By definition, spear phishing is a highly targeted phishing attack. Like any phishing attack, it can be performed over a variety of media – email, SMS, social media, etc. – but spear phishing emails are the most common.
As a type of phishing, spear phishing operates very similarly to other phishing attacks, but the process of crafting the phishing message is a bit different. Also, the design of these attacks means that methods for blocking phishing emails may not be effective, requiring targeted spear phishing defenses.
The main difference between traditional phishing and spear phishing is how targeted the attack is.
Many phishing attacks take a “quantity over quality” approach – phishing emails are sent out to as many potential targets as possible. While each message has a relatively low chance of success, the sheer volume of phishing messages means that even a low success rate can still result in a number of successful attacks. The main advantage of this approach over spear phishing is that it is relatively easy to develop a phishing email with wide applicability by impersonating a well-known brand (Amazon, Netflix, banks, etc.) or taking advantage of current events (Olympics, COVID-19, elections, etc.).
Spear phishing takes a much more targeted approach to selecting and attacking a victim. Instead of casting a very wide net, spear phishing uses a pretext that is specifically targeted at a particular individual or small group. This type of attack requires much more work to build a personalized pretext, but the probability of success is much higher.
An effective spear phishing attack requires a great deal of information about the intended target of the attack. At a minimum, the attacker likely needs to know the target’s name, as well as their place of employment, role within an organization and email address.
While this provides basic targeting information, the attacker also needs data specific to the pretext used by the attack. For example, if the attacker wants to pose as a team member discussing a particular project, they require high-level information about the project, the names of colleagues, and ideally a sample of the impersonated colleague’s writing style. If posing as a vendor with an unpaid invoice, the attacker needs the information required to build a convincing invoice from a plausible supplier.
Collecting this information requires the attacker to perform reconnaissance regarding the intended target. Many of the pieces of information required are likely to be available online. For example, a profile page on LinkedIn or a similar site likely contains job role and contact information for a particular target.
Additional information may be gleaned by inspecting the organization’s website, checking for patents involving the employee, and looking for blog articles that they’ve authored or postings on online forums.
After collecting this information, the attacker can achieve a solid understanding of the target. This understanding can then be used to develop a personalized pretext designed to maximize the attack’s probability of success.
Spear phishing attacks can be highly sophisticated. Since many of them are designed to trick a target into taking a particular action, they don’t require malicious links or attachments to achieve their objective. The only difference between a legitimate payment request from a supplier and a fake one from an attacker may be whether or not the organization actually uses the alleged vendor’s services.
Protecting against phishing emails requires multiple lines of defense. Some best practices to minimize the risks associated with spear phishing include:
Spear phishing prevention is a key component of email security. To see how Check Point’s Harmony Email & Office provides targeted protection against spear phishing attacks, you’re welcome to request a demo.