What is spear phishing?

Spear phishing is an email scam targeting a specific individual, business or organizations. It’s like a standard phishing scam except the emails are personalized to target one group or person.

Cyber criminals use these types of attacks with the intention of accessing and selling confidential data to governments and private organizations.

The cyber criminals use individualized methods of social engineering to create a sense of legitimacy to the email. The objective of social engineering is to get anyone from a company or government agency to open a malicious link or visit a virus ridden website.

At that point the cyber criminals can steal the data they need in order to critically affect the target’s networks.

Spear Phishing Could Cost Millions

The city of Naples, Florida lost $700,000 in a spear phishing attack on Monday, August 5.

The money was sent to a fake bank account provided by an attacker posing as a Wright Construction Group representative contracted to work on an infrastructure project in downtown Naples, according to one of their news releases.

The city manager Charles Chapman said the cyber attack was an isolated incident and did not affect their data systems.

Other cities throughout Florida were also targeted in cyber attacks.

How Spear Phishing Works

Phishing and social engineering in general is increasingly becoming a popular method of hacking for cyber criminals, however spear phishing is particularly difficult to detect because they’re designed to appear legitimate and safe. It’s the same with counterfeit dollar bills. The more advanced the counterfeit is, the harder it is to recognize it as fraudulent or fake.
In a spear phishing attack, the hacker gets specific information about their victim to create a sense of trust and security. Like the cyber criminal in Naples who used the information concerning the contract between the city and Wright construction group to his or her advantage. They usually acquire this information through internet research, a previous phishing attempt, maybe a hacked account from within the organization and even social media.

Typical phishing attempts will ask you give some personal information. Sometimes hackers ask for a phone number, other times a credit card or bank account number. Spear phishing attempts follow a similar strategy only more specific. You might be manipulated to click on a link that downloads malware or led to a site that asks for a password or a social security number.

Whaling

There are other forms of spear phishing called “whaling”. Whaling involves targeting institutions posing as a company executive requesting an employee wire money to an account belonging to the hacker. The Naples attack is a modified version of whaling. Instead of posing as the CEO of Wright Construction Group targeting an employee, the cyber criminal posed as a representative of the company targeting one of its clients.

Like phishing, a successful whaling attempt involves coercing someone with a high profile or reputation. The intention can vary but it’s usually all about money. This could mean initiating a wire transfer as in the Naples case or installing malware that infects company servers and steals sensitive data.

Targets of whaling are executives, department heads, spokespeople. This means that they likely have information available to the public that other targets might not. Having importance within a company or an industry means that person is in the public eye. This might limit the pool of targets, but it also raises the reward.

Threats to Businesses

Because of what we’ve mentioned above, spear phishing is not only among the most common types of cyber-attacks, but probably the most dangerous. Most phishing attacks try to cast a wide net, hoping that a handful of email recipients unknowingly give them access to their business and data. All it takes is one person to click and the entire enterprise is at the mercy of a cyber criminal.

The Naples example coupled with these statistics are indicative of how effective phishing scams are. It’s important to be aware of how volatile one of these attacks can be and prepare your business against them.

Red Flags of Phishing

The important thing is to avoid clicking on anything until you know what it is and who it’s from with certainty. If someone you know shares a link or a document with you and it’s out of the ordinary that’s a sign it may be malicious.

If the email has a strange address with too many numbers or letters, it’s probably a phishing scam. Another give-a-way is the vernacular contained in the email.

Here’s an example: Let’s say you live in the US and you receive an email from your boss who also lives in the US and was raised in the US. If the email says something like, “Hey, I need you to run some errands for me this afternoon. Send me your mobile.” Mobile is a phrase commonly used in the UK not in the US and could be an indicator of a fake email. A lot of the time cyber attacks will overlook these small but telling details.

This requires a bit of deduction on your part, but if you’re familiar with the person who allegedly sent the email, then it should use this as a way of catching any abnormalities in their word-usage. A little research goes a long way also. If you’re receiving an email from a company, look it up and message them. If things don’t check out, report it through your email provider like Google or Outlook.

When successfully identifying an email as a phishing scam, alert anyone and everyone in your department. Raise awareness with as many people you can. This puts people in high alert and makes it less likely they fall for the same trick.

Protect Yourself

Phishing and spear phishing specifically might be difficult to spot, but that doesn’t mean you’re helpless against it.
Training employees and raising awareness is the first line of defense against phishing attacks. And with spear phishing becoming more selective, training should expand to clients, vendors and upper management.

Training

Just as we saw with the Naples attack, cyber-attacks are becoming more ingenious and varied. The city of Naples was a client of a construction company and rather than target the company, they targeted the vulnerable client. While employees might protect themselves from phishing attacks by implementing measures put in place by internal IT or a cloud provider, clients might not have these same advantages.

There needs to be a comprehensive training curriculum focused on educating as many people within an industry. Whether it’s clients of a financial firm or the firm itself, for example, there’s no telling who a hacker will target.

Mock tests

Simulating a phishing attack is a helpful tool to assess how employees behave under those circumstances. This would also help in gauging how aware your employees are of phishing attempts.
Spam filters: Once upon a time, spam was just annoying inconveniences that at worst lowered productivity. Now, spam is a useful tool for cyber attackers to target potential victims. Luckily, most spam filters work, and most companies have one.

Be aware of the kinds of information shared on social media. Useful details like birthdays and favorite activities can be found easily in today’s social media culture. Upcoming events can also be used to make spear phishing emails seem more legitimate. Be weary during a big conference or networking event of any strange requests in your inbox.

The Cloud

Cloud service providers often provide the protection and security to prevent a successful spear phishing attack. Nerds Support, for example, advises all its partners to send in any suspicious emails they receive to be analyzed and verified as safe to open. This is a simple technique that comes a long way in safeguarding against these kinds of attacks.
Going back to two factor authentication for a moment,

If an organization moves to the cloud, phishing risks must also be considered. If your company is using a public cloud, you’re accessing any and all relevant applications through the internet. Phishing is most successful when the apps are exposed to the internet, which is standard for a public cloud.

Private cloud hosted apps, like Nerd Support’s have the added security of a VPN (Virtual Private Network). VPN’s simply allow you to establish a secure connection with another network over the internet. However, hacker can always try and find the URL of a cloud service. That allows them to execute targeted phishing attacks on employees of the company.

Two-Factor Authentication

One of the best ways to fight against phishing attacks is a two-factor authentication. This is when you log in and the app or site requires you to log in through another device or apply another password. People see this usually with social media. Instagram and Facebook sometimes ask you to input a code sent to your phone or email. If a user inside a company is compromised in a phishing attack, the attacker won’t be able to access the organization’s IT if the second factor is constantly changing.

Two-factor authentication isn’t typical of most cloud services. Nerds Support offers this feature when you adopt its cloud system but it’s one of few exceptions. Dropbox is another cloud-based hosting service that adopted a two-factor authentication.