Spear Phishing

What Is Spear Phishing: Attacks & Training

Spear Phishing is an advanced and evolved form of phishing – a carefully researched attempt to trick a targeted victim into revealing confidential information. It’s a highly effective tactic and, with spear phishing attacks accounting for over 90% of successful data breaches, it’s also one of the biggest risks facing businesses today.

Read on to learn more about spear phishing and how our Security Awareness Training can help protect your organisation.

What is Spear Phishing?

Spear phishing is a precise phishing attack where the hackers research the target to find ways of making their ‘bait’ messages sound more personal and authentic.

This could include learning the target’s job title and company hierarchy to impersonate their boss, or finding information on their friends, family and financial circumstances to help commit fraud.

Spear phishing attempts are commonly carried out by email or text message (known as ‘smishing’) and the more research an attacker does, the more successful their attack is likely to be.

"The average impact of a successful spear-phishing attack: $1.6 million"

How many businesses are targeted by spear phishing each day?

With an estimated 3.4 billion phishing emails sent every day, it’s impossible to know exactly how many businesses are targeted specifically by spear phishing attacks.

Government data*, however, found that 39% of UK businesses suffered a cyber-attack in 2022 – with a whopping 83% of those attacks being classed as a phishing attempt.

How do spear phishing attacks differ from standard phishing attacks?

The main difference between spear phishing attacks and standard ‘spray and pray’ phishing attempts is that spear tactics are more personalised.

‘Spray and pray’ relies on quantity over quality, sending vague messages to as many people as possible – think deep-sea dredging rather than fishing from a line.

Most of these standard phishing attacks go after basic – but sensitive – user data and require very little social engineering skill.

Spear phishing, however, takes the opposite approach. These attackers use a combination of social engineering, patience, and tenacity to target the big phish.

By carefully researching and targeting specific employees or businesses, hackers can aim for higher value information, such as private documents, organisation secrets, confidential user data, and large financial accounts.

How a spear phishing attack works in seven steps

We’ve outlined the seven main steps a hacker will use to coordinate a successful spear phishing attack, to help you understand how you can protect both yourself and your organisation.

Target reconnaissance

The first step of any successful spear phishing campaign is research. Knowledge is power and the more information the hacker can find on a company’s people, structure, and processes, the more likely their attack will succeed.

Helpfully for the attacker, most of this crucial information can be found online – often shared publicly by the target. Business websites, personal and corporate social media pages, LinkedIn posts, company news articles, marketing materials and job descriptions can all provide the data they need.

Email enumeration

Once the attacker understands their target, they can move on to stage two: finding the right email address.

Hackers might buy lists of emails from the dark web, use custom code to scour the internet for addresses, or trick people into signing up for a fake subscription service. Then, using custom code, they can sift through these thousands of potential target addresses to find the ones that have the greatest chance of infiltration.

Email addresses are valuable, and for this reason they should be protected at all times. Only share your email when necessary and only to trusted parties.

Antivirus evasion

Antivirus software is a crucial tool for businesses, and even the most well-crafted spear phishing email may struggle to get through this solid shield.

There are, however, ways around it.

For instance, attackers might search for IT or computer-based job roles advertised by the target organisation. These types of role descriptions often include information about the software used in the business – even down to the antivirus suite and version number. This gives the hacker the opportunity to experiment with the software, learn how to tweak their emails and scripts, and ensure their safe delivery to the target’s inbox.

Bypassing firewall egress filtering

In a best-practice security scenario, firewall egress (the outbound traffic from a computer to the internet) rules will prevent any private data from being sent from the victim’s computer to a potentially malicious destination. This is often achieved with a filter that ‘locks down’ the network ports and only ‘opens’ those that are strictly necessary.

The hacker must bypass any potential egress filters if they hope to receive any information back from their phishing attack.

There are several ways to do this, but once these filters have been bypassed correctly, security software and firewalls will find it nearly impossible to detect foul play.

Choosing the phishing scenario

Technically, this is the simplest step of a spear phishing attack. It’s also, however, one of the most crucial, as it requires choosing a fitting scenario or template for their phishing ‘bait’.

One of the most common spear phishing scenarios – favoured for its simplicity and efficacy – is an email from the target’s IT department, requesting the installation of an urgent security patch. It might also come in the form of an emergency request from a relative, or a message from a manager demanding immediate action.

This is where the hacker’s research pays off, as they will know what scenario their target is most likely to click on.

The less security awareness training a victim has, the more susceptible they will be to a spear phishing attack. Regular simulated phishing tests and expert training make life much harder for hackers, as potential victims become adept at recognising and evading phishing emails.

Avoid the junk mail filters

The email has been crafted, the trap is set… all that’s left is for the hacker to ensure their phishing email arrives in their victim’s inbox – not in their junk mail folder.

Experienced hackers will avoid basic email spam blockers by buying and configuring a valid domain from a reputable registrar, such as Bluehost or GoDaddy. This adds authenticity to the email, increasing the hacker’s chance of a successful infiltration.

Pillage and plunder

The victim received the email, clicked the malicious link, and unleashed the payload (the harmful code, program or virus) into their computer. Now what?

Depending on the type of payload, immediate actions will vary but usually the bug will begin by stealing key information. For instance, it might use silent keylogging software to send back the victim’s keystrokes, allowing the hacker to learn their credentials.

Once the hacker has the login information they need, they can access vital data and take control of the victim’s websites, computer, or even their entire network.

At this point, the spear phishing attack has been successful. The hacker is in control and the amount of damage they can inflict is limited only by their own imagination.

Who is the target of spear phishing?

Spear phishing attacks can happen to any business in any industry. Multiple industry reports in 2022 found that over 85% of global organisations experienced some form of phishing or spear phishing attack in the last 12 months.

There are, however, some industries that are significantly more likely to experience a targeted phishing attack. These include:

  • Banks and financial services
  • Technology companies
  • Healthcare services
  • Business services
  • Delivery companies
  • Online shops

Within those industries, targets for spear phishing often include new hires and young people, who are less likely to recognise dubious messages or who feel pressured to follow orders without question.

CEOs and high-level managers are also at risk. Known as ‘whaling phishing’, this specific type of spear phishing targets senior staff and can cause devastating financial and reputational losses for a business.

Spear phishing training and awareness

Phishing Tackle’s simulated phishing campaigns and up-to-date training material offer everything your business needs to improve security awareness and reduce your risk of malicious attacks.

Discover how strong your current defences are with our free and automated Click-Prone® Test. Our extensive library of email templates allows you to send simulated phishing emails to every employee in your organisation to test their phishing and social engineering awareness. This means you can identify the users that are most likely to open and click on a phishing email – and are therefore most likely to put your company at risk.

With this data, you can then provide these vulnerable users with the appropriate training material from the Phishing Tackle platform. Our short videos, articles and customisable quizzes will give them the critical knowledge they need to protect themselves and your business from spear phishing attacks.

What helps protect from spear phishing?

There is no single method that can protect you from all spear phishing attempts, but there are steps you can take to help massively reduce the risk of a successful attack.

Follow the 5 steps below to slash your chances of becoming a phishing victim:

  1. DO NOT rely on a single layer of security. Much like musicians in an orchestra, spam filters, firewalls, malware detection and antivirus suites are all good in isolation, but become great by working together.
  2. DO perform regular simulated phishing campaigns and security awareness training. Your employees are your first and most important line of defence. The best security hardware in the world can be undone by a well-meaning but untrained employee – so ensure your staff are regularly tested and trained.
  3. DO regularly check websites like Phishing Tackle’s Data Breaches page or HaveIBeenPwned.com to discover whether your or a staff member’s credentials have been compromised.
  4. DO NOT send personal or sensitive information via email. This is one of the easiest ways to get hacked.
  5. DO install the latest updates on your equipment and software and make this a mandatory company policy. We know lengthy updates can be annoying, but by not updating your software you are leaving your business open to security vulnerabilities.

Caught in the wild - Real World Examples

One example of spear phishing, known as ‘Whaling’, is a form of “Business Email Compromise” (BEC). It is one of the most commonly used methods of spear phishing, as it creates a sense of urgency and panic in its victim. Few employees want to get on the bad side of their boss; hackers know this and use it as leverage in their campaigns.

The email itself is incredibly simple, and intentionally poorly written to convey the “CEO’s” need for a hasty response.

CEO Fraud Spear Phishing email asking for a wire transfer
The sense of urgency in the tone of the sender is often enough for an employee to panic, which can lead to disaster
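The warning signs described above (a boss's name, an outside address, an urgent payment request) can be checked mechanically at the mail gateway. The following is an added example, not Phishing Tackle's code: a small header triage that flags messages matching that pattern. The organisation domain, executive names, keyword list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"               # assumption: the defender's own mail domain
EXECUTIVES = {"jane doe", "sam patel"}   # assumption: names an attacker would impersonate
URGENCY = re.compile(r"\b(urgent|asap|immediately|wire transfer|today)\b", re.I)

# Constructed sample messages (not real mail).
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e-mail.test>
Reply-To: jane.private@mailbox.test
To: finance@example.com
Subject: urgent request

Are you at your desk? I need a wire transfer sent today. Reply asap.
"""
SAMPLE_OK = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review

Agenda attached for Thursday.
"""

def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw: str) -> list[str]:
    """Return the reasons a message looks like CEO-fraud bait (empty list = none)."""
    msg = message_from_string(raw)
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    external = from_domain != ORG_DOMAIN
    reasons = []
    if external and display_name in EXECUTIVES:
        reasons.append("executive display name on external address")
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    body = "" if msg.is_multipart() else msg.get_payload()
    if external and URGENCY.search(f"{msg.get('Subject', '')} {body}"):
        reasons.append("urgency or payment language from external sender")
    return reasons

if __name__ == "__main__":
    for label, raw in (("bec", SAMPLE_BEC), ("ok", SAMPLE_OK)):
        print(label, triage(raw))
```

None of these checks depends on the sending domain failing spam or authentication checks, which matters because a validly registered domain will pass them.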

Ransomware - Rare and extremely dangerous

Spear phishing attacks occasionally contain ransomware payloads, installing malicious software onto the victim’s computer. What the software will do exactly is a mystery to all but the hacker. That is, until the target activates the malicious software and becomes the victim.

Similar to the CEO Fraud email, this is a very simple design. It gives employees the feeling of “Don’t ask questions, just do it”, which is exactly what the hacker wants. Instead of requiring further communication and the free release of bank details/wiring instructions, all the hacker needs to be successful is for the victim to click the link.

One click of the link and the damage is done...

Success Story - Thwarted by Phishing Tackle

This email, sent to a member of the finance team of one of our clients, contained malicious software ready to be installed on the potential victim’s machine.

Using only first names, it shows the hacker has researched and knows the hierarchy within the potential victim’s organisation. You can also see the language used is casual, instead of formal, which suggests the hacker may have studied publications or other documentation to learn how the two interact. 

As this potential victim had a high level of security awareness training, they didn’t fall for it. Instead, they used Phishing Tackle’s Phish Hook button to report it to the IT Security team. This saved the company from a potential data breach, a fantastic result.

Spear phishing email with malicious attachment masquerading as a word document
Invoices are commonly used when targeting finance departments
