What is Spear-Phishing and What Can You do to Not Fall Victim to it?


Phishing is now a widely understood term, but some of its variants are less well known. Spear-phishing is a targeted form of phishing that singles out a specific individual or organisation with the aim of obtaining confidential information of particular value.

It has been estimated that around 65 percent of cybercriminal groups use this method to obtain the compromising information they want from their victims.

What defines spear-phishing? 

In standard phishing, an attacker sends a fraudulent message, typically by email, to a large group of victims. The campaign is often automated and usually masquerades as coming from a trusted source such as a large company.

What differentiates standard phishing from spear-phishing is that the latter is directly targeted and tailored towards its victim. The attacker will do a significant amount of reconnaissance on their victim to make their spear-phishing attack appear as genuine as possible. 

The individual will be researched extensively online through the channels available to the threat actor, such as social media and company websites, and sometimes through messages sent directly to the victim or to their colleagues and family members.

High-level executives and staff in finance departments are frequent targets of spear-phishing because they are high-value: they have access to the data, or the authority over payments, that the attacker wants.

The reconnaissance also identifies people the target trusts, such as their boss or a friend, whose identity can be spoofed to fool the victim into divulging sensitive information.

The attacker will also study the design and format of the organisation's normal emails so that the message looks genuine, and will often register a fraudulent look-alike domain to send it from.

The spear-phishing process 

  1. The cybercriminal identifies the data they want – this could be financial records, lists of employee data, or a username and password.
  2. The individual who has this data is identified – research is conducted on an organisation or on individuals, perhaps through company websites or social media.
  3. Information about this individual is researched – the attacker works out how this person can be approached and exploited, including who they have relationships with, since those people's identities can be spoofed.
  4. The cybersecurity defences in place are identified – potential obstacles to the attacker's aim are found and weaknesses are searched for.
  5. The email to be sent to the victim is crafted – this involves creating a fake email address and often a fraudulent domain, and replicating the format the organisation normally uses in its email communication.
  6. The spear phisher convinces the victim to share the targeted data – which is then used for fraud and other criminal activity.

Ways to spot a spear-phishing attempt 

Spear-phishing attacks are more likely to appear genuine because of the amount of research that goes into them. However, the common characteristics of phishing emails also apply to spear-phishing attempts.

  • Urgency is a common trait of these attacks – the victim is told to act immediately so that they panic and do not take time to consider whether the message could be fraudulent. The request will also typically ask for something that goes against company policy, such as making a payment or sharing credentials outside the normal process.
  • Errors in the email address – the attacker will make the address look as genuine as possible, perhaps by changing a single character or substituting look-alike characters (rn for m, 1 for l, 0 for o), and will rely on the display name to carry the deception. Look at the actual address behind the display name and check that the domain is the real one rather than a close copy.
  • Errors in information – although considerable research may have gone into the attempt, it is hard to get every detail right. If the email seems suspicious, check whether anything you are being told is inaccurate.
  • Poor grammar or unfamiliar tone – this is very common in phishing attempts. Check whether the grammar and spelling are worse than usual, and consider whether the tone is unusual for the supposed sender.
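The address check above can be partly automated. The following Python script is an added example, not code from the original post: it takes a From header and a list of domains the reader trusts, and flags addresses that impersonate one of them through a one-character edit, a look-alike character substitution, a trusted name embedded in an unrelated domain, or a display name that claims a trusted identity while the actual address lives elsewhere. The allow-list, the homoglyph table and the sample headers are assumptions constructed for the example.

```python
"""Heuristic look-alike sender checks.

Added example, not code from the original post. TRUSTED_DOMAINS, the
HOMOGLYPHS table and the sample headers are assumptions constructed for
illustration; a real deployment would load its own allow-list.
"""
from email.utils import parseaddr

# Hypothetical allow-list of domains the reader's organisation trusts.
TRUSTED_DOMAINS = {"example.com", "example-bank.co.uk"}

# ASCII substitutions that read as the real character in common fonts.
# (Unicode/IDN homoglyphs such as Cyrillic letters are not handled here.)
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Fold look-alike substitutions back to the characters they imitate."""
    folded = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return a verdict ('trusted', 'suspicious' or 'unknown') and the reasons behind it."""
    header = from_header.strip()
    if header.lower().startswith("from:"):
        header = header[5:]
    display_name, address = parseaddr(header.strip())
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # Exact matches and genuine subdomains (mail.example.com) are trusted.
    if domain in trusted or any(domain.endswith("." + real) for real in trusted):
        return {"address": address, "verdict": "trusted", "reasons": []}

    reasons = []
    for real in sorted(trusted):
        if normalise(domain) == real:
            reasons.append(f"look-alike characters: {domain} reads as {real}")
        elif edit_distance(domain, real) == 1:
            reasons.append(f"one-character edit of {real}: {domain}")
        elif real in domain:
            reasons.append(f"trusted name {real} embedded in unrelated domain {domain}")
        # The display name is attacker-controlled text; a trusted brand there
        # with an untrusted address is the classic spoof the mail client hides.
        label = real.split(".")[0]
        if label in display_name.lower():
            reasons.append(f"display name {display_name!r} claims {real} but address is {address}")

    return {"address": address, "verdict": "suspicious" if reasons else "unknown", "reasons": reasons}


# Constructed sample headers, not real mail.
SAMPLE_HEADERS = [
    'From: "Jane Doe" <jane.doe@example.com>',
    'From: "Jane Doe" <jane.doe@exarnple.com>',
    'From: "Finance Team" <finance@examp1e.com>',
    'From: "Bob Smith" <bob@examplle.com>',
    'From: "Example Bank Support" <support@outlook-mail.test>',
    'From: <billing@example.com.invoices-portal.net>',
    'From: <newsletter@unrelated.org>',
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = classify_sender(header)
        print(f"{result['verdict']:10} {result['address']}")
        for reason in result["reasons"]:
            print(f"           - {reason}")
```

Two points are worth noticing when running it. First, "exarnple.com" is two edits away from "example.com", so a plain edit-distance check misses it; only folding the rn/m substitution catches it, which is why both checks are needed. Second, these are heuristics: an "unknown" verdict means the address imitates none of your trusted domains, not that it is safe, and an attacker who has compromised a real mailbox will pass every check here. The script narrows down what deserves a closer look; the out-of-band confirmation described later in this post is still the decisive step.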

Protecting yourself from spear-phishing attacks 

  • Refrain from clicking on suspicious links or attachments in emails. Is it unusual for this person to send them? If so, do not open them without first taking time to consider the risks.
  • Consider how much personal information you share online. What is posted about you on social media is an easy source of material for a spear-phisher. Limit unnecessary sharing of sensitive information and use the privacy settings these sites offer.
  • Check using a different communication channel. If the request is unusual, or asks you to divulge sensitive information or move money, confirm it with the supposed sender through a channel you already trust, such as a phone number you have on file or a face-to-face conversation, rather than by replying to the message or using contact details it contains. This is how you make sure you are not being made the victim of fraud.
  • Ensure security software is installed and up to date. This includes spam filters and antivirus software. Bear in mind that these are tuned to catch bulk campaigns; a one-off, well-crafted spear-phishing email with no known-bad link or attachment can pass through them, so they are a safety net rather than a complete defence.
  • If you are a business, security awareness training for employees is crucial to avoiding social engineering attacks such as spear-phishing. These attacks cannot always be stopped by technical defences; behavioural training that teaches staff how to recognise spear-phishing attempts, and gives them a clear route for reporting suspicious emails, is what closes the gap.

With greater understanding and knowledge of cyberthreats such as spear-phishing, you can reduce the associated risks.
