Email remains one of the main ways attackers gain an initial foothold in an organization. As employees have been trained to spot suspicious-looking emails, attackers have raised the sophistication of their approach, using every available means to make the message, the sender address and the link destinations appear legitimate, which makes these attacks hard to prevent.
What is Spear Phishing?
Generic phishing emails typically target many email addresses and have a lower return on investment – they’re easier to spot, and users will probably recognize them as suspicious.
Spear phishing campaigns target specific people in an organization. The attackers research high-value targets (for example, people with elevated permissions on a platform, or account managers for celebrities) and send convincing emails requesting money or information.
To make their emails look trustworthy, they register domains that resemble the targeted organization's, often differing by a single character somewhere in the middle. In some cases a legitimate domain of the organization, or a mailbox on it, is compromised, and the email is sent from a genuine address.
Using these similar or legitimate domains, threat actors might email someone in the payroll department and ask to change direct deposit details to a new routing and account number. They can pretend to be an executive and ask for proprietary information from another manager. Or they steal social media credentials and pretend to be President Obama seeking bitcoin donations.
Spear phishing keeps email an attractive attack vector, now backed by careful research into the target organization and its people.
Impact of Spear Phishing
These examples alone show the severe impact a spear phishing campaign can have. Large corporations are not the only targets: spear phishing campaigns also go after trusting employees at non-profits and churches to reroute funds.
Types of Spear Phishing Campaigns
Every spear phishing campaign is researched, but some specifically target senior executives and directors (often called whaling), or other employees with access to bank accounts, financial records, or intellectual property.
Two-factor authentication apps are not malware, but an app offered through an unsolicited email may well be. As two-factor authentication has spread, attackers have started to abuse it: a spoofed email claims the recipient must download a new app to keep using two-factor authentication on a bank website, and the app actually gives the attacker access to the phone and to the credentials entered on it. Authenticator apps should only be installed from the platform's app store or from the bank's own site, never from a link in an email.
A watering hole attack is a related form of targeted attack built around the target's hobbies and interests. The attacker uses social networking sites to discover which groups the target belongs to and which websites they frequent, compromises one of those less-secure websites, and waits for the "phish" to visit it and pick up the malware. Alternatively, they send an email purporting to come from that website with a malicious link to reset a password.
Typically, the goal is to install a keylogger on the target's computer so that the attacker captures credentials and can access the organization's systems with the target's level of authorization.
Most users know to be wary of unexpected attachments, so attackers spoof the addresses of existing employees or of the legal team to get a malicious file opened. Whether it is an infected PDF apparently from legal or an Excel file apparently from accounting, deciding which attachments are safe to open has become difficult.
Protecting Your Business from Spear Phishing
Even with such sophisticated targeting and motivated attackers, your company can still resist spear phishing campaigns.
Strong Spam Filters
Blocking mail from countries you do not do business with, and tagging messages whose sender address is outside the organization, can significantly reduce the number of spear phishing campaigns that succeed. Publishing and enforcing SPF, DKIM and DMARC for your own domains also makes it much harder for an attacker to send mail that appears to come from a genuine address.
Attachments will never disappear from daily work, but clear file-sharing policies (when to send a link instead of a file, who may share what, where the team's files live) reduce the number of infected files that get downloaded onto company devices.
When an executive requests a file for no apparent reason, or an employee emails new routing and account numbers for their paycheck, team members should be alert. Even where no formal policy requires it, the recipient should confirm the request over a separate channel, such as a phone call to a known number or a chat message, before acting on it; replying to the email only reaches the attacker. Some sensitive data should be entered by the employee themselves rather than handled by the payroll department at all (routing and account numbers can be changed through a payroll self-service dashboard instead of by email).
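The lookalike-domain trick described earlier (a sender domain one character away from the real one) and the external-sender tagging described here can both be checked mechanically at the mail gateway. The following Python is an added example written for this page, not Cyberpion code or a product feature. The organization domain example.com, the three messages and the confusable-character table are assumptions constructed for illustration. It goes one step beyond the text: it also flags a Reply-To header that points at a different domain than From, a common sign of business email compromise.

```python
"""
Added example (not from the original article): classify the domain of an
incoming message as internal, lookalike or external, and tag the findings a
mail filter would attach. ORG_DOMAINS, CONFUSABLES and SAMPLE_MESSAGES are
assumptions made for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumed: the domains this organization legitimately sends mail from.
ORG_DOMAINS = {"example.com"}

# Assumed table of substitutions that make a domain read like the real one.
# Multi-character entries come first so "rn" is folded before "1" or "0".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample messages, not real traffic.
SAMPLE_MESSAGES = {
    "payroll": (
        'From: "Dana Reyes, CFO" <dana.reyes@exarnple.com>\r\n'
        "To: payroll@example.com\r\n"
        "Subject: Updated direct deposit\r\n\r\n"
        "Please update my routing and account number before Friday.\r\n"
    ),
    "vendor": (
        "From: billing@vendor-invoices.net\r\n"
        "Reply-To: billing@invoice-desk.biz\r\n"
        "To: ap@example.com\r\n"
        "Subject: Invoice attached\r\n\r\n"
        "Please see the attached invoice.\r\n"
    ),
    "internal": (
        "From: it-help@example.com\r\n"
        "To: staff@example.com\r\n"
        "Subject: Maintenance window\r\n\r\n"
        "Mail will be offline Saturday 02:00-04:00.\r\n"
    ),
}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion,
    substitution or swap of two adjacent characters each cost 1. Swaps
    matter because 'exampel.com' is one swap away from 'example.com'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot and fold confusable characters, so
    'exarnple.com' and 'examp1e.com' both compare equal to 'example.com'."""
    d = domain.lower().rstrip(".")
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def classify_domain(domain: str) -> str:
    """'internal' for one of our domains, 'lookalike' for a close imitation
    of one of them, 'external' for anything else."""
    if not domain:
        return "external"  # no parseable domain: treat as outside
    d = domain.lower().rstrip(".")
    if d in ORG_DOMAINS:
        return "internal"
    nd = normalize(d)
    for org in ORG_DOMAINS:
        norg = normalize(org)
        if nd == norg or edit_distance(nd, norg) <= 1:
            return "lookalike"
        # Same name under another TLD (example.com -> example.net).
        if nd.rsplit(".", 1)[0] == norg.rsplit(".", 1)[0]:
            return "lookalike"
    return "external"


def check_message(raw: str) -> dict:
    """Parse one RFC 5322 message and return the verdict on its From domain
    plus the findings a filter would attach as a banner or header."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or "")
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_addr.rpartition("@")[2]
    verdict = classify_domain(from_domain)
    findings = []
    if verdict == "lookalike":
        findings.append(f"From domain {from_domain!r} imitates an organization domain")
    elif verdict == "external":
        findings.append("EXTERNAL sender")  # the tag the article recommends
    # Replies going to a different domain than the one shown in From.
    if reply_domain and reply_domain.lower() != from_domain.lower():
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    return {"from": from_addr, "display_name": from_name, "verdict": verdict, "findings": findings}


def run_samples() -> dict:
    """Check every constructed sample and return the results by name."""
    return {name: check_message(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result['verdict']} {result['findings']}")
```

The confusable table and the distance threshold are deliberately conservative; in production you would tune both against your own domain list, because a short legitimate domain produces more near neighbours than a long one.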
Simply reminding employees and customers about the threat of spear phishing can keep them wary of suspicious emails.
Find out if your online presence has been compromised with continual Ecosystem Security Scans from Cyberpion. This dashboard will alert the IT team about any new or potential vulnerabilities, so they can respond before there’s a breach.