Spear phishing is sending illicit emails to someone to make them do something to the threat actor’s benefit. What is a spear phishing attack? It’s a one-on-one scam, and you’re the target.
- Phishing Versus Spear Phishing
- How Spear Phishing Works
- Impersonating Outsiders
- Whaling
- Don’t Get Speared
Phishing Versus Spear Phishing
One method of fishing is to throw a net over the side of a boat. You’re trying to catch as many fish as possible, and you don’t care what comes up in your trawl. With spear fishing, however, it’s a targeted hunt. Your net doesn’t go over the side of the boat, you do. You search for your quarry, spot them, stalk them, and shoot your spear at that one fish.
Email phishing is similar. Using thousands of email addresses gathered from data breaches, phishing campaigns send scam emails to as many people as possible. It’s a numbers game. If they send enough emails—and the emails are sufficiently convincing and persuasive—they’ll snare some victims. Like our first fisherman, they’re casting their net wide and they don’t care who gets caught. They’re entirely focused on how many get caught.
In a spear phishing attack a single person is selected as the victim, and a trap is baited specifically for them. The email will try to coerce them into transferring money or clicking a malicious link or attachment. It’s another form of attack that belongs to the business email compromise (BEC) family of threats.
As a quick aside, the “ph” in phishing is a doff of the cap to John Draper, one of the earliest phone freaks. They used to compromise corporate phone systems from the outside, and manipulate them into providing free long-distance phone calls. Someone noticed phone and freak both start with a soft “f” sound, and the term “phone phreaks” was coined. Modern hackers reused the “ph” for phishing.
How Spear Phishing Works
Pick Your Victim
Spear phishing attacks are more complicated than normal phishing campaigns. A phishing campaign may try to drive as many victims to a fraudulent website as possible to harvest their credentials or credit card details. Or it may try to entice victims into opening an infected attachment to infect the network with malware such as ransomware or rootkits.
By contrast, a spear phishing attack is designed to get one person to do one thing. Typically, this will involve the threat actors posing as a senior figure within the same business, and targeting a carefully selected victim.
The victim must be senior enough to have the authority to perform whatever action the threat actors are trying to persuade them to do. But they must not be so senior they feel comfortable challenging an instruction that has ostensibly come from an individual several grades more senior than themselves.
Reconnaissance
Spear phishing requires reconnaissance by the perpetrators. There’s a wealth of background information available to the threat actors. If the corporate website has a “meet the team” page, the threat actors can easily see the structure of the business, people’s names, and role titles. Testimonials on websites reveal customers that the threat actors can pose as, or make reference to in the scam emails to give them a veneer of validity.
LinkedIn is another rich source of information. People describe their roles and responsibilities in their public profiles, making it easier to select victims and the people to impersonate. Other subtle but valuable clues can be gleaned from LinkedIn. If someone is called Thomas but everyone who comments in their timeline calls him Tom, you’ll know you need to call him Tom when you send him your scam email.
Other information from social media can be used to generate a sense of urgency, and a smokescreen for why things need to be done outside of the norm. Travel plans or time out of the office is a commonly leveraged piece of information. People often post about attending a conference, a training course, or going on leave. The threat actors can use this to their advantage.
Social Engineering and Spear Phishing
If the victim is going to be out of the office in the coming week, one ploy is to send them the spear phishing email late in the current week, on Thursday or Friday. The email will appear to come from a senior staff member, it will address the victim correctly—Tom, not Tommy or Thomas—and it will apologize for dumping this task on them at short notice. “I know you’ll be trying to clear your desk because you’re not in next week.”
That simple message contains some clever trickery.
- The email address is spoofed—a simple process, with the right software—to make it look like it has come from the senior staff member when it actually came from another email address entirely. If the victim replies to the email it is received by the threat actors, who can then respond to the victim.
- The email greets the victim by name.
- It acknowledges that they are out of the office next week.
These things reinforce the expectation that this is a genuine email. The victim isn’t thinking “Is this a real email?”, they’re thinking, “This is all I need, what does this guy want from me, now of all times?”
The victim’s focus is solely on doing what the senior executive requests, and as quickly as possible. This introduces a sense of urgency. To crank up the pressure, the email will contain language like “I’m giving this to you because it is vital it gets done today, by 3pm, and I’m told I can count on you,” and “This is a sensitive matter, it is vital that you’re discrete.”
Usually, the victim is in the finance department, and of middling rank. They are being asked to transfer money to a particular account, the details of which are in the email. The email may claim it is the account of a customer, whose name has been lifted from a testimonial on the website. The cover story varies, but the bottom line is usually the same, “Transfer this sum of money into this account.”
Because the threat actors will receive replies to their emails, the first email may only be an attempt to strike up a conversation, “Do you have a moment? I need you to do something for me.” The conversation eventually requests the transfer of funds. In the meantime, it is compounding the impression that the victim is having a one-to-one email exchange with the senior executive, board member, or whomever the threat actors are impersonating. This can play to the victim’s vanity.
If the person being impersonated is going to be out of the office the victim will get an email that looks like it came from the senior executive who has made an error he needs help with. “Apologies, I forgot to do this before I left the office. This is important and needs to be done quickly. Make a payment of sum of money into this account, details attached. I’ll sort out the paperwork when I’m back. I’m with them now, so let me know as soon as you have done it. Thanks.”
Again, this generates a sense of urgency. It puts the victim under pressure to pull the senior executive out of a hole and to save the day.
Of course, the email doesn’t have to center around someone going out of the office, that’s just an example. The deadline could be the approach of the end of the month, end of the quarter, or the end of the financial year. Quite often it is by the close of play today, or the cut-off for a bank transfer today.
Other Prizes
When money isn’t the driving force for a spear phishing attack, the prize the threat actors have their eye set on will be information. It can be used to try to have proprietary or business confidential documents emailed to the threat actors.
It can be used to obtain information about the victim’s account details and authentication credentials. It has been reported that it was a series of phone calls and well-played social engineering that allowed the threat actors to obtain administrator-level access to Twitter’s internal systems, resulting in the highly publicized breach of July 2020.
Spear phishing relies partly or wholly on email. So, strictly speaking, the Twitter attack was more a vishing (voice phishing) social engineering attack than a spear phishing attack, although that is what it has been called in the press.
Impersonating Outsiders
Suppliers can be impersonated too. Posing as a supplier and asking a selected victim in accounts to update that supplier’s payment details is a common attack type.
“We’ve changed banks, can you update your records please?” or “We’re segregating domestic and overseas customers to different accounts. Please use the following account with immediate effect.”
These types of change happen from time to time, and a busy finance department will see them occasionally. This makes spotting a fraudulent request very difficult.
Whaling
Whaling is a refined form of spear phishing. The person selected as the victim is right at the top of the organization. In some professions such as law and accountancy, the trend is for the most senior individuals to be the oldest people in the company—it takes a long time to get to the top. They can also be cyber-naive.
Whaling attacks are well researched, and usually require some knowledge of the profession or industry of the target company. They are well written and strike the right tone. They employ the correct business parlance to convince the recipient to click a link, open an attachment, or to request a payment.
The email may appear to be from the victim organization’s holding company, its charity of the year, or any institution that they may collaborate with, such as think tanks or academic establishments. The email may make oblique reference to established trust structures that exist outside of the cyber-realm, the mention of which may placate the victim.
A whaling attack is often started by email and completed with a mixture of email and phone calls. The victim of whaling—the whale—is too senior to actually make the payment themselves of course. They’ll instruct someone in accounts to do it.
So a whaling attack can cause someone in accounts to receive an email that genuinely has come from an individual at the very top of the organization, asking them to make a payment. The email and the request are real and will be vouched for by the whale if they are queried. It’s just the payment that is bogus.
Don’t Get Speared
There isn’t much hacking expertise required to perform a spear phishing attack. It boils down to sending an email and asking for money. It’s the window dressing and social engineering that wins the day for the threat actors, not their digital skills.
These steps will help protect you against phishing, spear phishing, and whaling.
- Emails that carry malicious attachments may be stopped by digital systems such as antivirus, anti-malware, spam-filtering, and other mail marshaling systems.
- Text-only spear phishing emails are harder to detect and stop. As with all email-based cyberthreats, it’s your staff who are on the receiving end. Their diligence is key in fighting these threats.
- You can train your staff to recognize spear phishing attacks by conducting simulated attacks.
- Regular staff awareness training should be established, as should procedures to query suspicious or out of the norm requests.
- Staff should feel empowered to query anything that they think is suspect. And doing so should be recognized as someone being conscientious, not cantankerous.
- Process and procedure can help too. If—no matter what—no payments or transfers can be made without multiple people reviewing and authorizing the request, the risk of a feigned pressure-cooker situation leading to an individual being overwhelmed and making a false payment is reduced to practically zero.
- Don’t permit suppliers and other payment details to be amended without confirmation by phone call.