What Is Spear Phishing?
Spear phishing is a cyberattack method that hackers use to steal sensitive information or install malware on the devices of specific victims. Spear-phishing attacks are highly targeted, hugely effective, and difficult to prevent.
Hackers use spear-phishing attacks in an attempt to steal sensitive data, such as account details or financial information, from their targets. An attack requires significant research, which often involves acquiring personal information about the victim. This is typically done through accessing social media accounts to discover information like their name and email address, who their friends are, their hometown, employer, recent purchase history, and locations they visit. Attackers then disguise themselves as someone their victim trusts, usually a friend or colleague, and attempt to acquire sensitive information via email or instant messaging tools.
The scale of the threat is highlighted by Proofpoint’s State of the Phish report, according to which 88% of organizations around the world experienced a spear-phishing attack in 2019. Of those organizations, 55% suffered a successful spear-phishing attack, while 65% of U.S. organizations fell victim to spear phishing.
How Does Spear Phishing Work?
A spear-phishing attack often hinges on weeks or months of research to increase the likelihood of success. A hacker may research which person in a company has access to the most valuable company data or the most vulnerable segment of the company's network.
For instance, someone in the accounts receivable department may have access to customer payment information. Or someone who works in HR may be able to access sensitive employee personal data like social security numbers. The attacker's objective is to leverage someone's position or daily responsibilities to get the biggest possible payoff from their attack.
Then the hacker sends an email or a series of emails with:
- A link to a spoofed site that asks for the victim’s personal info or access credentials
- Malicious links that, when clicked, download malware onto the victim’s computer
- Requests for usernames and passwords that would give the attacker access to sensitive areas of the network or social media accounts
Spear Phishing vs. Phishing
A common spear-phishing definition used throughout the cybersecurity industry is a targeted attack method hackers employ to steal information or compromise the device of a specific user. Spear-phishing messages are addressed directly to the victim to convince them that they are familiar with the sender. The attacks require a lot of thought and planning to achieve the hacker’s goal.
Phishing is a broad term for attacks sent to multiple people in a bid to ensnare as many victims as possible. Phishing attacks involve a spoofed email that purports to be from a genuine sender or organization. The message contains a link that, when recipients click on it, prompts them to enter their personal information and then downloads malware onto their device.
The key difference between these two attack methods is that spear-phishing attackers go after a specific individual, whereas phishing takes a blanket approach targeting multiple victims. Spear-phishing attackers methodically target a victim to use them as a way into an organization or to steal information, while a phishing actor does not care who their target is. They just want to steal as much information as possible or cause damage.
Spear phishing requires more preparation and time to achieve success than a phishing attack. That is because spear-phishing attackers attempt to obtain vast amounts of personal information about their victims. They want to ensure their emails look as legitimate as possible to increase the chances of fooling their targets. The highly personalized nature of spear-phishing attacks makes them more difficult to identify than widescale phishing attacks.
Spear Phishing and Whaling: The Differences and Similarities
Whaling is a form of spear phishing that specifically goes after high-level executives. It uses the same approach as regular spear phishing, in that the attacker purports to be an individual the recipient knows or trusts. However, whaling often requires even more time and investment in researching and crafting highly targeted messages than spear phishing.
A whaling attack usually targets people who have direct access to financial or payroll information or who are responsible for making payments. The attacker does the same type of research they would do for a spear-phishing attack to compose a message that appears to be from a trusted colleague. This will likely be the CEO or someone of similar standing within the organization, but they could also pretend to be a potential supplier. The attacker then sends a message that coerces the victim into sharing financial information or even making payments.
Cyber criminals are willing to put in this time and research as the high-level executives they target are more likely to fall victim to these types of attacks than other employees. This is because executives such as CEOs are often under more pressure, face more time-critical tasks than other employees, and are more likely to underestimate the security risk.
Whaling attacks have also been used to target high-profile individuals, such as politicians and celebrities, which makes them vastly lucrative to attackers.
Real-world Examples of Spear Phishing
Although there have been countless spear phishing attacks over the years, here are some of the most notorious:
- The Los Angeles Superior Court (LASC) hack: A man from Texas used a fake Dropbox email to steal account credentials for the LA Superior Court System. The hacker was able to access LASC servers and then send many more phishing emails using the accounts he had hacked.
- The Omaha commodities theft: An executive of a commodities trader in Omaha, Nebraska, ended up transferring $17.2 million to a phisher, thinking he was sending it to a Chinese bank. The attacker researched the company’s situation at that time and used that info to make the attack more believable.
- The Ubiquiti Networks attack: Attackers pretended to be an employee of the tech company Ubiquiti Networks and then convinced Ubiquiti to wire $46.7 million overseas.
Spear Phishing Prevention Best Practices
While spear phishing is a highly effective method for cyber criminals to maliciously obtain personal information, steal money, and hack organizations, there are ways for businesses and people alike to defend themselves from these attacks.
For example, tools like antivirus software, malware detection, and spam filters enable businesses to mitigate the threat of spear phishing. Businesses should educate employees and run spear-phishing simulations to help users become more aware of the risks and telltale signs of malicious attacks. They should also have an established process in place for employees to report suspicious emails to their IT and security teams.
Five Tips to Avoid a Spear Phishing Attack
- Keep software updated: Wherever possible, it is vital for organizations to ensure they enable automatic updates on software. Doing so protects them from the latest security attacks. It also ensures email clients, security tools, and web browsers have the best possible chance of identifying spear-phishing attacks and minimizing the potential damage. Also, ensure that a data protection program and data loss prevention technology are in place at the organization to protect against data theft and unauthorized access.
- Minimize password usage: Passwords are a common target of spear-phishing attacks, and it can be devastating if they get into the wrong hands. No password, or variation of a similar password, should ever be reused on another account. If an attacker gains access to one, then they gain access to all. Password manager tools can be useful for keeping track of various credentials and making passwords as strong and complex as possible. But strengthening security to prevent spear-phishing attempts relies on removing password usage wherever possible.
- Deploy multi-factor authentication: Given the risk of relying on passwords, two-factor or even multi-factor authentication is now crucial for all organizations and online services. This adds an extra layer of security on top of simply logging in to a service with a username and a password. It can include information that a person knows, such as their first school or mother’s maiden name, something they have, such as a unique code sent to an authentication app, or something they are, like their fingerprint.
- Educate your employees: An educated, security-conscious workforce is one of the best ways to prevent spear-phishing attacks. It is important that every employee in an organization knows how to spot sophisticated phishing emails, recognizes unusual hyperlinks and email domains, and will not be fooled by unusual requests to share information. A reliable way of avoiding malicious links being clicked is to advise employees to go directly to websites rather than following any links from any email message. This advice should be applied to people's personal email and social media accounts, not just in the work environment.
- Use common sense: A big part of spear-phishing avoidance boils down to people using common sense. For example, real businesses never send emails asking people for their usernames and passwords or access codes. People need to question the validity of any email that asks them to share personal information. They should never share financial or payroll information over email or online without speaking to their trusted contact first. They should also be careful about clicking attachments or links in emails. It is likewise important not to make personal information available online and ensure there are privacy settings limiting what people can see.
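As an added example, not part of Fortinet's page or its products: a small Python checker for the tells the tips above describe, namely a lookalike sender domain, a Reply-To that routes answers elsewhere, and link text that differs from the real destination. It assumes a list of the organization's legitimate domains (TRUSTED_DOMAINS); the sample message is constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not from the page): lookalike sender, foreign Reply-To, misleading link.
SAMPLE_EML = """\
From: "Jane Doe (CFO)" <jane.doe@examp1e-corp.com>
Reply-To: payments@mail-examp1e.net
Content-Type: text/html; charset="utf-8"

<html><body>Bob, please sign in at
<a href="http://example-corp.com.login-verify.net/sso">https://sso.example-corp.com</a>
and confirm the vendor payment today. Thanks, Jane</body></html>
"""
TRUSTED_DOMAINS = {"example-corp.com"}  # assumed: the organization's real domains
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def addr_domain(header_value):
    # domain of the first address in a header, '' if the header is absent
    m = re.search(r"@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else ""

def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """One char off a trusted domain (l -> 1) or using it as a decoy prefix."""
    for t in trusted:
        if domain == t:
            return False
        one_off = len(domain) == len(t) and sum(a != b for a, b in zip(domain, t)) == 1
        if one_off or domain.startswith(t + "."):
            return True
    return False

def analyze(raw, trusted=TRUSTED_DOMAINS):
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom, reply_dom = addr_domain(msg["From"]), addr_domain(msg["Reply-To"])
    if is_lookalike(from_dom, trusted):
        findings.append(f"lookalike sender domain: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain differs from From: {reply_dom}")
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text.strip()).hostname or "").lower()
        if text_host and text_host != href_host:  # visible URL lies about target
            findings.append(f"link text shows {text_host} but points to {href_host}")
        elif is_lookalike(href_host, trusted):
            findings.append(f"link to lookalike domain: {href_host}")
    return findings
```

Running analyze(SAMPLE_EML) flags all three tells; a message from the trusted domain with no Reply-To and no links produces no findings.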
How Fortinet Can Help
Fortinet provides industry-leading solutions that protect organizations from the highly targeted, meticulously researched, and sophisticated nature of spear-phishing attacks. Fortinet FortiSandbox confines suspicious files or documents to an isolated environment, away from devices, networks, and users. In this environment, the sandbox analyzes behavior for malicious intent and then issues an alert and threat intelligence information to prevent an attack.
Fortinet also protects against spear phishing through its Secure Web Gateway (SWG). Fortinet SWG safeguards businesses from internet-based threats without affecting end-user experiences. FortiMail, a comprehensive, top-rated email security solution, prevents phished messages from reaching employees' inboxes.
Aside from the above security tools, training employees on how to recognize and report suspicious emails is necessary to prevent spear-phishing attacks. Organizations must ensure they practice cybersecurity hygiene to stop attackers from infecting machines and gaining access to their networks.
What is Spear Phishing vs. Phishing?
Spear phishing and phishing are two distinct cyberattack methods. Spear phishing is a targeted technique that aims to steal information or place malware on the victim's device, whereas phishing is a broader attack method targeting multiple people. Both techniques involve emails that purport to be from a trusted source to fool recipients into handing over sensitive information or downloading malware.
What are the Characteristics of Spear Phishing?
Spear phishing is a highly targeted cyberattack method that is highly effective and difficult for businesses to prevent. The method requires significant research on the part of hackers, who need to acquire personal information about their victims. They then use information like the victim's name, email address, friends, hometown, place of work, and geolocation to pose as a person the victim trusts.
What Protects Users from Spear Phishing?
Traditional security solutions arm businesses with protection against spear phishing, but attacks are becoming increasingly difficult to detect. User education is crucial to increasing awareness of sophisticated phishing emails and recognizing unusual hyperlinks, email domains, and unusual requests for information-sharing. Businesses must also implement processes that limit access to sensitive information whose exposure would cause critical damage.
What is Clone Phishing?
Clone phishing is a form of spear-phishing attack. Hackers copy a genuine email message and send it from an email address that looks valid, but the copy contains a malicious attachment or hyperlink that leads to a cloned website with a spoofed domain. The attackers’ goal is for the victim to enter sensitive information on the fake website.
Discover more information about spear phishing and how Fortinet can help your business recognize and prevent modern cyber scams.