systems in the event of a successful phishing attack.
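The external-sender warning from step 1, combined with the point above that the “from” display name is free text, can be illustrated with a small mail-gateway check. This is an added example, not code from the original article or from any particular email provider; the internal domain `example.com`, the staff name list and the sample message are all constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organization data (assumptions for this example only).
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_STAFF_NAMES = {"jane doe", "bob smith"}  # lower-cased display names

EXTERNAL_BANNER = "[EXTERNAL] This message came from outside the organization."
IMPERSONATION_BANNER = ("[WARNING] The sender's display name matches an internal "
                        "employee, but the address is external.")


def classify_sender(from_header):
    """Return the list of warning banners that apply to a raw From: header value."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    warnings = []
    if domain not in INTERNAL_DOMAINS:
        warnings.append(EXTERNAL_BANNER)
        # The display name is not unique or verified; flag it when it mimics a known insider.
        if display_name.strip().lower() in INTERNAL_STAFF_NAMES:
            warnings.append(IMPERSONATION_BANNER)
    return warnings


def add_banner(raw_message):
    """Parse an RFC 5322 message and prepend any warnings to a text/plain body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = classify_sender(msg.get("From", ""))
    if warnings and not msg.is_multipart():
        msg.set_content("\n".join(warnings) + "\n\n" + msg.get_content())
    return warnings, msg


# Constructed sample: an insider's display name on a look-alike external address.
SAMPLE_MESSAGE = """From: Jane Doe <jane.doe@examp1e-mail.net>
To: bob.smith@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

Bob, please process the attached invoice today.
"""

if __name__ == "__main__":
    found, flagged = add_banner(SAMPLE_MESSAGE)
    print(flagged.as_string())
```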


Set Effective Compliance and Cybersecurity Policies with Lazarus Alliance

All of the above-listed mitigation methods are usually part and parcel of a comprehensive compliance strategy. If you are in a regulated industry and have compliance demands while at the same time facing significant spear phishing attacks, contact Lazarus Alliance at 1-888-896-7580 to discuss your organization’s cybersecurity needs.

