One of the most well-known computer threats is phishing, so the malicious attempt by cybercriminals to acquire sensitive personal data and information, such as financial data or a user’s codes and passwords, by disguising themselves as a legitimate and reliable person or entity like a colleague at work, a business partner, a bank or company.
Typically, in phishing attacks the emails are very generic and looks like legitimate messages from service providers, at least in appearance and content, and are sent to large volumes of people at once. The fraudulent messages always require the victim to enter sensitive information, such as the credit card number or password to access to a particular service, usually on some fake website or simple landing page. This is an effective method for cybercriminals, because it increases the likelihood that at least some of their targets will respond to requests.
Spear phishing is a more dangerous version of the common phishing attack, as it targets a specific person and uses social engineering techniques to trick the target into divulging sensitive information, downloading ransomwares or other malwares. The messages usually contain links, attachments or “calls to action” to click somewhere and “verify” or “update” the information, leading directly to malicious sources.
Typically, spear phishing emails target users who have specific access to the information the hackers want and the contents appear to be extremely persuasive.
What does spear phishing mean?
To better understand what spear phishing means, it’s needed to take a step back and look at the concept of phishing as a whole. Phishing is an attack on people, not technology: it is a form of social engineering designed to trick the victim into providing confidential information or downloading malicious software.
The term phishing comes from fishing and alludes to the fact that, like fishermen, cybercriminals try to hook the victims by displaying something attractive and using sophisticated techniques to “fish” users and steal their personal and financial data. Thus, taking this definition into account, spear phishing is a very accurate attack attempting to “fish” a specific target person’s data and information.
Spear phishing: types of attacks
There are different types of spear phishing attacks, such as:
- Corporate emails – attackers get unauthorized access to a corporate email account, or even create a similar fake one, and impersonate its owner to send specific phishing messages to target colleagues or partners, typically for fraud;
- Whaling – cybercriminals prepare very sophisticated and well-planned attacks that usually target members of an organisation who are likely to have privileged access to key data, such as high-level executives or equivalent;
- CEO fraud – this is a type of attack based on scam messages closely related to whaling, but in this case cybercriminals impersonate the company’s CEO and usually create a sense of urgency to employees for providing information with accurate and realistic reasons;
- Clone phishing – this is a very common kind of attack where phishers pose as financial or services institutions and send emails that appear reliable to the victim, trying to steal personal data with communications based on realistic issues;
- Angler phishing – hackers target users who interact with companies on social media, usually posing as company representatives to respond to complaints, make offers and even attempt to begin private conversations in order to learn personal data, information and issues which can used for further more dangerous attacks.
How to detect a spear phishing attack?
Employee training is the best way to prevent spear phishing and raise awareness of the risks of cyber crimes, introducing a deep corporate cyber security culture.
However, there are a few clues that help detect a spear phishing attack:
- Neglected details – cybercriminals can mimic URLs, email addresses, a company’s branding and many other elements, but usually there are small key details that might seem to be slightly edited and formatted incorrectly and represent a clue for spear phishing victims to detect the attempted attack;
- Poor grammar and spelling – most professional communications, especially B2C messages such as those coming from a bank account, are always corrected before sending to users and furthermore most email services nowadays automatically report messages containing spelling or grammatical errors, thus this represents a good factor to detect suspicious messages coming from non-legitimate sources;
- Unusual language – sometimes even the language used for an email can be suspicious even if it doesn’t contain errors, nevertheless it may seem disjointed from the usual writing style of the alleged sender, thus it could be a phishing attack;
- Unusual requests – a message that contains unexplained or strange requests can be a reason to be cautious about such communications, for example a spoofed email from a bank asking to authenticate identity by making a wire transfer is typically a model used for spear phishing attacks.
Data protection: how to defend from spear phishing attacks?
To prevent a spear phishing attack it is necessary to follow the main best practices that guarantee data protection. They include:
- Keep operating systems and browsers up-to-date – this is the first line of defense against cyber-attacks, as it prevents phishers from leveraging on well-known vulnerabilities in outdated OS or softwares and prepare proper attacks;
- Protect data with automatic backups – implementing a regular system data backup process ensures an easier data recovery in case of a breach;
- Implement two-factor authentication – this point is key as it puts into play additional layers of defense between attackers and personal sensitive data;
- Adopt security protocols – security policies must be established, implemented and monitored regularly by IT teams in order to mitigate the risk of attack;
Educate employees on cyber security – employee training is the most important process to encourage a shared culture of cyber security within the organisation.