Cybercriminals sometimes employ sophisticated strategies in their attempts to steal your money and information. One of these strategies is spear phishing. To mitigate this growing cyber threat, businesses need to know the definition of spear phishing and how to defend against it.
What Are Spear Phishing Attacks?
Spear phishing is a variation of phishing, so it makes sense to start with that term.
Phishing is a technique that hackers use to try to trick individuals into clicking a link or revealing sensitive information by creating fraudulent emails, text messages or websites that often appear to be from legitimate sources. In a fishing analogy, the email or other message is the bait, you are the fish, and the hacker is trying to reel you in.
For example, let’s say you get a security alert informing you that there’s been suspicious activity on your Wells Fargo account, and you need to verify your information immediately – but you don’t even have a Wells Fargo account. This is a phishing attempt. The message is sent out to lots of people, and some of them will probably have Wells Fargo accounts, so they might be more easily tricked. Other phishing attacks might involve fake login webpages or offers of free gifts.
Spear phishing is similar, but it’s more targeted. While a phishing campaign might involve thousands of messages sent out randomly, spear phishing attacks are designed with the individual recipients in mind. This can make these spear phishing messages much more convincing.
A Typical Spear Phishing Attempt
Spear phishing attacks are more personalized than regular phishing attacks. They may include your name. They may also include information that is relevant to you or your business, such as the organizations you do business with or the types of transactions that you would be involved in. They may appear to come from people you know, such as friends or colleagues.
Hackers may have uncovered information about you by hacking into your email or by hacking into the email of someone you know or a company you do business with. They may also get the details they need to launch a convincing spear phishing attack by searching the internet for publicly available information.
The DHS provides several spear phishing email examples. In one, an email that appears to be from the BBB addresses the recipient by name and says there has been a complaint that the company is violating the Fair Labor Standards Act. The recipient is encouraged to click a link to download a file with an explanation. In another, an email appears to be from DocuSign and says that a specific person has shared a file with them, which can be accessed by clicking a link.
These are not the only examples, and attackers may use many other spear phishing techniques. As word spreads about one scheme, spear phishers may move on to the next one.
The Aftermath of a Successful Phishing Attack
In 2021, the FBI’s Internet Crime Complaint Center (IC3) received 323,972 complaints of various types of phishing schemes.
If a phishing attempt is successful, the hackers can use the information or access that they’ve gained in additional schemes. For example, they might use your login information to take over your accounts and steal sensitive information, or they might use your banking information to drain your accounts.
Phishing can also be used to launch ransomware attacks. The IC3 lists phishing as one of the top three techniques that cyber criminals use to infect victims with ransomware, along with Remote Desktop Protocol (RDP) exploitation and exploitation of software vulnerabilities.
Spear Phishing Protection
Spear phishing is a serious threat, so businesses and individuals need to take steps to prevent spear phishing attacks.
- Install updates and security patches as soon as they become available. These patches may fix vulnerabilities that could give hackers access.
- Flag external emails. Hackers may pose as people inside your company and use email addresses that are similar to the ones used in your business. Flagging external emails can give your employees a heads-up that something may not be right.
- Use a spam filter along with security software. These programs can flag suspected spam and phishing emails and send them to a special folder.
Spear Phishing Training: Red Flags to Watch For
Although anti-spam programs may help, some phishing messages may get through. It’s important to know how to spot red flags that could indicate a phishing attempt. Individuals should know these red flags so they can protect their own accounts, and businesses should make sure that all workers are trained on how to avoid spear phishing.
These pointers can help people avoid falling victim to phishing scams:
- Think twice before clicking a link or providing sensitive data. The sender may be posing as a person you know or a company you do business with. The sender may know your name or other details about you. Don’t be fooled by these common tricks.
- Check the email address or URL. If it doesn’t match the official email address or URL associated with the sender – even if it’s just off by one letter – it’s probably a phishing attempt. Note that the text displayed may not match the URL you’re actually being directed to.
- Look for spelling and grammar mistakes in the email. If an official email from a company is littered with errors, it may be a phishing attempt.
- Don’t let yourself be rushed into mistakes. Hackers often try to make their requests as urgent as possible to trick recipients into acting without thinking. Slow down and think.
- Question requests for information. Your bank shouldn’t contact you asking for your bank account information. The IRS shouldn’t contact you asking for your Social Security Number. If someone contacts you and asks you to provide sensitive information – often under the pretense of verifying your identity – it’s probably a phishing attempt.
- When in doubt, don’t click or respond. Instead, verify whether the message is legit using other means. For example, let’s say you get a weird email with a link from a coworker. You trust the coworker, but this doesn’t mean the email is legit. It’s possible your coworker’s account has been hacked. Instead of clicking, call or walk over to your coworker to ask about the email. Likewise, if you get a worrisome email about a problem with your bank account, don’t click the link or call the number provided. Instead, look up the bank’s phone number and call to see if there really is a problem.
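An added example, not part of the original article: one way a mail filter could automate two of the checks above, flagging senders that are external or one letter off a trusted domain, and links whose visible text names a different host than the actual URL. The trusted-domain list, function names and sample message are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumptions: this organization's trusted domains; constructed sample message parts.
TRUSTED_DOMAINS = {"example.com", "example.org"}
SAMPLE_FROM = "Accounts Payable <ap@examp1e.com>"
SAMPLE_BODY = '<a href="http://login.example.net/verify">www.example.org</a>'

def edit_distance(a, b):  # Levenshtein distance between two strings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):  # 'trusted', 'lookalike' (one character off) or 'external'
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(edit_distance(domain, t) <= 1 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "external"

class LinkAuditor(HTMLParser):  # collects links whose visible text names another host
    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, "", []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", self.text.lower())
            shown = m.group(1).removeprefix("www.") if m else None
            actual = (urlparse(self.href).hostname or "").removeprefix("www.")
            if shown and shown != actual:
                self.mismatches.append((shown, actual))
            self.href = None

def audit_links(html_body):
    auditor = LinkAuditor()
    auditor.feed(html_body)
    return auditor.mismatches
```

A "lookalike" or "external" result is a reason to add a warning banner or quarantine the message for review, not proof of phishing; link text without a hostname (such as "Click here") is not compared.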
What to Do If You Receive a Spear Phishing Attempt
If you receive a spear phishing message, don’t respond to it or click on any links.
- Depending on your email or text provider, you may be able to flag the message as spam.
- You can forward phishing emails to the FTC at [email protected] or at ftc.gov.
What to Do If You Fall for a Spear Phishing Scam
If someone in your company clicks on a malicious link or provides sensitive data, you need to take quick action to limit the damage.
- Create a company policy detailing how to respond to spear phishing attacks. Workers should notify their company immediately, and procedures should be in place to protect accounts and notify customers or vendors that may be impacted.
- Change any compromised passwords and contact any people or organizations involved. For example, if you provided your bank account information to a hacker, notify your bank immediately.
- If you have been the victim of a spear phishing scam or other cybercrime, you can report it to the IC3.