Spear-phishing is among the most popular cyber-attacks used by criminals today. Find out more about this social engineering attack and how to defend against it

Spear-phishing is a phishing attack that is targeted against an individual

What is spear-phishing?

Spear-phishing is a phishing attack that is targeted against an individual. Spear-phishing emails are designed so that victims trust the message enough to open it and act on it – or to download any malicious attachments.

The UK’s National Cyber Security Centre (NCSC) defines spear-phishing as “where the phisher is deliberately attacking a specific person and has crafted an email containing personal information to make them click”.

Spear-phishing can be broken down further, to include:

  • brand impersonation attacks
  • business email compromise (BEC)
  • blackmail

According to a report (PDF) from security company Barracuda, 83% of spear-phishing attacks rely on brand impersonation, where the attacker’s email seems to come from a well-known organization or from a business application.

BEC involves criminals using stolen or forged email addresses to create the appearance of a legitimate message from a supplier, trusted business partner, customer, or even regulator or law enforcement body.

Blackmail often uses accusations of downloading sexual or compromising material to convince victims to pay money to the attacker.

How does spear-phishing work?

Spear-phishing works by targeting a specific individual or organization.

Conventionally, spear-phishing targets the victim using email, although variations, such as phishing messages over services such as SMS or Skype, and voice phishing (“vishing”) are also a threat.

Spear-phishing attackers are sophisticated. They craft their emails carefully, to maximize the chance of the victim opening the message and trusting its contents.

Attackers will even vary the time of day they send messages, to maximize the chance of the victim opening it. One in five spear-phishing emails are sent on a Tuesday.

In brand impersonation attacks, these often appear to come from a well-known tech company. Google and PayPal are favorite vehicles for hackers. But they can also come from banks, airlines, and other household brands.

Attacks against organizations might claim to be from a trusted contact, such as a manager, customer, the accounts department, or frequently, IT support.

In all cases, the hacker will research the victim, find their contact details, and write an email that appears plausible. They will use social media and other open source intelligence (OSINT) techniques to find out more about the victim – including where they work, who they work with, and their out of work interests.

The payload of a spear-phishing attack can be conventional malware, spyware, or ransomware. But hackers also use the technique to extract confidential and commercially sensitive information, such as personnel records, intellectual property or financial information.

A further driver for attacks is to gain access to IT systems and privilege escalation.

Attackers frequently target systems administrators and other professionals in order to gain the passwords and credentials to break into other systems.

Hackers might use something as simple as a spoof website to harvest victims’ user names and passwords.

How a spear-phishing attack works

  1. Identify email addresses
    Decide who to target and find their email address

  2. Technical evasion
    Research the target company and its defenses. This step may also include researching how to extract information from the company if that is the goal.

  3. Sending the emails
    Register a clean domain name and change Whois info to match target domains

  4. Reap the rewards
    Wait for the target to respond

Source: KnowBe4

How much of a threat does spear-phishing pose?

Spear-phishing is now the most popular cyber-attack used by criminals – as well as one of the most successful.

A recent survey of 100 threat reports (PDF) found that 45 out of 100 attacks started as a spear-phish.

Security vendor Symantec also claims that 71% of threat groups use spear-phishing. The FBI estimates that businesses lost $26 billion in the last three years to just one type of spear-phishing.

Spear-phishing vs. phishing

The difference between spear-phishing and phishing attacks is that traditional phishing attacks use a ‘scattergun’ approach to find their victims, whereas spear-phishing attacks are targeted.

With phishing, attackers can pump out messages in the knowledge (or at least hope) that someone, somewhere will open the email and click on a link, or download an attachment. It is a numbers game.

On the other hand, spear-phishing is laser focused. Criminal groups use research and intelligence gathering techniques to identify their targets. They tailor their messages to maximize the chances of a victim opening the message, and acting on it. This makes it all the more dangerous.

“The main difference between phishing and spear-phishing is that spear-phishing is where the emails are sent to specific selected targets,” explains Javvad Malik, at security awareness company KnowBe4.

“Phishing on the other hand is a generic email sent to a wide range of recipients without any qualification in a scattergun approach.”

Phishing attacks rely on sheer numbers to obtain results. Attackers are not usually concerned about who responds, as long as they hand over information: online account passwords, social security numbers, or banking credentials. These are used for further attacks, or sold on, on the dark web.

Spear-phishing aims instead to steal information from a smaller group of people, maybe in a company, or users of a specific software application. It will attack specific, individual emails.

An attack might be just the start of a campaign: a hacker can use account details, obtained from customer service or IT, to then attack the accounts of senior staff and commit fraud or industrial espionage, or to attack the organization’s customers or suppliers.

Dangers of spear-phishing

The dangers posed by spear-phishing attacks are technical, financial, and personal. These include:

  • theft of personal data
  • theft of credentials for key systems
  • theft of intellectual property
  • obtaining information that is used for an attack on a higher level target

Spear-phishing attacks can also:

  • carry malware and spyware
  • deliver ransomware
  • contain poison links or links to sites that harvest credentials or personal data

And phishing attacks contain a financial risk, such as:

  • wire fraud
  • blackmail and sexploitation
  • theft of financial information and manipulation of stock prices

What is whaling?

Whaling is a variant of spear-phishing that targets key staff in an organization, such as board members, accountants, or senior IT administrators, as well as high net worth individuals and celebrities.

These attacks can be to steal information, for extortion, or even conventional fraud. In one case, the US technology company Ubiquiti Networks lost almost $50 million in an attack that combined spear-phishing and wire transfer fraud.

“Whaling targets are typically more involved in the business process,” says Emil Hozan, security analyst at WatchGuard Technologies. “They have access to more valuable information, such as trade secrets or are involved in financial matters.”

Examples of spear-phishing attacks

High-profile attacks involving spear-phishing include:

  • In November 2020, an investigation by investigative journalists and security researchers uncovered evidence that Vietnamese cyber-spies were targeting dissidents in Germany using spear phishing and other hacking techniques.
  • A new Russian-speaking ransomware gang surfaced in October 2020 with a series of campaigns featuring spear-phishing emails and directed against critical infrastructure and large corporate targets within Russia.
  • DeepSource, an India-based provider of automated code analysis services, was forced to reset developer accounts in July 2020 after an employee’s GitHub account was compromised by the Sawfish phishing campaign.
  • Switzerland’s Computer Emergency Response Team (GovCERT) warned webmasters and domain owners to be on the lookout for targeted phishing email in April 2020, shortly after three successful attacks against local hosting providers.
  • Fears emerged in January 2020 that the personally identifiable information of nearly 200,000 current and former patients of California healthcare network, PIH Health, may have been compromised following a phishing campaign that successfully targeted employee accounts.
  • Bellingcat, an investigative journalism website that specializes in the use of open-source intelligence (OSINT) techniques, said in July 2019 that its reporters had received phishing emails purporting to come from ProtonMail. No account was compromised via the spoofed emails through the attack, which relied on anonymously registered domains.
  • A Toyota subsidiary, Toyota Boshoku Corporation, which lost $37 million (PDF) due to a business email compromise scam in August 2019
  • North Korean attackers targeting US firms involved in nuclear defense, in a campaign called Autumn Aperture, using doctored original documents
  • Spear-phishing attacks against the US utility sector, using malware dubbed ‘LookBack

How to prevent spear-phishing

There is no one, single defense against spear-phishing.

Anti-spam techniques work against random phishing attacks, but spear-phishing and whaling are designed to break through these automated defenses.

Industry analysts Gartner recommend three steps to improve defenses against phishing:

  • Upgrade secure email gateways and controls
  • Build capabilities to detect and respond to suspected attacks
  • Develop standard operating procedures for dealing with sensitive data and financial information

Technical solutions, such as DMARC, to validate email authenticity, are also valuable. Gartner predicts these technologies will become more effective, as a result of machine learning.

Authorities in the UK claim that their Active Cyber Defence initiative has reduced attacks, including phishing.

But user education remains critical. This needs to be an ongoing process, not a one-off activity.

“An email that has insider information or other indicators of authenticity, such as references to a real person, company or brand may fool the average recipient – or even a more sophisticated user,” says Lee Kim, writing in InfoSecurity Professional (PDF), the journal of (ISC)2.

Kim, who is director of privacy and security at HIMSS, recommends that organizations monitor who clicks on phishing emails, so companies can target training and support.

Watchguard’s Hozan, agrees. “Simply put, the best way to stop or prevent spear phishing attacks is user training. Train users on how to identify spoofed emails and malicious domains,” he said.


YOU MIGHT ALSO LIKE Gone phishing: NCSC hails Active Cyber Defence success