While “phishing” has entered the vocabulary of most email users, the concept of spear phishing is one that’s more elusive to the general public. It is a rarer type of cyber attack, but attention must be paid to this increasingly dangerous form of email crime. Both the FBI and the U.S. Secret Service have warned that 2015 could be the “year of spear phishing” – in June, the U.S. Secret Service issued a bulletin, warning that they are seeing a “significant increase in the frequency, sophistication, and fraud losses” associated with the rise of spear phishing attacks.
So what exactly is spear phishing and why is it progressively rearing its ugly head?
Where phishing scams involve a broad and varied range of targets, spear phishing homes in on a specific group, organization or even person. It is a very targeted email scam whose sole purpose is to obtain unauthorized access to sensitive data. This could be theft of intellectual property, financial data, trade or military secrets – generally high-value, confidential data.
Like phishing, spear phishing is an attack typically carried out via email, and could be sent with either a malicious attachment or with a link to a malicious website. However, spear phishing emails are much more targeted, counting on familiarity to succeed. Spear phishers are much more sinister than phishers – for example, they will likely know enough about you to personalize the greeting to “Hi [First Name]” instead of “Dear Sir”. Cyber criminals may know details such as where you work, or have information about your recent online purchases. Referencing these details in their email makes the message seem legitimate, making the victim more likely to hand over the information the attackers are after.
Here are a few examples:
- The most common spear phishing emails seemingly come from the CEO and are sent to the CFO, instructing the CFO to wire money related to some kind of super-secret operation, over to an unfamiliar account. Alternatively, Financial Controllers at the company receive similar spoofed emails purporting to come from their CFOs.
- A cybercriminal looking for intellectual property data could fake an email from a senior company executive and send it directly to a more junior staff member, requesting copies of a document they need urgent access to. Because the request is urgent, by the time the staff member realizes that the executive never sent the email, the documents have already been compromised. The spear phishing email could also link to a file share or other document storage tool used to view the requested documents, which can then be used to infiltrate the network and conduct other thefts or harmful acts.
With the growing availability of platforms through which attackers can leverage personal information, such as social media sites, potential victims are increasingly easy to identify and target.
As hackers continue to launch more sophisticated spear phishing attacks, the deployment of the DMARC standard for email authentication will only grow as organizations look to reduce the potential for email-based abuse. DMARC can help stop criminals from spoofing a brand’s own domains and combat spear phishing by identifying and blocking fake emails that appear to be from trusted and even internal email delivery domains.
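To make the mechanism concrete, here is an added example (not code from the original post or from any DMARC product) of how a receiving mail server applies a domain's published DMARC policy. It takes the SPF and DKIM results the receiver has already computed, checks that the authenticated domain is aligned with the domain in the From header the user sees, and if neither check is aligned and passing, falls back to the p= policy the domain owner published. The DMARC records, the domains (bank.example, attacker.example) and the message authentication results are all constructed for the example, and the organizational-domain helper is a simplification of what real receivers do with the Public Suffix List.

```python
"""
Minimal DMARC policy evaluator (added example, not code from the original post).

Given a DMARC record published by a domain owner and the authentication
results a receiving mail server has already computed (SPF and DKIM), decide
whether the message passes DMARC and, if not, what the policy says to do.
All records, domains and message results below are constructed samples.
"""
from dataclasses import dataclass
from typing import Tuple

# Constructed sample DMARC records as they would appear in the DNS TXT record
# at _dmarc.<domain>. Both domains are placeholders.
DMARC_RECORDS = {
    # Weak setting: monitor only. Spoofed mail still reaches the inbox; the
    # domain owner merely receives aggregate reports about it.
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    # Hardened setting: spoofed mail is rejected, DKIM must align strictly.
    "bank.example": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@bank.example",
}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, applying the RFC 7489 defaults
    for alignment mode (relaxed) and policy (none)."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Simplification: real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain under the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header shown to the user
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated for
    dkim_pass: bool
    dkim_domain: str   # d= of a validated DKIM signature, "" if none


def evaluate_dmarc(msg: AuthResults, record: str) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition). DMARC passes when at least one of SPF
    or DKIM both passes and is aligned with the From domain; otherwise the
    disposition is whatever p= the domain owner published."""
    policy = parse_dmarc(record)
    spf_ok = msg.spf_pass and aligned(msg.from_domain, msg.spf_domain, policy["aspf"])
    dkim_ok = (msg.dkim_pass and bool(msg.dkim_domain)
               and aligned(msg.from_domain, msg.dkim_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy["p"]   # "none", "quarantine" or "reject"


# Constructed spoof: From: ceo@bank.example, but relayed by a server that only
# passes SPF for its own domain and carries no DKIM signature for bank.example.
SPOOFED_CEO_MAIL = AuthResults(
    from_domain="bank.example", spf_pass=True, spf_domain="attacker.example",
    dkim_pass=False, dkim_domain="")

# Constructed legitimate message from the company's own mail gateway.
LEGIT_MAIL = AuthResults(
    from_domain="bank.example", spf_pass=True, spf_domain="mail.bank.example",
    dkim_pass=True, dkim_domain="bank.example")


if __name__ == "__main__":
    for label, msg in [("spoofed", SPOOFED_CEO_MAIL), ("legitimate", LEGIT_MAIL)]:
        print(label, evaluate_dmarc(msg, DMARC_RECORDS["bank.example"]))
```

The two records show the setting that matters: with `p=none` the evaluator still reports the spoof as a DMARC failure, but the disposition is "none", so the forged CEO email is delivered anyway; only once the owner moves to `p=quarantine` or `p=reject` does the receiver act on the failure. The relaxed SPF mode (`aspf=r`) is what lets the legitimate gateway at mail.bank.example pass for mail sent as bank.example, while strict DKIM (`adkim=s`) requires the signature to be for exactly the From domain.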
Anyone who wants to take a proactive approach to eliminating all types of malicious email, including spear phishing, should investigate and implement DMARC in order to protect their business.