Spear-phishing is one of the most highly targeted forms of phishing in the cyberattack landscape.
In previous articles we’ve covered other forms of phishing, and most of them share a mass approach, for example sending the same email to thousands of targets.
Spear-phishing, by contrast, relies on a more sophisticated and researched method, as we’ll see in this article.
What is Spear-Phishing
It’s 9 am. Michael is the Regional Sales Manager for a systems integrator. He takes his coffee cup and goes to his desk at his home office to start the workday. Then Michael fires up Outlook and sees that Ian Downes (CEO) has a message for him. Ian wants Michael to see the new guidelines for home office workers, so he has sent a document.
Michael opens the GDocs file, which carries the company’s letterhead, a few recommendations on remote work, and a link to fill in an internal survey on the subject, claiming it’s mandatory. He clicks on the link, which asks for his GSuite credentials to access the survey.
He has just handed his credentials to an attacker, who now has access to all his files, both his private ones and those shared with him.
That’s the perfect Spear-Phishing scam: a common type of cyberattack where criminals adopt a targeted approach to tricking an individual into disclosing sensitive information or undertaking actions such as initiating wire transfers.
Spear-phishing is a highly targeted approach because the perpetrator uses highly personalized information about the target to convince them the message is legitimate.
Phishing vs. Spear-Phishing
As we saw in the example above, Spear-Phishing involves dedicated research on the target company and users, including names, visual details, corporate language, hierarchy, etc.
Customization is the most significant difference between this attack and common phishing scams. In the latter, attackers cast a wide net with generic email and page templates, hoping to succeed through volume alone. In spear-phishing, by contrast, the approach is surgical, detailed, and crafted to successfully impersonate real people inside a company.
While both can generate the same losses for an organization, spear-phishing targets critical people in departments such as finance, HR, and others that hold sensitive information.
How Serious is Spear-Phishing?
Just to give you an idea of the seriousness of these attacks, data room company Firmex found that this is the most successful form of attack resulting in data exposure, and that it accounts for 91% of all attacks.
Bear in mind these figures come from a pre-pandemic world, without the added component of remote work. In our scenario with Michael, he was not at the office, where he might have sensed something was wrong just by talking to a colleague: “hey, they sent another survey; what a bore, huh?”. Being physically distant from the office makes the attack even more likely to succeed.
Types of Spear-Phishing Attacks
Whaling is the most famous form of spear-phishing. Since the attack requires more crafting, attackers must carefully select targets to maximize returns, so whaling, with its “high-value target” philosophy, is commonly used.
Some experts talk about CEO fraud, which falls within whaling since it has the same mechanics. Still, it’s worth mentioning because it focuses on attacks that impersonate a high-level executive.
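As an added example (not code from the original article), here is a header-level check a defender could run over inbound mail to flag the pattern from the scenario above: a display name matching a known executive paired with a sender domain that is not the company's own, plus Reply-To and Return-Path mismatches. The executive list, the internal domain and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed, hypothetical values: the executives an attacker is most likely to
# impersonate (as in the whaling/CEO-fraud cases above) and the company's mail domain.
EXECUTIVES = {"ian downes"}
INTERNAL_DOMAIN = "example.com"


def impersonation_signals(raw_message: str) -> list[str]:
    """Return the header-level reasons a message looks like executive impersonation.

    Three checks, all on headers only: an executive's display name paired with an
    external sender domain, a Reply-To that steers replies elsewhere, and a
    Return-Path whose domain does not match the From domain.
    """
    msg = message_from_string(raw_message)
    signals = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Drop a parenthesised title such as "(CEO)" before matching the name.
    base_name = re.sub(r"\s*\(.*?\)\s*", " ", name).strip().lower()
    base_name = re.sub(r"\s+", " ", base_name)
    if base_name in EXECUTIVES and domain != INTERNAL_DOMAIN:
        signals.append(f"display name {name!r} is an executive but sender domain is {domain!r}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        signals.append(f"Reply-To {reply_addr!r} differs from From {addr!r}")
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and return_path.rsplit("@", 1)[-1].lower() != domain:
        signals.append("Return-Path domain differs from From domain")
    return signals


# Constructed sample message mirroring the article's scenario (not a real email).
SAMPLE = """\
From: Ian Downes (CEO) <ian.downes@examp1e-mail.net>
Reply-To: ceo.office@examp1e-mail.net
To: michael@example.com
Subject: New guidelines for home office workers

Michael, please read the attached guidelines and complete the mandatory survey.
"""

if __name__ == "__main__":
    for reason in impersonation_signals(SAMPLE):
        print("suspicious:", reason)
```

Such a rule only catches display-name and header mismatches; a compromised internal account that sends from the real domain passes it, so it complements rather than replaces user awareness.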
How to Avoid Spear-Phishing?
A recent survey from GreatHorn points out that users fail to identify nearly half of phishing attacks. This happens because employees lack cybersecurity awareness and because cybercriminals do their job well, creating highly customized emails that resemble real ones. So it’s essential to highlight the roles of both organizations and users in avoiding the consequences of these attacks.