According to Verizon’s 2022 Data Breach Investigations Report, 82% of security breaches last year involved a human element such as stolen credentials, misuse, simple user errors, and social engineering. Social engineering attacks such as phishing that exploit human behavior are increasingly successful and becoming more sophisticated.
In some cases, threat actors thoroughly research and design phishing attacks with specific targets in mind. These are spear phishing attacks, and they have serious consequences for organizations on the receiving end.
This article looks closely at spear phishing: how these attacks typically work, how to identify them, the differences between spear phishing and other phishing attacks, and how organizations can defend themselves against them.
What Is Spear Phishing?
Spear phishing is a social engineering attack targeting specific individuals or organizations, typically via malicious emails. The threat actor carefully researches the target so that the email appears to come from a trusted sender.
Spear phishing emails typically use various social engineering techniques that convince the recipient to open a malicious link or attachment. Once the target complies, the attacker can achieve their initial goal.
Like phishing attacks, spear phishing attacks typically aim to:
- Extract personal information: Some spear phishing emails seek personal information from recipients, such as login credentials, banking information, or credit card numbers.
- Install malware: Other spear phishing emails deliver malware to recipients hoping they will download it onto their devices.
Unlike phishing scams, which cast a wide net, spear phishing is more sophisticated and coordinated. These attacks often rely on using familiar, personalized information to infiltrate organizations with customized traps.
Spear Phishing Attack Examples
Spear phishing is a particularly effective type of cyberattack because it relies on social engineering techniques to trick victims into revealing sensitive information or taking actions that allow hackers to gain access to their systems.
One example of a spear phishing attack is the 2021 attack targeting Ukrainian government agencies and NGOs. A Russian government-linked cyberespionage group known as Gamaredon posed as trusted contacts and used spear phishing emails that contained malware-laced macro attachments. The emails also included a tracking “web bug” to monitor whether messages were opened. Although the ultimate objective of this spear phishing attack is still unknown, the malware family used is commonly associated with data exfiltration from compromised hosts.
Another example of a spear phishing attack is the one that targeted Puerto Rican government agencies in 2020. A threat actor hacked into the computer of an employee at the Employee Retirement System and sent emails to various government agencies alleging a change in bank accounts. An employee from the Puerto Rico Industrial Development Company sent $2.6 million to a foreign account believing it was a legitimate bank account.
How Does Spear Phishing Work?
Threat actors rely on reconnaissance to increase the likelihood of a successful attack. As a result, spear phishing emails are often challenging to spot.
Spear phishers may frequent social media sites such as Facebook or LinkedIn to gather personal information about their target. Some threat actors even map out their target’s network of personal and professional contacts for additional context when crafting a “trustworthy” message. Sophisticated attackers even use machine learning (ML) algorithms to scan massive amounts of data and identify potentially lucrative targets.
Once equipped with enough personal information about their target, spear phishers can create a seemingly legitimate email that grabs the target’s attention. In addition to being personalized, spear phishing emails often employ an urgent tone of voice. This dangerous combination can cause recipients to let down their guard.
Here are the typical steps often involved in spear phishing attacks:
1. Information Gathering (Bait)
Finding personal information online can require very little effort. In many ways, social media’s popularity has contributed to the success of spear phishing attacks over recent years.
For example, LinkedIn profiles can contain places of employment and lists of coworkers. Even if a LinkedIn profile doesn’t publicly display an email address, it can make it easier for threat actors to find that information.
Other threat actors may use scripts to harvest email addresses from prominent search engines or lead-generation platforms to find the email addresses employees use for work. In some cases, threat actors may simply attempt to guess email addresses using standard work email conventions, such as a first-name.last-name address at the company’s domain.
In addition to the target’s email address, threat actors will also research the target’s organization and attempt to find out what software they may use.
2. The Request (Hook)
Once an attacker acquires the necessary information on their target, they can use it as bait to lure the target into performing the desired action (e.g., clicking a malicious link or downloading a malicious file).
For a spear phishing email to arrive in the target’s inbox, the email must first get past any antivirus software. A quick search of the target’s organization can reveal which antivirus product, and which version of it, the employer uses. With this information in hand, threat actors can tailor the email to bypass those defenses.
One common request tactic involves using fake invoices. In this scenario, a threat actor may send an email from a “trusted” source that says there’s a problem with an invoice. They may provide a link to a digital form and ask the target to add the correct information.
Although the digital invoice isn’t legitimate, it may look identical to the one the target typically uses to input financial information. Once the threat actor has the invoice payment information, they may use it to steal funds or sell that information on the dark web.
3. The Attack (Catch)
Threat actors are poised to attack once their bait and hook are both successful. Suppose the recipient provides confidential information (e.g., login credentials or payment information). In this case, attackers may use it to access networks and systems, elevate privileges, steal or compromise additional data, or even sell sensitive information on the dark web.
If the recipient installs malware, attackers may use it to capture keystrokes, block access to files, or exfiltrate data and hold it for ransom.
Spear Phishing vs. Phishing vs. Whaling
Although spear phishing, phishing, and whaling rely on similar social engineering techniques for success, there are some essential distinctions between each type of attack.
Like spear phishing, phishing attacks aim to trick targets into divulging sensitive information, such as usernames and passwords, bank account information, credit card numbers, or Social Security numbers. These attacks often prioritize quantity over quality and usually have a lower barrier to entry than other types of social engineering attacks.
However, the messaging in phishing emails is often quite generic. Threat actors often send phishing emails to a large group of random individuals or organizations to increase the chances that even a single recipient will fall victim to the scam.
Although potentially less lucrative than spear phishing, all types of phishing attacks can be exceedingly costly for the victims. Other types of phishing can include smishing, vishing, clone phishing, domain spoofing, URL phishing, watering hole phishing, and evil twin phishing.
Whaling attacks are even more specific than spear phishing attacks. These attacks target high-profile individuals – aka a company’s “big fish.” Whaling attacks target individuals with access to more sensitive data such as C-suite executives, board members, or even celebrities.
Since whaling attacks target high-value victims, they often yield high-value results. This type of attack effectively cuts out the middleman, since the targets of whaling attacks often have the authority to make direct wire transfers. This eliminates extra steps an attacker might otherwise take to reach their objective, which reduces their chances of detection.
Whaling attacks can also have more significant consequences for individual targets. In many cases, the “whales” successfully harpooned by an attacker may be fired or forced to resign due to carelessness.
Spear Phishing Types & Examples
A closer look at spear phishing examples may help illustrate how threat actors typically implement the above steps.
Threat actors may send emails containing a direct request for information or funds. These requests can also include links or attachments, but the goal of these emails is to glean sensitive information directly from the recipient.
For example, the town of Franklin, Massachusetts, accidentally misdirected a payment of US$522,000 in 2020 after threat actors persuaded an employee to provide secure login information.
Threat actors may also send emails containing links to spoofed websites. The spoofed website might imitate the layout of a reputable site to trick the target into divulging confidential information such as account credentials or financial information. The threat actor can then use that information to steal directly from the target, use the target’s credentials to access enterprise networks or systems, or sell that information on the dark web.
For example, since the introduction of PayPal, there has been a sharp increase in fraudulent email messages alerting users that someone has purchased something with their PayPal account. Clicking the link in these emails often takes the recipient to a spoofed PayPal website where threat actors can steal any login information entered.
Malware attachments often come in the form of a fake invoice or delivery notification. The attacker may urge the recipient to open it as quickly as possible to avoid negative consequences. Once the recipient opens the attachment, it can deliver malware to the target’s device, which can then spread to the network and other devices.
For example, North Korea’s Lazarus Group has an ongoing campaign using lures for open positions at Crypto.com to distribute macOS malware.
How to Identify a Spear Phishing Attack
The best way to prevent a spear phishing attack is to identify a spear phishing email before clicking any links or opening any attachments. Becoming familiar with the indicators of a spear phishing attempt can help organizations and their employees avoid the consequences of a successful attack.
Here are some common red flags that may indicate a spear phishing attack:
Examine incoming emails to determine if they come from legitimate senders. Common signs the sender may be performing a spear phishing attack include:
- An unrecognized email address or sender.
- An email address outside the recipient’s organization.
- An email address from a sender inside the organization with which the recipient doesn’t typically communicate.
- An email address from a suspicious domain.
Next, look to see who else is on the recipient list. Indicators of a spear phishing email may include:
- A recipient list containing other unrecognized email addresses.
- A recipient list with an unusual mix of people (e.g., a random group of recipients or a group of recipients whose last names all start with the same letter).
Date & Time
Check to see when the sender sent the email. Signs of a spear phishing email could include:
- An email sent on an unusual date (e.g., a weekend or a holiday).
- An email sent at an unusual time (i.e., outside usual business hours).
The subject line of an email can tell a recipient a lot about whether or not the email is fake. Spear phishing emails may contain the following:
- An unusually urgent subject line.
- A subject line that is irrelevant or does not match the rest of the email.
- A reply to something never sent or requested.
Hyperlinks & Attachments
Before clicking links or downloading attachments in emails, look for common signs of spear phishing, including:
- A hyperlink whose destination, shown when the mouse hovers over it, points to a different website than the displayed text.
- A long hyperlink with no further instructions.
- A hyperlink with typos that are not obvious at first glance.
- An email attachment that is unexpected or doesn’t make sense in the context of the email’s content.
- An attachment with a possibly dangerous file type.
- An attachment with no further instructions.
If everything else checks out, look closely at the email’s content. Spear phishing emails are often well-crafted, and since they are also personalized, it can be challenging to identify them based on content alone.
However, keep in mind the following indicators of a spear phishing email when reading the message’s body:
- The email has an unusual sense of urgency.
- The email requests sensitive information.
- The email asks the recipient to click a link or open an attachment to gain something valuable or to avoid a negative consequence.
- The email contains spelling or grammar mistakes.
- The email contains unsolicited links or attachments.
- The email attempts to panic the recipient.
How to Defend Against Spear Phishing Attacks
Here are some spear phishing tips organizations can use to strengthen their cybersecurity defenses.
Recognize the Signs of Spear Phishing
The best way to prevent any phishing attack is to identify a phishing email before anyone clicks a link, downloads an attachment, or takes any other requested action.
If a target’s first instinct is that an email is fake or attempting a scam, they’re probably right. Start by checking the legitimacy of the sender. Then, attempt to verify the claims within the email directly with the source. Next, examine the email’s content and look for the signs of spear phishing (listed in the above section). If the email appears phony upon further inspection, report it to appropriate team members.
Provide Security Awareness Training
Remembering to closely examine every email to recognize the signs of spear phishing can take time and effort. Providing security awareness training for employees can help them develop the skills necessary to spot, avoid, and report phishing emails regularly.
These programs are vital as an increasing number of employees work from home. However, even the best-trained and most security-aware employees may fall for phishing emails in a hurry or if the email is persuasive. Phishing simulations can help employees practice what they learned during security awareness training. This exercise will also help organizations measure how well their employees understand phishing attacks to improve their training courses.
Conduct Regular Research
Proactive investigations may help organizations identify suspicious emails with content commonly used by attackers (e.g., subject lines referring to password changes). Companies can regularly patch, properly configure, and integrate remote services, VPNs, and multi-factor authentication solutions.
Organizations can also scan properties of received email messages (including the Attachment Detail property) for malware-related attachment types and automatically send them to be analyzed for additional malware indicators.
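The red flags listed in the identification section above and the attachment-type scanning described here can be turned into a first-pass triage script. The following is an added example, not SentinelOne code or a tool the page describes: it parses one raw email with Python’s standard library and reports which indicators it trips (external or lookalike sender domain, weekend or off-hours send time, hyperlink text that disagrees with the link target, urgent or credential-seeking wording, and an attachment type that commonly carries macros or executable code). ORG_DOMAIN, the business-hours window, the keyword lists and the sample message are constructed assumptions that a deploying team would tune to its own environment.

```python
# Heuristic triage of one raw email for the spear-phishing red flags discussed on this page:
# sender domain, date & time, hyperlink mismatch, risky attachment type and urgent wording.
# Added example, not SentinelOne code. The sample message is constructed; ORG_DOMAIN, the
# business-hours window and the keyword lists are assumptions to tune per environment.
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"      # assumed: the defending organization's domain
BUSINESS_HOURS = range(8, 18)   # assumed: 08:00-17:59 in the Date header's own time zone
RISKY_EXTENSIONS = {"exe", "js", "vbs", "scr", "hta", "lnk", "iso", "docm", "xlsm"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "final notice", "account suspended")
CREDENTIAL_WORDS = ("password", "login", "verify your account", "bank account", "wire transfer")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simple HTML only


def _registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the .com/.test names used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message):
    """Return the red flags raised by one RFC 822 message (empty list = nothing unusual)."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    # Sender: outside the organization, or a near-miss lookalike of our own domain
    sender_dom = _registered_domain(parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2])
    if sender_dom != ORG_DOMAIN:
        flags.append("SENDER_EXTERNAL")
        if 0 < _edit_distance(sender_dom, ORG_DOMAIN) <= 2:
            flags.append("SENDER_LOOKALIKE")
    # Date & time: sent on a weekend or outside business hours
    if msg.get("Date"):
        sent = parsedate_to_datetime(str(msg["Date"]))
        if sent.weekday() >= 5 or sent.hour not in BUSINESS_HOURS:
            flags.append("OFF_HOURS")
    # Body: (anchor text, href) pairs from HTML, bare URLs from plain text, then visible text
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        links = [(re.sub(r"<[^>]+>", "", t).strip(), h) for h, t in ANCHOR_RE.findall(text)]
        text = re.sub(r"<[^>]+>", " ", text)
    else:
        links = [(u, u) for u in re.findall(r"https?://\S+", text)]
    # Hyperlinks: anchor text that reads as one site while the href points at another
    for shown, href in links:
        m = re.search(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)", shown)
        href_dom = _registered_domain(urlparse(href).hostname or "")
        if m and href_dom and _registered_domain(m.group(1)) != href_dom:
            flags.append("LINK_TEXT_MISMATCH")
            break
    # Subject and content: urgency and requests for sensitive information
    combined = (str(msg.get("Subject", "")) + " " + text).lower()
    if any(w in combined for w in URGENCY_WORDS):
        flags.append("URGENT_LANGUAGE")
    if any(w in combined for w in CREDENTIAL_WORDS):
        flags.append("REQUESTS_CREDENTIALS")
    # Attachments: file types that commonly carry macros or executable code
    for part in msg.iter_attachments():
        if (part.get_filename() or "").rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS:
            flags.append("RISKY_ATTACHMENT")
            break
    return flags


# Constructed sample: lookalike sender, Saturday night, disguised link, macro-enabled attachment
SUSPICIOUS_EML = """\
From: IT Helpdesk <helpdesk@examp1e.com>
To: alice@example.com
Date: Sat, 11 Mar 2023 23:14:00 +0000
Subject: URGENT: your password expires tonight
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Reset it immediately at <a href="http://portal-example-com.attacker.test/login">https://portal.example.com</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

AAAA
--b1--
"""

if __name__ == "__main__":
    print(triage(SUSPICIOUS_EML))
```

Run stand-alone, the constructed sample trips all seven flags, while an internal plain-text message sent on a weekday with an intranet link raises none. Anchor text that is not itself an address (“click here”) is deliberately left unflagged, because the indicator on this page is a visible address that disagrees with the hover target; the regex anchor extraction is adequate for simple bodies and would be replaced by a real HTML parser in production.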
Implement Security Tools to Help
Fortunately, there are tools available to help prevent spear phishing emails from ever reaching a target’s inbox. While email providers may build some of these tools into their platforms, without additional layers of security it is still likely that some phishing emails will reach employees.
An extended detection and response (XDR) platform, for example, can actively monitor every layer of a network to catch malware before it does any damage.
Prevent Spear Phishing Attacks with SentinelOne
SentinelOne’s Singularity XDR platform helps organizations see, protect, and resolve security incidents, including spear phishing attacks before they unfold.
With Singularity XDR, organizations can eliminate blind spots so security teams can see data collected by disparate security solutions from all platforms in a single dashboard.
SentinelOne’s behavioral engine tracks all system activities across environments, detecting techniques and tactics that indicate malicious behavior and automatically correlating related activity into unified alerts.
A single, unified platform for extended threat detection, investigation, response, and hunting, Singularity XDR provides:
- A single source of prioritized alerts that ingests and standardizes data across multiple sources.
- A single consolidated view to quickly understand the progression of attacks across security layers.
- A single platform to rapidly respond and proactively hunt for threats.
Discover how SentinelOne protects some of the world’s industry-leading organizations from spear phishing attacks, and sign up for a demo today.