What is spear phishing?

These attacks are most often associated with email, but they can also occur via text messages, telephone or chat apps.

The objective of a spear phishing attack is to convince the recipient to send money, divulge sensitive information or perform actions that compromise their (or the organisation’s) security.

Spear phishing scams are low-volume but high-impact. In a 2023 analysis of over 50 billion emails, enterprise security firm Barracuda found that despite accounting for less than 0.1% of all emails, spear phishing was responsible for 66% of breaches.

How does spear phishing work?

Spear phishing is a sophisticated technique where criminals conduct extensive background research on an intended victim and then craft emails that are personal and persuasive.

What’s more, emails often appear to come from known or reputable sources such as coworkers, business partners and upper-level management.

By leveraging personal details and other contextual information, spear phishing emails may bypass standard security measures and exploit the human tendency to trust senders who appear authentic.

Here’s how it works in practice.

Step 1 – Set the objective

Most spear phishing attacks have one or more of the following objectives:

1. To steal money – victims may make a wire transfer to a fraudulent vendor or be tricked into sharing their credit card details.
2. To spread malware or ransomware – which are often hidden in email attachments.
3. To steal sensitive information such as intellectual property (IP) or trade secrets – the fraudster may pretend to be a coworker of the victim and ask them to share sensitive data.
4. To steal user credentials – emails may instruct the victim to update their password with a link that points to a fraudulent website. Once the credentials have been entered, they captured by the bad actor.

Step 2 – Choose the victim

The choice of victim depends on the objective of the attack. In general, however, the victim is someone who can give the fraudster what they want.

If the objective is to steal money, then the victim is someone who has the authority to make payments. If the objective is to infiltrate a network to steal information, the victim is someone with system privileges.

Some spear phishers target new or low-level employees who may be unaware of the risks or at least more easily persuaded. Others will target executive-level employees only (so-called “whaling” attacks).

Step 3 – Reconnaissance

Fraudsters then visit social media platforms and collect information about the victim. They may also browse other sources of publicly available information which, collectively, comprise open-source intelligence (OSINT).

These sources include:

• Websites, personal blogs, forums and news articles.
• Public records such as government databases and legal documents.
• Television, radio, newspapers and related online publications, and
• Research papers, dissertations and academic journals.

In more sophisticated attacks, criminals use machine learning to analyse public data. Others will break into company email accounts to observe the victim and collect even more information.

Step 4 – Crafting the message

Step four is the culmination of the first three steps.

Essentially, the spear phisher crafts a message with details the victim believes only a trusted source would know.

Messages incorporate the information learned thus far plus other cues that lend authenticity to the scam, such as:

• The name and signature of a co-worker.
• Knowledge of a past or current project.
• A company logo and other graphics, and
• Formal, corporate language

Social engineering tactics are also used to pressure the victim. These are particularly effective in spear phishing attacks since fraudsters often impersonate a superior and take advantage of a subordinate’s tendency to respect authority.

Other common tactics include:

• Creating a sense of fear or urgency – a spear phisher may pose as a vendor and claim that payment is overdue.
• Appealing to strong emotions – phishers also use emotions like guilt, gratitude and greed to cloud the victim’s judgement. For example, someone posing as the victim’s boss may promise a reward for helping them out with a last-minute task.
• Pretexting – a broad tactic where a situation (or pretext) is created by an attacker to put the victim in a vulnerable position. This position causes them to behave atypically.

A hypothetical spear phishing example

Sarah Smith is a Senior Financial Analyst at AlphaTech Corporation, while Michael Thompson is the CFO.

Sarah and Michael have been working on a confidential merger between AlphaTech and Beta Innovations codenamed “Project Fusion”.

Last week, the pair discussed financial models and projections in a private meeting.

Sarah receives an email purporting to be from Michael.

From: michael.thompson@alphatechcorp.com

To: sarah.johnson@alphatech-corp.com

Subject: Urgent – revisions to project fusion financial models

Attachments: Project_Fusion_Models_Update.xlsm

Hi Sarah,

Following up on our meeting last Wednesday about Project Fusion, I’ve reviewed your financial projections and made some adjustments concerning the EBITDA margins and the integration costs we discussed.

The board meeting has been moved up to Monday at 9 AM, so we need to finalise these numbers urgently.

Please find the revised financial models attached. Pay special attention to the third worksheet where I’ve highlighted the changes in yellow. Let’s aim to have a brief call later today to go over any questions you might have.

Also, keep this strictly confidential as per our NDA.

Best regards,

Michael Thompson

Chief Financial Officer

AlphaTech Corporation

Email analysis

Here is an analysis of Michael’s email and how certain characteristics conspire to deceive Sarah:

1. Specificity and background information – the email references the confidential project by name and also mentions EBITDA and other costs that were discussed in private.
2. Familiarity – the email appears to come from someone Sarah knows personally and communicates with regularly. Both point one and point two build trust and credibility.
3. Urgency and confidentiality – “Michael” emphasises the need for urgency by bringing the meeting forward. He also advocates for confidentiality in line with company protocols for sensitive projects.
4. Spoofed email address – the email address used by the fraudster impersonating Michael is missing a hyphen.
5. Professional tone – the language and signature match typical corporate communications.
6. Malicious attachment – the attached file Project_Fusion_Models_Update.xlsm is a macro-enabled Excel file that contains malware.

Once installed, the malware grants attackers access to sensitive financial data and other confidential project details.

How can spear phishing be avoided?

Based on the above example, we can see that a few simple checks on Sarah’s part could have prevented the successful spear phishing attack.

The subtle discrepancy in email address is easy to overlook, but an obvious giveaway nonetheless. In addition to email verification, Sarah could have phoned Michael to verify the contents of the email itself. For example, that the meeting had been brought forward.

Failing these checks, email security software that detects and blocks phishing emails (or at least scans for malicious links) is also crucial. It would also be important for AlphaTech to disable macros across its Office products to prevent system-wide compromise.

Otherwise, the business could enable multi-factor authentication (MFA) to prevent criminal access and encrypt sensitive data.

Security awareness training is also a worthwhile investment to ensure that employees recognise the warning signs of a spear phishing attack before it has a chance to cause damage.

Summary:

• Spear phishing is a targeted cyberattack where fraudulent emails or messages are sent to specific individuals or organisations. Often, criminals adopt the identity of someone who is trusted by (or familiar to) the victim.
• Generally speaking, spear phishing has four distinct phases: set the objective, choose the victim, reconnaissance and crafting the message.
• Like other types of phishing, spear phishing relies on various social engineering tactics to be successful. To thwart an attack, employees need to be aware of these tactics and make a habit of verifying the sender or contents of an email.