The term “spear fishing” might conjure up images of an ancient method of hunting an aquatic dinner, a sport once considered (but rejected) as an Olympic category, but the alternate spelling means something very different to those in the IT field. 
Spear phishing is a less widely known subcategory of the attack type known as phishing, a scam designed to trick Internet users into revealing personal information by using fraudulent emails and web sites. When an attacker “goes phishing,” he/she usually sends out bulk mailings, much like baiting a hook and tossing it into the water to see what bites. Verizon’s 2019 Data Breach Investigation Report indicates that 32% of the previous year’s data breaches involved phishing. And according to Vade Secure’s Phishers’ Favorites Report for the second quarter of 2019, the companies most often impersonated by phishers are Microsoft, PayPal, and Facebook.
Spear fishing is a little more sophisticated. In spear phishing, as in its sporting counterpart, the attacker targets particular individuals or companies. Spear phishers do their homework and pretend to be people are organizations well known to the victim. Earlier this month, the city of Naples revealed that the municipality was the victim of a spear phishing attack that resulted in the loss of $700,000 by an attacker who impersonated a construction company with which the city was doing business.
Because spear phishing emails are highly personalized to lure specific victims, they can be very difficult to defend against. Because they appear to come from a person or organization that knows the victim, even tech savvy users are much more likely to fall for them. Attackers use bits and pieces of information about you that’s available on the web and on social networking sites such as Facebook or LinkedIn to construct messages that are very convincing.
Phishing attackers may spoof the email addresses of your friends, or of your bank or credit card company, and then put information unique to you in the text of the message. When you get dozens of ordinary phishing messages warning that your password was compromised on banking web sites where you don’t even have accounts, or requests for help from people whose names you don’t recognize, you’ll probably immediately spot them for what they are and ignore them (even if the sender is a billionaire Nigerian prince). But when the message is from your own bank and contains the last four digits of your account number, or the return address shows as that of a long-time close friend, you’re far more likely to respond.
If you click that link to go to what purports to be your bank’s password reset page and enter your old password there so you can change it, now the phisher has that “old” password (which you didn’t actually change) and can get into your account before you discover what happened. As an added bonus, visiting that web site might automatically download malware to your computer so the phisher can gather even more of your information. If you foolishly send money through PayPal or Facebook to that friendly imposter, you’ll never see it again and your real friend will have no idea what you’re talking about if you should mention the “loan.”
There are protective measures and products you can use to help thwart spear phishing attacks, but attackers are always perfecting their techniques to keep one step ahead. For example recent trends indicate that compromised email accounts are able to circumvent many existing email protection systems in targeted lateral phishing attacks. Those systems must constantly evolve to meet the new and more sophisticated threats.
The first step in protecting against spear phishing is to implement standard security best practices: keep operating system and application software security patches up to date, encrypt sensitive data at rest when stored on hard drives or in the cloud and when in transit over the network, and use multifactor authentication whenever possible. These measures help to keep attackers from gaining access by exploiting vulnerabilities and prevent them from being able to read or use your information if they do.
More specifically, since spear phishing usually begins with a spoofed email address, email authentication technologies that use the Sender Policy Framework (SPF) to verify the authenticity of messages can go a long way toward combatting corporate spear phishing. The SMTP protocol used to send email doesn’t include any authentication mechanism, so SPF addresses this by using DNS records to determine whether a mail message that claims to come from a specific domain is sent via an IP address that was authorized by that domain’s admins.
A very important but often overlooked element in protecting your organization from the consequences of phishing attacks is employee education. Verizon’s report showed that at least 30% of phishing messages are opened by targeted users.
Spear phishing awareness training should include:
- Simplified and understandable information as to what spear phishing is,
- The potential harm that can be caused by falling for the scam, which includes compromised user credentials, unauthorized charges, and data breaches that could subject the company to loss of customers and even hefty fines for violations of regulatory compliance requirements,
- How to recognize messages that are likely to be spear phishing attempts, and
- What to do if a suspected spear phishing message is received.
Spear phishers often inadvertently leave subtle clues as to the nature of the message. The wording and style of the email may seem out of character for the person or organization from whom it claims to be. The message may direct the user to do something out of the ordinary, such as going to a site to confirm personal information when this has never been the norm, or requests for wire transfers or money sent via a gift card or PayPal instead of the usual payment method for that organization.
Links in phishing emails, when hovered over to show the URL, may indicate that they go to a site that’s different from what you would expect. Phishing links may also be sent in attachments such as Word docs or PDFs to avoid email detection systems.
The phishing websites to which users are directed often look identical to the legitimate sites they spoof, with logos and other branding stolen from the genuine sites and text copied exactly. URLs may look right but be very slightly misspelled or using ASCII characters that look just like other characters (such as substituting a lowercase “L” for an uppercase “i.” This is sometimes called a homoglyph attack.
Spear phishing message often attempt to convey a sense of urgency so the recipient will act out of panic without thinking too hard about the legitimacy, such as announcing that your organization’s credit account will be revoked if you don’t act immediately, or that late fees will be added to your invoice, or that your information is at risk if you don’t quickly go to their site and change your passwords (which, of course, means typing in – and revealing to the phisher) your current password).
Users should learn to be on the alert for all of these signs. Many organizations follow the training with random testing, in which the IT department sends spoofed messages to discover whether users will report them, ignore them, or fall for them (the latter indicating the need for additional training).
Spear phishing accounts for a large percentage of data breaches, and both the number of phishing messages and the cost of a data breach continue to climb. While avoiding phishing scams might seem to be merely a matter of common sense on the part of users, the more sophisticated attacks are fooling even seasoned professionals. Taking steps to protect your organization from spear phishing can make a difference of thousands or even millions of dollars to your bottom line.