Norton UK Blog
What is Spear Phishing and How does it Operate?
Spear phishing may sound like something Bear Grylls does at the weekends but it’s actually a pretty sneaky form of cyber-attack. Most people will be familiar with phishing – and spear phishing is like its smarter little brother...
Imagine that the big brother is sending out lots of random emails to people, asking them to click on a nasty link or trying to squeeze some sensitive information out of them. The little brother, on the other hand, is doing research on a few handpicked people and then sending them personalised emails that are much more believable.
Spear phishing is essentially a more sophisticated version of phishing, with hackers impersonating an associate, friend or a service provider like your bank or PayPal. They use a recognisable name to lower your defenses and ask you to click on a malicious link or to supply sensitive information like passwords, bank details or social security numbers.
Spear phishing attacks tend to be directed against a specific individual or organisation rather than aimed at a wide audience of potential victims. It utilises tactics like sender impersonation, email personalisation and inside information to succeed. It’s often just the preamble to the real attack so you might not realise that you’ve been duped until it’s too late.
So what is spear phishing?
Spear phishing typically uses faked correspondence from friends or associates to get someone to unwittingly download a piece of malware or to release sensitive information. The first point of contact with a potential victim is usually through email or social media. It’s all about setting a trap and waiting to see if a victim will bite.
Hackers can focus their attention on specific employees or individuals with a discerning approach to entrapment. If the victim falls for the trap, it tends to pave the way for a bigger attack on the person or on their employer.
If you’re the subject of one of these types of spear phishing attacks, the attacker has most likely done their homework on you. They’ll know your name, your email address and they’ve probably trawled through your online accounts to find personal information about you.
They may have checked your social media posts for information about a recent purchase, to look for recent travels, or to discover the names of your friends and colleagues. With so much information online these days, it’s easier than ever to draw up a rough profile of a target’s activities or associates. This information then offers attackers an opening they can exploit.
Spear phishing attacks on an organisation target the weakest links in its security chain – its employees. A typical attack might target a broader group of employees with what looks like a work-related email. So you might get a work email from your “supervisor” that contains a link or an infected attachment that could expose your entire network to attacks. Alternatively, they may look to “check” logins or passwords.
A “good” spear phishing attack will use a trustworthy individual or organisation as a cover, include enough details to make it seem legitimate, make a plausible request or include a good piece of bait. Email or social media accounts are typically used to make the approach.
Security experts suspect that a spear phishing attack may have been behind a recent hacking of the US State Department. The theory is that the breach came about after hackers successfully targeted young employees through their social media and email accounts. This is an alarmingly easy way for state-sponsored hackers to infiltrate the security systems of rival governments or countries.
The most recent Norton Internet Security Threat Report showed an 8% increase in spear phishing attacks in 2014, with 83% of companies with more than 2,500 employees being targeted by spear phishing attacks. Small and medium businesses also saw attacks increase by 26% and 30% respectively.
The report also found that spear phishing attacks are starting to ditch spammy mass mails to large target groups in favour of selecting fewer recipients with a more co-ordinated approach. Taking more time to plan fewer attacks can reap more rewards in the long run.
So why do people fall for them?
Most IT workers are sick of telling people not to click on suspicious links. Their department might intercept most risks before they reach a person’s inbox but occasional mails still slip through. Most people know not to click on dubious links. It’s internet security 101.
Yet there seems to be a “Don’t Press the Big Red Button” quality to these links. People know they should avoid it but they’re still tempted by that enticing attachment, the warning about their bank account, or an invitation from a “friend.”
Spear phishing relies on the fact that people are curious and can take things for granted if they look convincing. Like most confidence tricks, it uses established psychological tricks because they’re effective. If it’s not broken, why fix it?
Ultimately, there’s a reason that attackers like to use this form of attack to infiltrate organisations or companies. It’s much easier to exploit human curiosity or gullibility than it is to hack a complex security infrastructure. Why waste time on a full frontal assault when it’s much easier to sneak in the back door?
Another development is the move away from infected executable files (ending with an .exe) as the main source of attack. Malicious document attachments are now the most common form of attack, being used in 39% of attacks in 2014. Hackers can use docs, PDFs, JPEGs or other innocent looking attachments to trick people into clicking – which can lull people into a false sense of security.
The reason that spear phishing attacks are on the increase is because they work. Directing an attack on a smaller group and taking a tailored approach is more likely to achieve a result than sending out lots of spammy cyber threats to a huge audience.
Hackers have got very good at creating emails that look like they’re legitimate. In fact, some of them look authentic enough to slip through spam filters. This is a much more sophisticated approach than the infamous foreign prince scam so people need to be constantly alert to the threat.
What can you do to avoid it?
The best way to stay protected is to know what to look out for in a typical spear phishing attack. If you get a letter from a bank asking for passwords or sensitive information, contact the bank directly rather than responding to the mail. No financial institution is going to ask you for those details via email.
The same thing applies if a “friend” gets in touch with a strange request or a message that contains a suspicious link. If you’re on social media, the chances are that you’ll come across this type of thing at some stage. At least one of your friends will click on something they shouldn’t and end up generating a compromised email or message that arrives in your inbox.
The other obvious piece of advice is to avoid being too open on social media. It’s no harm keeping your friends updated but just consider whether your posts could be used against you. Be especially careful when posting to public accounts like Twitter and Instagram.
Be wary of links that look suspicious or have unusual URLs. One trick is to hover over a URL without clicking it to see where it will take you. It will show you the full address in the bottom of your browser. If you’re still in doubt, try contacting the sender.
The most obvious way to protect yourself from spear phishing is to get good security software to give you a solid defence against attacks or infections. Make sure that you install updates to your browser and OS in a timely manner to ensure that security patches or updates can be applied.
Common sense is your first defence against most spear phishing scams. If something looks dodgy or sets off alarm bells, then trust your instincts.
Find out more about online threats and how to avoid them: