Decoded: Spear phishing
Spear phishing is a favourite technique for many cyber criminals and can be used to gain access to systems or launch damaging ransomware attacks. Learn all you need to know about staying safe.
Spear phishing is a technique attackers use to gain unauthorised access to an organisation’s network.
Scammers will typically send an email disguised as an innocuous piece of company business to a target. Once the victim opens the email and unwittingly follows the instructions it contains, the attacker will be able enter the user's network. They can then wait for the right moment – sometimes months later – to commit any number of crimes.
How does it work?
Like many scams, spear phishing relies on social engineering to be successful.
Spear phishing emails usually claim to contain documents that the recipient must review urgently, such as figures they requested or an invoice that they need to approve.
The email often claims these supposed business documents are time-sensitive and important, and need the victim to click on a link or open an attachment in order to access them. The email may also ask the target to enter their login details before they can view the document.
Once the victim has followed the attacker's instructions, rather than receiving the documentation they had hoped for, the target will instead have unwittingly handed over their corporate passwords or downloaded malware to their network. Both are means for the attacker to access the network and the data within.
How is spear phishing different from other types of phishing?
'Everyday' phishing is a numbers game: the phishers send out as many generic emails as possible in the hope that, even if only a tiny proportion of recipients respond, the financial gains will still be significant.
Spear phishers, however, often have particular targets in mind, and will study their intended victims in order to craft more specific emails. By garnering even a few facts about a person from their social media profiles, an attacker can personalise their phishing email to the individual's interests – including their name in the email and adjusting the title of the attachment to reflect an important matter in their industry, for example. Professional social media accounts can also provide details of work relationships and so the scammer can spoof the sender's email address to make it appear to come from a colleague.
By making the spear phishing email more like an everyday work communication and less like the traditional badly-spelled, non-specific phishing email, an attacker may be able to overcome an employee's resistance to being phished.
Why is spear phishing carried out?
There are several reasons. As with standard phishing, a spear phisher may be seeking to gain bank or credit card details to steal money – a corporate account can be rich pickings compared to a consumer account just before payday. Equally, it may be a means of installing ransomware, which can then be used to extort money from the victim.
Spear phishing may also be a way of gaining access to information the company holds, such as customer contact details, which can be sold on or otherwise exploited by online criminals. It can also be used to get access to a more important target: a compromised corporate email account can be used to send a phishing email to a CEO, in the hope of getting access to more valuable information.
For those in sensitive industries, the spear phisher may be after more specific data, such as information on a product pipeline, which may have a monetary value when sold to rivals or used for other ends, such as manipulating the stock market.
How can you protect against it?
All the standard security best practices apply here: keeping security software up to date, patching systems, ensuring emails are scanned before they reach users, and employing analytics to detect any unusual network behaviour.
And, given how staff missteps are often the best way an attacker has of entering a network, make sure that staff are fully trained on how to identify spear phishing emails and know never to give away their credentials.