Everyone will at some point see a standard phishing email. Be it the 409 Scam (Nigerian Prince) or even a fake password reset, these are pretty easy to spot, and most people delete it without flinching. However, for the select few who have been on the receiving end of a spear phish, it's often a more memorable experience.
A spear phish or spearphishing attack is an advanced form of phishing that targets a specific person or group within an organization. It typically involves email spoofing to appear as if the email was sent from a trusted sender, and then encourages the victim(s) to click a link or respond to an email that contains no link. Occasionally this may also include a malicious attachment, but the former is more common. However, the reason that spear phishing is so effective is because of the social engineering involved.
Phishing is social engineering using digital methods for malicious purposes. And spear phishing is just that much more effective because it involves a great deal of research on the intended target, and then uses that information to breach a network or for financial gain. It's often the number one weapon of choice by threat actors that lead to a successful Business Email Compromise (BEC) attack.
Let's take a look at a recent spear phishing campaign we conducted for a client to test their security vigilance. The victim is an executive at a global retail organization. Our threat actor, a member of our security awareness training team, Sam, compiled a great deal of research on the target and started out simple. Posing as the victim's superior, and visibly spoofing his name and email address, he pushed out an email that contained a link to a simulated phishing threat.
There are two red flags that should have resulted in pause: Sam's name is clearly at the top, which looking at the header of the email and expanded details would show something was fishy and the second is the external tag.
The result? The victim clicked on the link and forwarded it to other executives, further propagating the attack. It's not a surprising result, especially because our training team are some of the most devious fake threat actors in the business, but if it were a real attack, that global retailer would be in some big trouble. By developing a culture of security vigilance, organizations can reduce the risk of spearphishing attacks resulting in successful breaches or financial wire transfers.
The Basic Spear Phish
The following are some of the common approaches that a threat actor will employ a spearphishing campaign.
- Choose a target and research them
- Spoof email to appear as superior or colleague of victim
- Craft brief, but specific message that is likely to be a normal request
- Ensure the message has a sense of urgency that prevents confirming details
- Victim complies with request
- Threat actor breaches network or receives financial wire
For financial scams, typically a threat actor will target a comptroller, accountant, or someone with known access to paying vendors. The threat actor can do anything from sending a fake invoice to the more fishy request for gift cards.
Threat actors that want to breach a network will often include a link to a document or other gated piece of information. That link will go to a phishing site designed to mirror that of something the victim uses regularly or looks trustworthy, where they will then unknowingly hand-deliver their credentials to the threat actor.
How to Handle Spear Phishing Attacks
If you spot something fishy (phishy) in your inbox, all you need to do is PAUSE.
PAUSE stands for:
Plausibility: Does the request make sense? Is there an unnecessary level of urgency in the request? If something is off, report it.
Attachments: Were you expecting an attachment? If not, report it and confirm with the sender.
URLs: Hover over a URL before you click on it. If it's a document or to a financial site, be sure it's an official website. Just because it uses HTTPS does not make it secure.
Sender's address: Does the email address appear totally legit? If not, it's a phish.
Ensure: When in doubt, do not reply to the email in question, use out of band communication to confirm the suspicious request. This can be face to face, your internal messaging platform, or starting a new email thread.
At PhishLabs, we also offer SOAR, a capability under Email Incident Response, that can also proactively remove future threats and existing threats from user inboxes after the threat has been confirmed. Confirmed indicators can even come from other organizations that have reported it, which on occasion happens when threat actors use similar tactics in an attempt to get iTunes gift cards. For some time there was a CEO scam going around that targeted numerous companies in the U.S., primarily with the same initial messaging, all in an effort to get some gift cards.
Stay tuned as we dig further into BEC attack and our forthcoming webinar focused on the topic.