
Understanding Spear Phishing: Definition, Risks, and Prevention

LastPass, June 27, 2024

Phishing attacks are on the rise. According to recent research, this social-engineering approach has seen a 1,265% increase over the last two years.

A more targeted subset of phishing, known as spear phishing, is also on the uptick. While spear phishing emails account for just 0.1% of all phishing, they're responsible for 66% of network breaches. Here's what your business needs to know about spotting the hook, blocking the spear, and keeping attackers at bay.  

What Is Spear Phishing?

Traditional phishing is a bulk attack. Cybercriminals send thousands of emails to recipients worldwide, hoping that one (or more) will make it through digital defenses, land in someone's corporate inbox, and convince them to click a malicious link or download an infected file.  

The scattershot nature of phishing means that emails are often poorly written and contain little to no personalization. Instead, they rely on bold claims to compel action. For example, phishing emails might tell users that their bank account has been compromised, claim that services have been terminated for non-payment, or try to convince users to reset their password. The goal in each case is the same: Get users to provide account data or download infected files. Fortunately, regular security training helps staff recognize the more obvious phishing attempts.  

Spear phishing, meanwhile, targets specific individuals or groups within an organization in an attempt to compromise systems or steal data such as usernames, passwords, or personal information. The personalized nature of spear phishing attacks makes them harder to detect and more likely to succeed.

Explanation of spear phishing and its purpose

The purpose of spear phishing is to obtain network access or steal sensitive data by targeting specific individuals or groups. Spear phishing attacks work because they don't use scattershot emails. Instead, attackers create custom email messages for targeted users that appear to be from legitimate sources. Gone are the spelling mistakes and strange grammar. Instead, they're replaced by what appears to be actual human correspondence from prospective customers, former business associates, or even law enforcement agencies.   

Rather than relying on volume, spear phishing exploits the human desire to be helpful, especially when the request appears to come from an authority figure or someone higher up the chain of command.

How attackers gather information for spear phishing attacks

For spear phishing to succeed, attackers need information. The more they know about a target, the more convincing an email they can craft, and the more likely it is to be opened and acted on.

One common source of information is social media. Attackers may leverage corporate Facebook and LinkedIn pages, along with any personal pages that aren't set to private. Cybercriminals may also use business websites to learn about C-suite members or read recent news stories to get a sense of what the company is doing and where it is headed. Based on this information, attackers create a pretext for contacting victims — a reason that sounds believable and doesn't seem threatening. 

Common targets and industries affected by spear phishing

Popular industries for spear phishing attacks include financial firms, healthcare companies, legal offices, and technology firms. But attackers aren't picky — they'll go after any industry with the potential for valuable data capture. 

Common targets within an organization include middle management, C-suite assistants, and in some cases executives themselves. People in these roles typically have access to more funds and resources than front-line staff, which makes them tempting targets.

Recognizing Spear Phishing Attacks

The sooner companies recognize spear phishing attacks, the greater their chance of avoiding compromise.  

Signs and red flags of a spear phishing email

Common signs of a spear phishing email include: 

Action-driven subject lines 

Spear phishing emails often include subject lines that attempt to create a sense of urgency. For example, subjects might include "OVERDUE PAYMENT", "MUST BE COMPLETED TODAY", or "ACTION REQUIRED". 

Missing or low-quality images 

Emails from legitimate businesses typically include high-resolution company logos or other images, while spear phishing messages may contain low-quality images or text only. Treat this as a weak signal on its own: a well-resourced attacker can copy a company's branding exactly, and plenty of genuine internal mail is plain text.

Inconsistent information

Email addresses, domains, and links are often inconsistent in spear phishing emails. The sender address might read CEO@yourcompany.com while the link in the message points to passwordreset.yoourcompany.com. The extra "o" is easy to miss, but it means the link leads to a domain the attacker controls rather than to the company. Hovering over (or long-pressing) a link reveals its real destination before you click. Note also that a From address that exactly matches a real one proves little by itself: the From header can be forged unless the domain publishes sender-authentication policies that receiving mail servers enforce.

Odd requests

Spear phishers may ask staff to fill out forms, reset passwords, buy gift cards, or transfer money. The requests vary, but they share a common thread: they fall outside normal process.
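The red flags above can be checked mechanically against a message's headers and body. The following is an added example written for this article, not LastPass code or any product's detection logic. It assumes a constructed sample message (not a real capture), a hypothetical trusted domain yourcompany.com, and a crude "last two labels" rule for the registrable domain (a real deployment would use a public-suffix list). It flags urgency terms in the subject, a Reply-To domain that differs from the From domain, links whose visible text names one host but whose href points to another, and any domain within two edits of the trusted one.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real capture): a "CEO" asks for something
# urgent and links to a lookalike domain with an extra "o".
SAMPLE_EML = """\
From: "Jane Doe (CEO)" <ceo@yourcompany.com>
Reply-To: jane.doe@yoourcompany.com
To: assistant@yourcompany.com
Subject: ACTION REQUIRED - must be completed today
Content-Type: text/html; charset=utf-8

<p>I need you to handle something quietly before my 3pm call.</p>
<p>Confirm your access here: <a href="https://sso.yoourcompany.com/reset">https://sso.yourcompany.com</a></p>
"""

# Subject-line phrases of the kind the article lists as pressure tactics.
URGENCY_TERMS = ("action required", "overdue", "must be completed", "today", "immediately", "urgent")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (assumption: plain TLDs like .com)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, trusted):
    """True when the domain is almost, but not exactly, the trusted one."""
    d, t = registrable(domain), registrable(trusted)
    return d != t and edit_distance(d, t) <= 2


def triage(raw, trusted_domain):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    subject = str(msg.get("Subject", "")).lower()
    hits = [t for t in URGENCY_TERMS if t in subject]
    if hits:
        findings.append(("urgent_subject", ", ".join(hits)))

    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    reply_dom = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2]
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append(("reply_to_mismatch", f"From {from_dom}, Reply-To {reply_dom}"))
    for dom in (from_dom, reply_dom):
        if dom and lookalike(dom, trusted_domain):
            findings.append(("lookalike_domain", dom))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            href_host = urlparse(href).hostname or ""
            if lookalike(href_host, trusted_domain):
                findings.append(("lookalike_domain", href_host))
            # Visible text that looks like a URL but names a different host than the href.
            text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if text_host and registrable(text_host) != registrable(href_host):
                findings.append(("link_text_mismatch", f"shows {text_host}, goes to {href_host}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_EML, "yourcompany.com"):
        print(f"{code:20} {detail}")
```

Run against the sample, the script reports the urgent subject, the Reply-To on a different domain, the lookalike domain, and the link whose text and destination disagree. The edit-distance rule is deliberately loose; in practice it is paired with an allowlist of the company's real domains so that legitimately similar names are not flagged every time.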

Techniques used to manipulate victims

Spear phishing techniques are more sophisticated than those of traditional phishing.

First, attackers are capable of creating believable scenarios that call for user action. For example, if research reveals that a company is going through a merger or a land acquisition, spear phishers may send emails claiming that payment for legal services or land surveying is past due and that work will stop until payment is made.

These attacks may also use several channels to convince users they are legitimate. Some spear phishing emails include a phone number staff can call to "verify" the request; the number is answered by an accomplice who confirms the same fraudulent details. Attackers may also send SMS messages from local numbers or call employees directly to back up their story.

Real-world examples of successful spear phishing attacks 

One recent victim of a spear phishing attack was cloud communications provider Twilio. In August 2022, spear phishers went after Twilio employees using SMS messages that appeared to come from the company's IT department. The messages claimed that users needed to reset their passwords and directed them to a link to do so.

The link led to a fake login page that harvested credentials, but the URL contained words such as "Twilio", "SSO", and "Okta", all of which made the messages seem more believable. Ultimately, 163 customer organizations were affected. The lure here was a plausible domain rather than a broken one; the giveaways were the unexpected password-reset request and the unusual channel.

Protecting Against Spear Phishing

The best defense against spears? Shields. In practice, this means boosting password security, implementing MFA, and making sure employees know how to spot spear phishing attacks.  

Best practices for email and password security

Forcing employees to change passwords on a calendar schedule (every 3 to 6 months) is no longer considered best practice: NIST SP 800-63B advises against arbitrary periodic rotation because it pushes people toward predictable variations of the same password. Instead, require long, unique passwords that are not reused across services (a password manager makes this practical), screen new passwords against lists of known-breached passwords, and rotate a password promptly whenever there is evidence it has been exposed.

Implementing multi-factor authentication to prevent unauthorized access

Multi-factor authentication (MFA) adds another layer of protection by requiring users to provide something they have, such as a USB token or one-time code, or something they are, such as a fingerprint or other biometric identifier, in addition to something they know, which is their password.

By adopting MFA, stealing a password is only half the battle: even with a username and password, attackers cannot gain access without the additional factor. One caveat matters for spear phishing specifically. One-time codes delivered by SMS or an authenticator app can themselves be phished, because a fake login page can ask for the code and relay it to the real site within its validity window. Phishing-resistant methods such as FIDO2/WebAuthn security keys and passkeys bind the login to the genuine site's origin, so a credential captured on a lookalike domain cannot be replayed against the real one.
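To make that caveat concrete, here is an added example (written for this article, not LastPass code) that simulates both sides of the exchange. The first half implements RFC 4226/6238 one-time codes and shows that a code typed into a fake page is still valid when the attacker forwards it a few seconds later. The second half models a WebAuthn-style assertion in which the browser writes the page's origin into the signed client data and the server checks it. The origins, challenge and credential key are invented, and HMAC stands in for the authenticator's ECDSA signature; that substitution does not change the origin-binding logic being demonstrated.

```python
import hashlib
import hmac
import json
import struct

# RFC 4226 / RFC 6238 test-vector secret (the published vectors use this value).
DEMO_SECRET = b"12345678901234567890"
# Made-up credential key for the origin-binding demo (stands in for a private key).
DEMO_CRED_KEY = b"credential-private-key-for-demo"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, step=30, window=1):
    """Accept the current step plus/minus `window` steps, as servers do to absorb clock drift."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + k), code) for k in range(-window, window + 1))


def relay_totp_attack(secret, victim_time, relay_delay):
    """Adversary-in-the-middle: the victim types a live code into the fake page at
    `victim_time`; the attacker submits it to the real site `relay_delay` seconds later.
    Returns True if the real site accepts the relayed code."""
    phished_code = totp(secret, victim_time)  # captured by the fake login page
    return verify_totp(secret, phished_code, victim_time + relay_delay)


# --- Origin-bound assertion (WebAuthn-style). The browser, not the page, fills in
# `origin`, and the authenticator signs over it; the server rejects any other origin.

def authenticator_sign(cred_key, origin, challenge):
    """Produce a signed client-data blob. HMAC stands in for the ECDSA signature (assumption)."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    payload = json.dumps(client_data, sort_keys=True).encode()
    return {"client_data": payload, "signature": hmac.new(cred_key, payload, hashlib.sha256).digest()}


def verify_assertion(cred_key, expected_origin, challenge, assertion):
    """Relying-party check: valid signature, the challenge we issued, and OUR origin."""
    payload = assertion["client_data"]
    expected_sig = hmac.new(cred_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False
    data = json.loads(payload)
    return data["type"] == "webauthn.get" and data["challenge"] == challenge and data["origin"] == expected_origin


def relay_webauthn_attack(cred_key, real_origin, phishing_origin, challenge):
    """The attacker forwards the real site's challenge to the victim's browser on the
    lookalike domain and relays the resulting assertion back. Returns True only if
    the real site would accept it."""
    assertion = authenticator_sign(cred_key, phishing_origin, challenge)
    return verify_assertion(cred_key, real_origin, challenge, assertion)


if __name__ == "__main__":
    print("RFC 6238 vector T=59 ->", totp(DEMO_SECRET, 59, digits=8))
    print("relayed TOTP accepted:", relay_totp_attack(DEMO_SECRET, 1_700_000_000, 15))
    print("relayed WebAuthn assertion accepted:",
          relay_webauthn_attack(DEMO_CRED_KEY, "https://sso.example.com", "https://sso-example.com", "n0nce"))
```

The relayed TOTP is accepted because nothing in the code ties it to where it was typed. The relayed assertion is rejected because the signed client data says "https://sso-example.com" while the relying party expects "https://sso.example.com". This is exactly the property that lets a phishing kit defeat SMS and app-based codes but not a security key or passkey.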

Educating employees about spear phishing awareness and prevention

Spear phishing depends on human connection to succeed. As a result, staff education plays a significant role in shielding companies from email attacks.  

Two educational components are critical. The first is training staff to recognize the hallmarks of spear phishing, such as inconsistent details or unusual requests. The second is getting employees to ask a simple question: is this action reasonable? If an email supposedly from the CFO asks an administrative assistant to buy thousands of dollars' worth of gift cards, does the request make sense? Why is it so urgent? Why has it never been mentioned before? The right response is to verify through an independent channel, using a phone number or chat contact already on file, never one supplied in the message itself. By getting staff to second-guess unusual requests, companies can prevent most attacks from succeeding.

Difference Between Spear Phishing and Phishing

While spear phishing is a subset of phishing, their approaches are different.  

Comparison of spear phishing and traditional phishing techniques

Think of phishing as casting a wide net. Attackers send out thousands or millions of emails and see what they can catch. While they know that upwards of 90% of their efforts will fail, all it takes is one successful click or download. 

Spear phishing attacks narrow the focus and lean into the social aspect of email. Instead of hoping for staff to make a mistake, spear phishing efforts look to cultivate trust, which in turn compels action.  

How spear phishing targets specific individuals or organizations

Spear phishing targets organizations that store or process high-value data, and the individuals who have access to this data. Cybercriminals first conduct research on the company itself, including any recent acquisitions or financial challenges, and then carry out reconnaissance on specific targets within these organizations.

Attackers may impersonate someone outside the company, such as a police officer or lawyer, or may create fake internal email addresses that seemingly belong to CIOs, CEOs, or CFOs.  

Understanding the impact and consequences of falling victim to spear phishing

If companies fall victim to spear phishing, the consequences can be costly. First are monetary costs: According to the IBM Cost of a Data Breach Report, costs of successful spear phishing attacks can reach $100 million. 

Next are the IT and reputational costs. If networks are compromised, IT teams need to spend time and money ensuring that all traces of the attack have been eliminated and all potential access paths removed. In addition, network breaches may cause business reputations to suffer, especially if customers' personal information is breached or stolen.  

Spear Phishing Prevention Tools and Solutions

The right combination of tools and solutions can help limit the likelihood and risk of a spear phishing attack.  

Overview of LastPass security features to protect against spear phishing

LastPass can help protect companies against spear phishing with secure, passwordless vault login. Users can log in to their LastPass vault on their desktop using the LastPass Authenticator app or a hardware key. From there, they can access all connected services without typing passwords, which makes it harder for attackers to capture credentials. Because a password manager fills a credential only on the site it was saved for, a lookalike domain such as yoourcompany.com receives nothing to fill, which is a useful tripwire for the user as well.

How LastPass helps users create and manage strong, unique passwords

Using LastPass Premium, staff can easily generate new, secure passwords which are automatically saved and synced, wherever they go.  

Other recommended security tools and resources for added protection

It's also worth investing in a robust 2FA or MFA solution to reduce the risk of compromise if credentials are stolen.  

In addition, companies can make use of AI-enabled security solutions to track and monitor suspicious network behavior. If threats are detected, IT teams are notified immediately and can take action before small issues become big problems.

Staying Informed About Spear Phishing

As spear phishing efforts evolve, it's worth staying in the know about what's happening right now, and what's on the horizon.  

Latest trends and techniques used by attackers in spear phishing

As noted above, phishing attacks have risen more than 1200% in the last two years. 

Why the sudden increase? One major factor is generative AI. These tools can produce millions of well-written, seemingly legitimate emails that are more persuasive than the error-ridden bulk phishing of the past. As a result, it's worth keeping track of new trends and techniques used by attackers.

News and updates on high-profile spear phishing incidents

There are multiple online resources for security news and reporting. Popular sites include Dark Reading, Schneier on Security, and Infosecurity Magazine.

Importance of regular security audits and updates to stay protected

Finally, companies need to carry out regular security audits and implement regular security updates to reduce the risk of spear phishing. Assessments of current security posture may reveal problems with email security scanning or user access permissions, while regular updates can reduce the risk of undetected vulnerabilities that could create a pathway for spear phishing attacks. 
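One audit check that follows directly from the spoofed-sender red flag discussed earlier is whether the company's own domain publishes sender-authentication policies (SPF and DMARC) that receiving mail servers will enforce; that is what stops an attacker from sending mail with an exactly matching From: address. The following is an added example written for this article, not LastPass code, and it goes a little beyond the page by naming those two records. It grades constructed sample TXT records rather than performing live DNS lookups; the domain names and record contents are invented for illustration.

```python
# Constructed sample TXT records (not live DNS answers) for three invented domains,
# illustrating the three postures an audit most often finds.
SAMPLE_DNS = {
    "monitor-only.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    },
    "wide-open.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 +all",
        "dmarc": None,
    },
    "enforced.example": {
        "spf": "v=spf1 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@enforced.example",
    },
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; pct=100' into {'v': 'DMARC1', 'p': 'reject', 'pct': '100'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record):
    """Grade the SPF 'all' qualifier: '+all' (or bare 'all') lets any host send as the domain."""
    if not record or not record.lower().startswith("v=spf1"):
        return ("fail", "no SPF record; receivers cannot tell forged mail from real")
    terms = record.split()
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return ("warn", "SPF has no 'all' mechanism; unlisted senders get a neutral result")
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return {
        "-": ("pass", "-all: unlisted senders fail"),
        "~": ("pass", "~all: unlisted senders soft-fail"),
        "?": ("warn", "?all: neutral, gives receivers nothing to act on"),
        "+": ("fail", "+all: every host on the internet passes SPF for this domain"),
    }[qualifier]


def audit_dmarc(record):
    """Grade the DMARC policy: only p=quarantine/reject at pct=100 actually blocks a forged From:."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ("fail", "no DMARC record; a forged From: header is delivered unchallenged")
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return ("warn", "p=none only reports; spoofed mail is still delivered")
    if policy not in ("quarantine", "reject"):
        return ("fail", f"unrecognised policy p={policy!r}")
    if pct < 100:
        return ("warn", f"p={policy} is applied to only {pct}% of failing mail")
    return ("pass", f"p={policy} enforced on all failing mail")


def audit_domain(domain, dns=SAMPLE_DNS):
    """Combine both checks for one domain from the sample record set."""
    entry = dns[domain]
    return {"spf": audit_spf(entry["spf"]), "dmarc": audit_dmarc(entry["dmarc"])}


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        for check, (grade, detail) in audit_domain(name).items():
            print(f"{name:22} {check:5} {grade:4} {detail}")
```

In a real audit the records come from TXT lookups of the domain and of _dmarc.<domain>; the grading logic is the same. A domain at p=none is the common finding: it produces useful reports but still lets a message from CEO@yourcompany.com reach the inbox when the attacker sends it from anywhere.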

While phishing remains the higher-volume attack vector, spear phishing poses significant risks for companies in terms of resources, costs, and reputation. 

Push back on spear phishing attacks with LastPass. Start your free trial today