Spear phishing is a type of phishing attack in which the attacker carefully personalizes their email based on diligent research. Where a typical phishing email is designed to be blasted to as many people as possible, a spear phishing email is specifically written with a single recipient in mind.
In the time it takes to craft and send one spear phishing email, a scam artist could shotgun blast a one-size-fits-all phishing email to hundreds of recipients. So why bother? Spear phishing attacks are normally reserved for high value targets, such as business and government organizations. But they can target individuals as well, especially if they think that person has a high chance of giving them a big payout.
What are spear phish going for? Just like other phish, the point of nearly all spear phishing attacks is to make money. They might be looking to win over your trust just long enough for you to give them money directly. Or they might be after your password or sensitive info so they can ransack your bank account, your company’s accounts, or valuable customer data.
In this article, we’ll go over a quick example, dive into details on how spear phishing works, and offer some tips on how people and organizations can protect themselves from spear phishing attacks. Read on.
Spear Phishing Example Email
Because spear phishing emails are highly personalized, no example email is going to be a 1-for-1 fit unless it’s written with one specific reader in mind. For the sake of our example, assume that the hypothetical scam artist has done their research and discovered his target executive’s son was recently in a fight at school.
Subject: Neil Murphy behavioral issues
Dear Mr. Murphy:
Following recent behavioral issues, we’ve submitted a case record into our ERIS documentation system. You can click here to log into the portal and review the file.
Once you’ve seen the case file, please book a meeting with me at your earliest convenience so we can discuss next steps. This can also be accomplished through the portal linked above.
Happy to answer any questions.
School Counselor, Washington Township K-12
Why is this effective?
As you can see, this is a highly effective spear phishing attack. They’ve done their research and crafted an email the recipient was already expecting – and probably dreading.
And this is an emotional thrust to the heart. Any caring father would feel something when they read this. Whether that’s nerves, anger, frustration, disappointment – or all of the above. Strong emotions cause us to lower our guard, making the recipient all the more likely to react without thinking twice.
What’s more, the address looks authentic – the “from” line matches the school district in question. Beware though, as email addresses are easy enough to fake.
So how could you spot the spear phish? The most important thing to look for is the link. If you look closely, you’ll notice that it doesn’t link to the website it claims to link to. That’s a big red flag, and you should be especially careful with any website that asks you to log in – that’s where they nab your password, which they will then try to use to log into any of your accounts.
How Spear Phishing Attacks Work
The standard phishing attack is simple enough: draft the email, blast it out to as many people as you can, and see who bites. Spear phishing attacks are more involved, and proceed in three steps: research, the email itself, and follow up.
Step 1: Research
Research is the step that distinguishes spear phishers from the other phish in the sea. Instead of firing blindly, the spear phisher carefully researches their target so they can personalize their attack.
These days, spear phish can get a lot of mileage out of Open Source Intelligence (OSINT). OSINT refers to any information that’s publicly available. Instead of digging for information, you can find out quite a bit just by checking someone’s social media profiles and searching for them on Google.
Think about what someone could learn just from snooping on Facebook: your family, where you’re from, where you went to school, your job, hobbies, interests – the list goes on.
That doesn’t mean spear phish never dig deeper for info. But most rely on what’s freely available, and most of the time? That’s plenty.
Step 2: The Email
Once they’ve finished their research, the spear phisher writes their attack email. Usually they exploit some combination of the following:
- Matches expectations
- Exploits emotions to lower your guard
- Tricks you via impersonation
Let’s touch on each of these briefly.
Matching expectations
This is where the research pays off. Once they know about their target, they can craft an email that matches exactly what that person would expect to receive. That might be a perfectly timed college reunion invite, an email playing off your department’s big initiative for the quarter, or, as in our example, an email pertaining to a recent event.
Because they line up with their target’s reality, they can look pretty unassuming in your inbox. This isn’t some fake Nigerian prince writing out of nowhere – instead, the spear phisher sends exactly the email you would expect to receive.
Although a spear phish researches as much as possible about their target, a typical email revolves around one key theme. In the above example, they’re writing about a specific incident. The attacker might also seize on one of your company’s ongoing campaigns or concerns. In the high profile DNC hack of 2016, Russian hackers even leveraged an ongoing anti-phishing campaign to phish their target with a fake “change your password” notice from Gmail. Very meta.
Exploiting emotions
Phish of all stripes like to exploit people’s emotions to override our natural sense of caution. Think about the above example – if it was about your kid, would your first thought be to closely examine the email itself?
Most frequently, phishing emails will play off fear, with themes of legal, medical, or financial trouble. They also love to create a sense of urgency – what better way to get someone to click without thinking than to threaten to lock them out of their bank account if they don’t act within the hour?
The art of impersonation
Finally, spear phishers will go to great lengths to make you think they’re someone you can trust. From graphics to the message text to the email address itself, there’s little they can’t fake.
You can sometimes tell a phish by the “from” address. But that won’t necessarily protect you – it’s surprisingly easy for someone to send the email from any address they want, in a tactic known as email spoofing. Check this example:
This is a spoofed email I sent to myself from a fake whitehouse.gov email address, with little to indicate it’s fake. A legit email will include “mailed-by” and “signed-by” lines listing the domain that sent the email. But how often are you prepared to check for that?
Even with those lines, you can’t be absolutely certain who wrote and sent an email. When a spear phish compromises someone in an organization’s account, they can then use that email address to message other people within the organization. At that point, the spear phish is actually sending the email from within the organization’s email domain, and there’s no way to tell who really sent it. Scary.
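The “mailed-by” and “signed-by” lines mentioned above correspond to the envelope sender (the SPF identity, taken here from Return-Path) and the DKIM signing domain (the d= tag). The check below, added as an example and not part of the original article, parses a constructed spoofed message and shows why a message can pass both checks and still not be from the domain in the “from” line: the passing domains simply don’t match it. All header values are made up for the example.

```python
import email
import email.utils
import re
# Constructed sample (not a real message): the visible From claims whitehouse.gov, but
# the envelope sender (Gmail's "mailed-by") and the DKIM signing domain ("signed-by")
# both belong to a different domain, and both checks still pass for that domain.
SPOOFED = """Return-Path: <bounce@mail.example-bulk.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mail.example-bulk.net;
 dkim=pass header.d=mail.example-bulk.net
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example-bulk.net; s=sel;
 h=from:subject; bh=ZmFrZQ==; b=ZmFrZQ==
From: "The White House" <press@whitehouse.gov>
To: target@example.org
Subject: Urgent: please review

Click here to review.
"""
# Same headers with every domain consistent, as a genuine message would look.
LEGIT = SPOOFED.replace("mail.example-bulk.net", "whitehouse.gov")

def domain_of(address: str) -> str:
    """Lowercased domain of an address header such as From or Return-Path."""
    _, addr = email.utils.parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def tag_value(header: str, tag: str) -> str:
    """Read a tag=value pair out of a DKIM-Signature or Authentication-Results header."""
    match = re.search(rf"(?:^|[;\s]){tag}=([^;\s]+)", header or "")
    return match.group(1).lower() if match else ""

def check_alignment(raw: str) -> dict:
    """Compare the From domain with the domains that actually mailed and signed the message."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    mailed_by = domain_of(msg.get("Return-Path"))          # SPF identity
    signed_by = tag_value(msg.get("DKIM-Signature"), "d")   # DKIM d= domain
    auth = " ".join(msg.get_all("Authentication-Results", []))

    def aligned(domain: str) -> bool:
        # The same organisational domain, or a subdomain of it, counts as aligned.
        return domain == from_domain or domain.endswith("." + from_domain)

    return {
        "from_domain": from_domain,
        "mailed_by": mailed_by,
        "signed_by": signed_by,
        "spf_pass": tag_value(auth, "spf") == "pass",
        "dkim_pass": tag_value(auth, "dkim") == "pass",
        "aligned": bool(from_domain) and aligned(mailed_by) and aligned(signed_by),
    }
```

The spoofed sample reports spf_pass and dkim_pass as true but aligned as false, which is exactly the gap a reader has to notice by eye when the mail client only shows the two lines.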
Each of these three tactics is potent on its own. Many spear phishers will use all three to write the perfectly crafted email that matches expectations, exploits emotions, and seems to come from someone you know. So how can you protect yourself from getting spear phished in such a scenario? More on that in a minute.
Step 3: Follow Up
A dedicated spear phisher doesn’t stop when they hit send. They’ll often call their target to follow up, in a practice known as voice phishing, or vishing. In our example up top, someone might call claiming to be a school counselor, and push their target to log into their fake portal.
And just because a spear phisher has compromised someone’s password doesn’t mean they’re done phishing. One mid-level account access might not be enough on its own to secure the big haul they’re looking for. So they’ll use that account to send more spear phishing emails, until they get the high level access they need to score big.
This is often called whaling, the pursuit of CEOs and other high value targets. Why eat the phish when you can use it to bait a whale?
How to Protect Yourself From Spear Phishing Attacks
So how can you protect yourself from a carefully targeted spear phishing attack? Even though the tricks and tactics outlined above can be powerful in the hands of an experienced spear phisher, there are great ways to stay vigilant and safeguard yourself from spear phishing attacks.
Watch for Links
As we discussed above, you can’t always trust the sender is who the “from” line says they are. However, if you look carefully, you can verify a URL.
Never click a link in an email directly. Instead, right click it, copy the link address, and paste it into your browser’s address bar. Don’t hit enter right away! Take a minute and look it over. Look closely, as scammers like to create clone websites with URLs that closely resemble the sites they claim to be. The difference between letter sequences such as “rn” and “m” is just a few pixels, and is easy to miss unless you look closely.
Better yet, just go to the website directly. This works best if it’s a website you go to normally, such as your bank or a company login page. If you type in the URL yourself, there’s no chance you’re getting phished.
Even if you’ve already clicked on an email link, it might not be too late to catch yourself. If the link sends you to a login page, you can still take a moment to carefully examine the address bar to ensure you’re on the right domain.
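The two checks this section asks the reader to do by eye (does the link go where its text says, and is the domain a near-miss of one you trust, such as “rn” standing in for “m”) can be automated over an email body. The script below is an added example, not code from the original article; the trusted domain list, the HTML body and the look-alike table are all constructed for it, and the LinkCollector class just gathers each anchor’s href and visible text.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Domains the reader expects to log in to, plus a constructed HTML body to audit (not real).
TRUSTED = {"washtwp-schools.example", "bank.example"}
EMAIL_HTML = """<p>We've submitted a case record into our ERIS documentation system.
You can <a href="http://washtwp-schools.exarnple/login">click here</a> to log into the portal.
Statement: <a href="https://bank.example.evil-host.example/x">https://bank.example</a>
Help: <a href="https://bank.example/help">https://bank.example/help</a></p>"""
# Character pairs that look alike at a glance; "rn" vs "m" is the one the article cites.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def host_of(url: str) -> str:
    """Lowercased host of a URL; bare 'bank.example' text without a scheme also works."""
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def normalize(host: str) -> str:
    # Collapse look-alike sequences so 'exarnple' and 'example' compare equal.
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html: str) -> list:
    """One finding per anchor: the host it really goes to and why it looks suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, reasons = host_of(href), []
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != real:  # link text claims one site, href goes to another
            reasons.append(f"text shows {shown} but link goes to {real}")
        if real not in TRUSTED and normalize(real) in {normalize(t) for t in TRUSTED}:
            reasons.append(f"{real} is a look-alike of a trusted domain")
        findings.append({"href": href, "host": real, "reasons": reasons})
    return findings
```

Running audit_links(EMAIL_HTML) flags the “click here” link as a look-alike of the school domain and the statement link as pointing somewhere other than the bank it displays, while the help link comes back clean.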
Watch What You Post Online
Any information you publish about yourself can be used by a prospective spear phish to scam you. Don’t make their job any easier than it has to be. If you have personal information openly available on Facebook, for instance, you should probably just take it down. Do you really have a good reason to have info like your hometown, graduating class, and workplace online? If not, delete or hide it.
Spear phishers will also study your posts to find recent events they can use in their attack emails. I would limit who can see your posts to immediate friends. It’s worth going back over your friends list in full, to see if there’s anyone on there you don’t recognize. If you don’t know somebody, you should not be friends with them on Facebook.
Manage Your Passwords with Care
Many phishing attacks lure their victims into divulging passwords. But scammers seldom stop at the account that password belongs to, and will often try the same login on every other account they can find.
By using a unique, strong password for every login, you can significantly reduce the impact if one of your passwords gets lifted. Many cybersecurity experts even advocate changing your passwords every three months. That probably sounds like a lot of effort, and might require you to memorize 100 or more passwords every year.
Fortunately, the best way to securely manage passwords also saves you time. Just use a password manager to create and manage unique, strong passwords across your accounts. It might sound risky using one keyring to manage all of your passwords. That’s why you’ll want to choose wisely and carefully guard your password manager of choice. You can see a few options in this article on Wired, and I encourage you to conduct your own research.
How Organizations Can Protect Themselves From Spear Phishing Attacks
Because spear phishing is so time intensive relative to other phishing tactics, spear phishers tend to focus on nabbing high-value payouts from organizations. If they successfully target an organization, they could nab the personal information of thousands or even millions of customers in one heist. Scary stuff.
The above tips apply to organizations as much as they do to individuals. But the below are especially important for organizations hoping to protect themselves from spear phishing attacks.
Phishing Awareness Training
The best way to protect your organization is by maintaining vigilance and awareness across all levels of an organization. A spear phish only needs to fool one person to penetrate a company, so you really are only as strong as your weakest link. And because executives are the highest value targets, it’s crucial that they’re included in your training program, along with everyone else.
Follow Up and Test
A strong phishing awareness training isn’t a one-and-done affair, and should be reinforced throughout the year. Follow up with reminders and education so that your team stays vigilant.
To really know how safe your organization is, you’ll need to test: that means sending fake phishing emails to see if anyone falls for the bait. Remember, the goal isn’t to punish your team or call any one team member out. It’s to keep your team vigilant and assess how well protected your company is so that you can follow up accordingly.
Give People a Clear Way to Report Suspicious Emails
What happens when a team member receives a suspected spear phishing email? If your company doesn’t have a clear process, it’s likely they’ll simply forward the email to someone who might or might not be the right person. And there’s a very real chance that person will accidentally click the link, download the file, or otherwise fall for the phishing attack. It happens.
That’s why it’s vital for organizations to have a clear process in place to report suspicious emails. You’ll want to make it easy, so that people will actually do it – don’t make them call anyone to report an email. The easiest way to do this is to set up a distinct email address, such as firstname.lastname@example.org. The important part is that you have a process in place so that people don’t forward scam emails, thus increasing your company’s vulnerability.
Don’t Ask For or Give Out Sensitive Information Via Email
When it comes to passwords or other sensitive information, you should be especially careful. If someone emails you asking for login information, don’t just email them back. Walk over or call that person directly to verify that they sent the email. If they did, you can give them the login information yourself.
Remember, if one person’s account is compromised, a spear phish can then email anyone within a company as that person. They can also just search that person’s email inbox for “password” and “username” to see if that person has asked for or received their password via email. If someone ever does email you a company password, make sure to delete it as soon as you’ve learned the login information.
Two Factor Authentication
Two factor authentication is the best tech tool by far to protect passwords within your organization. With two factor authentication, you’ll need more than just a password to log on to your accounts.
In its most common form, you’ll be texted a one-time code to enter in. That way, no one can access your account unless they have your phone in hand. It might take a few more seconds to log in, but it’s well worth it to protect your accounts – and those of your company.
Two factor authentication is a great defense, but it’s not impenetrable. As such, it should exist alongside awareness programs, not in place of them.
The Bottom Line
Because spear phishing attacks are so carefully researched and personalized, they are some of the hardest phishing emails to detect and avoid. The best way to stay safe is to stay aware and vigilant. With an organization, that means bringing everyone on board to protect your company from phishing attacks.