Phishing and spear phishing are both common forms of email attacks. Just like fishing, the attacker uses emails to lure a victim into clicking on a malicious link or attachment. The difference between the two is in how a victim is targeted. Phishing is a non-specific attack, while spear phishing is a type of phishing attack targeted at one specific individual.
Different Types of Lures
Phishing emails are sent to a large number of recipients at random, with the expectation that a few people will respond. Think of this like trawling - a fisherman casts a wide net into the ocean with the intent on catching many fish, not one specific fish. Some fish might avoid the net, and others won’t, but either way, something is likely to be caught.
Spear phishing is targeted at a single person, using information gathered from social media or other public information. Personalized bait is used to catch a specific fish. Remember the scene in Ocean’s 8 where access to security cameras was needed to pull off the heist? They targeted one specific person in the organization who had the right credentials and used information gained from him. He was obsessed with Wheaten Terriers and took his own dog to competitions. All they needed was to create an invitation to a show containing a malicious link to gain access to his camera. The invitation was a very personalized lure, based on things he had an interest in, he didn’t question the invite at all, he just clicked on the link, thus allowing them access to his computer.
Gone Phishin’ – How Does It Work?
Mass phishing involves using automated off-the-shelf kits to gather credentials using fake login pages for banking or email services. These can be used to spread malware or crypto mining software.
Standard phishing is much more common and much less effort than spear phishing.
Spear phishing campaigns used to contain the malicious documents attached to the email, but attackers have had to adapt to changing awareness around their methods. Malicious documents are now placed on legitimate sites like Dropbox, Google Drive or OneDrive. These sites are less likely to be blocked by the IT department.
Social media like LinkedIn and Twitter can tell an attacker a lot about the hierarchy and job descriptions of people in an organization, while Facebook and Instagram can provide personalized insight into a target’s life. The combination of this personal and professional information gives the attacker a detailed picture of how best to form a credible attack.
Spear phishing attempts use a mix of the psychology of trust and a sense of urgency to bait victims.
Both of these attacks can also be done using texting or voice calls. These are known as smishing and vishing and follow similar patterns to email-based attacks.
Who Is At Risk?
CEOs are at risk of being impersonated, as the authority of their job usually coerces the victim into following instructions without thinking.
Likewise, executives are more at risk because the busy, demanding nature of their jobs, and the pressure that comes with it might make them pay less attention to what could be a phishing attack.
Human Resource departments can be targeted to convince them to change payroll banking details from an employee’s details to the attacker’s details.
Attackers can pretend to be suppliers and request a change in invoicing details.
How to Prevent Getting Hooked
Train your users to spot potential spear phishing emails and delete them. When in doubt, contact the apparent sender directly, and be wary of attachments you haven’t requested.
Check the spelling of the ‘from’ part of the email, as it is often spoofed to look like a trusted domain.
Look closely at the wording and terminology of the email. If it isn’t written like the sender would normally write it, consider that a red flag.
Use spam filters, malware detection, and antivirus on all devices.
Have a system in place for all potential phishing attacks to be reported so others in the organization can be warned.
Phishing attacks are difficult to stop as even a well-trained, aware user will have moments of distraction. Technical solutions and user training go hand-in-hand to render an attack dead in the water.