What's A Spear-Phishing Attack and To Protect Yourself From It

Do you know what is the most favorite methodology of hackers to break into your security? These are not highly sophisticated zero-days or Advanced Persistent Threats (APTs).

The hackers like the easiest way to the reward - the low-hanging fruit.

They can get your information by simply asking for it. How do they do it? Threat actors hack your information by hacking your emotions and trust! They make you give away sensitive information or click on a malicious link instantly through emotional manipulation.

Such attacks are called social engineering attacks. A phishing attack is one of the most common and most lethal social engineering attacks. In phishing, attackers design emails to gain sensitive information from the victims or launch malware in their systems.

In this article, we will learn about a special type of phishing attack targeting organizations: spear phishing. 

You may wonder how spear phishing is different than regular phishing. Spear phishing is specifically designed against the target organization using the information of their employees.

These attacks are highly effective as the attacker finds the openly available information of the organization through social networking websites and designs the attack accordingly. Spear phishing emails not only appear to be relevant and authentic, but they also have an impression of urgency, making victims respond immediately.

Organizations become victims of such scams easily losing millions to hackers. Earlier this year, an Indian subsidiary of Italy-headquartered organization Tecnimont SpA lost millions due to a spear-phishing attack from Chinese hackers.

The hackers sent emails to the head of the Indian subsidiary through a spoofed email ID of group CEO Pierroberto Folgiero. This email asked for immediate fund transfers for a secretive project. So the threat of spear phishing to the organizations is real.

Small and medium businesses are more prone to such cyber attacks. To ensure the cybersecurity of your business, it is imperative to understand how the attackers design and carry out such scams. 

There can be various kinds of potential threat actors - hackers, hacktivists, business competitors, even state actors can be involved in sabotaging your business.

They carry out their attack in a systematic manner which includes research work, crafting bait emails, and waiting for the catch to infiltrate your security. Let’s have a look at each step in detail:

The threat actors work as spies on the internet. They try to gather all of the information of an organization and its employees from social media platforms.

Take an example: An attacker makes a fake account on LinkedIn and connects with most of the employees of an organization. She also gathers information about the employees such as email addresses and phone numbers from the company’s website.

The hacker then selects a few potential victims and finds more information about them on other platforms such as Facebook, Instagram, and Twitter. After gathering relevant information, she moves towards the next step - designing a spear-phishing attack.

There are various ways to design a phishing email. For example, the attacker can make a spoofed ID of a senior executive. This email ID will look almost similar to the original ID.

Hackers can send spear-phishing emails to a number of your employees. The targeted employees are asked to open a malicious attachment or click on a link that takes them to a spoofed website. The malicious website will ask them to provide passwords and other private information.

Spear-phishing can also trick the employees into downloading malware after they click on links or open attachments in emails. The content of the email may contain an element of urgency. For example, the attacker drafts an email like this: “Urgent response required. Check the attachment for detail”. 

After sending the emails, attackers wait for the response. One response from an employee can make their attack successful. For example, if even one of the employees downloads the malicious attachment, the malware can sabotage the organization’s network.

Phishing emails are designed on a certain pattern. If we observe closely, we can identify them easily. Following are a few essential elements of a phishing email:

Phishing emails play with your emotion. Sometimes they have a sense of fear in them. For example: “Your Facebook account is hacked! Click the link to retrieve your account”. They may also have a sense of excitement or surprise.

For example: “Congratulations! You have won a lottery! Click on the link for details.” They may also play with your empathy. For example: “COVID-19 patients need your immediate help. Please donate.” Such emails are highly suspicious. Report them and delete them.

If you observe the above examples closely, you will notice that they all had an air of urgency. The victims of phishing emails are fooled into responding immediately. 

This is what the hackers do - They manipulate your instinct of trust and simply ask for your personal and financial information. Do not give your information by email, phone call, or SMS.

The links provided in the phishing email are not secure. The best way to identify phishing links is by using secure phishing detection services such as Google Transparency Report. 

Spear phishing is a real threat to your business. You can protect your business from such scams by following these best practices:

The best way to defend your company from spear-phishing scams is education. The employees of your company are the first line of defense against phishing attacks. Well aware employees can detect and report such scams instantly. There should be a systematic mechanism of reporting phishing scams against an organization to all employees so that they become alarmed against the threat. 

Offensive security mechanism requires pro-active attacker approach against cyber threats. For example, security experts should design and launch phishing scams within the network of an organization to detect loopholes and improve security awareness among the employees.

This includes various defense tools such as firewall, endpoint security system, data protection tools, anti-malware, and network intrusion detection systems. All software used by your organization should always be patched to enhance cybersecurity. Furthermore, there should be a solid incident response plan to mitigate the impact of such attacks.

Employees must be trained against threats on social media. It is not safe to share your personal and financial information on social networking websites. Furthermore, revealing your company’s private information on social networking websites can be a huge breach in your organization’s security. All employees must be aware of the social networking code of conduct.