What Is Spear Phishing?

Spear phishing and standard phishing share similarities but also have some distinct differences. Both effectively trick targeted users into divulging sensitive information, but spear phishing requires much more effort from the attacker. Spear phishing requires reconnaissance and an understanding of the targeted user so that emails contain just enough information to make them seem like they are from a legitimate sender.

First, let’s discuss standard phishing to identify the differences. Generally, phishing campaigns have no specific target. For example, the attacker might create an email message that uses the PayPal logo and content that sounds like a legitimate PayPal representative. The email usually won’t contain the user’s name, and the attacker doesn’t even know if the recipient has a PayPal account. The message might simply ask the targeted user to reply or click a link to a malicious website.

An attacker might send thousands of phishing emails to an email contact list. In some attacks, the domain name used to send malicious messages looks similar to the official one. For example, an attacker might register the domain “payypal.com” and use it to make the sender look official. Another phishing strategy uses email spoofing. Spoofing uses open email servers to manipulate the sender domain to “paypal.com” even though the message is not actually from a legitimate PayPal employee. DMARC (Domain-based Message Authentication, Reporting, & Conformance) is a newer cybersecurity strategy for email that detects spoofed email messages and blocks them, so spoofing is not the threat it used to be, provided the recipient email server uses DMARC.

With a message set up and a list of recipients, attackers can now send their malicious messages. Attackers know that some messages won’t go through. Cybersecurity filters will block others on the recipient’s email server, and some messages will be automatically deleted when targeted users realize the message is phishing. However, there will be a group of users who'll receive the phishing email and send the attacker sensitive information. Specific targets aren’t necessary for an email blast targeting thousands of users because attackers know that dozens of recipients will become victims.

While standard phishing is effective for smaller payouts, spear phishing takes a more targeted approach for bigger gains. They normally target high-privileged users within an organization, such as accountants, human resources employees, and C-level executives. These attacks require much more research into the target organization to understand what messages will work. Spear phishing can also be used in combination with social engineering to be more effective.

Spear phishing uses much more compelling messages than standard attacks. For example, attackers who claim to be the CEO could trick finance executives into sending money to their bank account. Fake invoices could be used to trick accounts payable employees into sending money to the attacker. To steal credentials, an attacker might create messages that seem like IT is asking for information. To mislead users, the messages must sound like they're from a legitimate person the recipient knows, which is why social engineering might also be used.

Because spear phishing is much more targeted, fewer users receive messages. An attacker researches the organization and creates messages for the few high-privileged users who have been selected as targets. The users chosen are usually from organizational charts on the organization’s website or using LinkedIn for reconnaissance.

Attackers using a spear-phishing strategy could trick the organization into sending millions of dollars to an offshore bank account or critical network credentials. Money transfers to an attacker-controlled bank account are devastating, but stolen network credentials could be even more damaging. Two-factor authentication and intrusion detection systems help stop further damage after a successful phishing attack, but a threat actor usually employs other methods to steal data. Malware injections on the network or data exfiltration using the stolen credentials are other options.

With stolen credentials, an attacker could maintain a presence on the victim’s network for months before detection. During that time, an attacker could exfiltrate terabytes of data without detection. Once detected, the organization must contain the threat and determine the vulnerability responsible for the compromise.

An example of a spear phishing attack can be something simple like “Wade, based on your love of the early reds this year, I’d suggest a visit to Domaine Maleficent (spoofed or compromised website), which Bob also loved. Check out their e-store.” This spear phishing example can be highly effective if Wade’s public information indicates he's a wine enthusiast, a friend of Bob who also loves wine, and the email originates from a Facebook connection through a spoofed email.

Notice in the above example that the attacker customizes the email to the interests and personality of the targeted victim. This customization is what differentiates spear phishing from standard phishing. This differentiation is what makes spear phishing more time consuming for the attacker, but it’s also highly effective in how it works.

Providing examples of spear-phishing attacks will help you train users and identify them when your organization is the target. Don’t assume that your organization could not be a target because it’s too small. Attackers know that small businesses have fewer cybersecurity resources than large ones, so small businesses are also a target. Any size business could be the target of whaling and spear phishing.

Threat actors often use names of well-known businesses to increase the probability of success and give targeted users a sense of trust. PayPal, Amazon, Google, and Microsoft are four large household brands used in spear phishing. These brands give users a sense of trust and have millions of customers that could be tricked into clicking links in an email.

Another example of phishing uses Google and Microsoft to trick users into sending money to an attacker's bank account. The email claims that the user won money from either Google or Microsoft, and to receive funds, the targeted user must send a small fee for mailing costs. Although Gmail is good at filtering these messages, users find them in the spam inbox and respond to them. These messages should never reach the intended recipient in a business environment and should be quarantined instead of reaching a spam inbox.

Spear phishing strategies:

Look for email protection solutions that use analytics to detect suspicious emails. Dynamic malware analysis can analyze destination websites for malicious behavior and simulate a real user system to counter evasive techniques built into malware, driving the malware to reveal itself in a sandboxed environment. Sandboxing at the time of delivery of a suspicious email and when users click on a URL is likely to result in greater detection of these highly targeted threats.

Security awareness training programs play an equally critical role in defending against spear phishing. Most security decision-makers surveyed by Osterman Research advocate some mix of security awareness training and technology-based solutions, although support varies based on the specific type of threat. In spear phishing, 37% of those surveyed said that the solution is primarily about training, but that improved technology can help, while 44% said training and process are equally important.^[2]

Whatever the mix, what’s really important is adopting a people-centered security posture. Attackers do not view the world in terms of a network diagram. Deploy a solution that gives you visibility into who’s being attacked, how they’re being attacked, and whether they clicked. Consider the individual risk each user represents, including how they’re targeted, what data they have access to, and whether they tend to fall prey to attacks.

Train users to spot and report malicious email. Regular training and simulated phishing attacks can stop many attacks and help identify especially vulnerable people. The best simulations mimic real-world attack techniques. Look for solutions that tie into current trends and the latest threat intelligence.

At the same time, assume that users will eventually click some threats. Attackers will always find new ways to exploit human nature. So, find a solution that spots and blocks inbound email threats targeting employees before they reach the inbox. And stop outside threats that use your domain to target customers and partners in spear-phishing attacks.

A few other ways that you can protect from spear phishing: