Spear Phishing

We’re smarter than we used to be. Fewer people today will click a suspicious link in an email they weren’t expecting, and general phishing attacks are much less successful than they once were; the ‘spray and pray’ technique of sending as many emails as possible in the hope that someone falls for one is becoming far less useful. Unfortunately, the bad guys are getting smarter too. That’s where spear phishing comes in.

What is it?

Spear phishing is a more sophisticated form of phishing. It still relies on social engineering to trick people into sharing private information or opening malware-infected files or websites, but it is far subtler. Where regular phishing sends generalized emails to as many people as possible, spear phishing targets specific people or organizations. A well-written email that appears to come from a legitimate source, such as a colleague, an executive or a known supplier, is sent to the targets, asking for information or for a link to be clicked. Because it is so well thought-out and thoroughly researched, victims are much more likely to fall for it.

Spear phishing can also arrive through ‘contact us’ forms or as fake requests for quotes. Keep reading to find out how it works.

How does it work?

The trick is to find the information about your company that is already out there, available for anyone to see. Maybe the attacker got the CEO’s contact details from your company website, or the HR rep’s email address from their public LinkedIn profile. They will need a sender address that looks real, typically a look-alike domain or a forged display name, but once they have the information, all that is left is a little more research on your company to make the message seem as legitimate as possible, and then to send it off with the infected link or attachment, or the ‘innocent’ request for information, attached.

Some clever spear phishers have also begun to use company ‘contact us’ forms to launch their attacks. Fake requests for quotes or product inquiries sent through these forms are becoming more popular. Some even borrow the name and contact details of innocent, unrelated businesses, so watch out! (See “How can we be prepared?” for tips on avoiding these scams.)

Why is it used?

While generic phishing still works, it is becoming less effective as people become more informed about security risks and data privacy. With targeted spear phishing, attackers are much more likely to ‘catch’ the unsuspecting ‘fish’. Even if they only land the ‘smaller fish’, they can use whatever information or access they gain to work their way up. For example, if an attacker tricks a receptionist into giving away their login details, they can take over the receptionist’s email account and use it to email company higher-ups. A message that arrives from a genuine internal address looks nothing like a forgery and is far more likely to be trusted.

Fake requests for quotes, or orders shipped to fake addresses, can dupe companies into sending products or performing services for the bad guys. The victim ends up stuck with the bill when the requester suddenly disappears. Sending a quote can seem innocent enough, but quotes give attackers more information about your company and how it works, and can lead to further attacks. These attacks can be quite nefarious!

How can we be prepared?

Because they are so carefully made, spear phishing attempts can be much harder to spot. The best defense is employee education. Employees must be taught to be suspicious of anything asking them to click a link or hand over sensitive information. If you are not expecting an email with this type of request, always check with the supposed sender before you answer or do anything, and check through a channel you already trust (a known phone number, a walk to their desk, or a fresh message to the address in your own contacts) rather than by replying to the email itself. Carefully check the sender’s email domain, not just the display name, and keep an eye out for odd vocabulary or misspellings; a look-alike domain that swaps, drops or adds a letter, and unusual wording, are indicators of a fake email. Never blindly trust an email just because it ‘seems’ legit. Pair the training with multi-factor authentication, so that a password given away in a moment of inattention is not enough on its own to take over the account.
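Checking the sender domain is something a mail gateway or helpdesk script can do consistently rather than leaving it to eyesight. The Python below is an added example and is not code from the original article; the trusted-domain list, the homoglyph table and the sample From: headers are assumptions constructed for illustration. It flags the tricks described above: a display name that shows one address while the real address is another, a trusted domain smuggled in as a subdomain of someone else’s domain, homoglyph look-alikes (rn for m, Cyrillic letters, digits for letters) and one- or two-letter typosquats.

```python
# Added example (not from the original article): flag look-alike sender
# domains and display-name tricks in an email From: header.
# TRUSTED_DOMAINS, the homoglyph table and the sample headers are assumptions
# constructed for illustration; replace them with your own data.
import re
import unicodedata
from email.utils import parseaddr

# Assumed: your organization's own domain and a known supplier's domain.
TRUSTED_DOMAINS = {"example.com", "partner-supplier.com"}

# Substitutions attackers use to imitate Latin letters (a small subset).
# Multi-character entries come first so "rn" -> "m" is applied whole.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    # Cyrillic а, е, о, р, с, х that render like their Latin twins
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),
    ("\u0440", "p"), ("\u0441", "c"), ("\u0445", "x"),
]

# Matches an email address embedded in a display name, capturing its domain.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def normalize(domain: str) -> str:
    """Fold a domain into a canonical form so look-alikes compare equal."""
    d = unicodedata.normalize("NFKC", domain.lower())
    try:  # expand punycode (xn--...) labels to the characters they encode
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already non-ASCII or not valid IDNA; compare as-is
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 from a trusted domain suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of the domain. Simplification: a real deployment would
    consult the Public Suffix List to handle suffixes such as co.uk."""
    return ".".join(domain.split(".")[-2:])


def analyze_sender(from_header: str) -> dict:
    """Return the parsed address plus a list of spear-phishing indicators."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"address": addr, "domain": "", "findings": ["unparseable From address"]}
    domain = addr.rsplit("@", 1)[1].lower()
    findings = []

    # 1. Display name shows one address while the real one is different,
    #    e.g. "ceo@example.com" <ceo@exarnple.com>.
    m = ADDR_IN_NAME.search(name)
    if m and m.group(1).lower() != domain:
        findings.append(f"display name claims {m.group(1).lower()} but address is {domain}")

    reg = registrable(domain)
    if reg in TRUSTED_DOMAINS:
        # Genuinely our domain (or a subdomain of it). Caveat: the header can
        # still be forged unless SPF/DKIM/DMARC are enforced on inbound mail.
        return {"address": addr, "domain": domain, "findings": findings}

    for trusted in sorted(TRUSTED_DOMAINS):
        if (trusted + ".") in domain:
            # 2. Trusted name smuggled in as a subdomain of someone else's domain.
            findings.append(f"trusted {trusted} used as subdomain of {reg}")
        elif normalize(reg) == normalize(trusted):
            # 3. Same string once homoglyphs are folded away.
            findings.append(f"homoglyph look-alike of {trusted}: {reg}")
        elif edit_distance(normalize(reg), normalize(trusted)) <= 2:
            # 4. One or two edits away: dropped, swapped or added letter.
            findings.append(f"typosquat look-alike of {trusted}: {reg}")
    return {"address": addr, "domain": domain, "findings": findings}


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real incident.
    for header in [
        '"Jane Doe" <jane@mail.example.com>',
        '"ceo@example.com" <ceo@exarnple.com>',
        "Accounts Payable <ap@exampel.com>",
        "IT Helpdesk <it@example.com.secure-login.net>",
    ]:
        result = analyze_sender(header)
        print(header, "->", result["findings"] or "no indicators")
```

An exact match against a trusted domain produces no finding, and that is deliberate: this check only catches look-alikes. A header that claims your own domain outright can still be forged, which is why the check belongs alongside SPF, DKIM and DMARC enforcement rather than in place of it.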

Also, keep a close eye on anything that comes through your ‘contact us’ forms. Requests that ask for financial information, quotes for products to be shipped outside your country, or very expensive products in unusually large quantities are red flags. If you receive something like this, always double-check before sending the quote or the products. Google Maps is your friend: a shipping address that does not match the claimed company’s premises (e.g. a residential address or a freight-forwarding warehouse) is likely fake. If there is no explicit contact information, it is likely fake. When the contact details belong to a real company but the request looks suspicious, or you have never worked with that company before, verify the request using contact details from the company’s own website or your existing records, not the ones supplied in the request. If they don’t know anything about it, it’s FAKE!

The types of attacks are evolving, and to stay ahead of the bad guys we must pay careful attention to everything we do and everything we receive.

Don’t get speared.