Not all phishing is created equal. Social engineering attacks, of which spear phishing is a subset, use a variety of methods and tactics for landing their catch. Spear phishing involves the very specific tailoring of phishing attacks to known individuals or organizations.
What is Spear Phishing?
If an average phishing attack relies on chumming the waters (or email inboxes) with lots of bait in the hope of generating a few bites, spear phishing is the equivalent of Captain Ahab chasing his white whale across the Seven Seas.
This highly-targeted version of a phishing attack uses many of the same methods, but is typically backed by more research, expertise, and persistence. The thinking goes that, by targeting a specific individual or company, a more detailed attack will lead to a greater chance of success and the attacker reaping greater rewards.
Phishing vs Spear Phishing vs Whaling
While Phishing, Spear Phishing, and Whaling all share core characteristics, they differ widely in scope and the amount of specific information they include.
Phishing attacks, for example, cast as wide a net as possible by leveraging impersonal details that apply to broad populations. These were historically low-effort, low-success attacks characterized by amateurish spelling mistakes, poorly spoofed company templates, and downright outlandish claims. It must be mentioned, however, that phishing attacks are getting harder to spot and easier to produce.
As mentioned previously, spear phishing attacks are more targeted versions of phishing attacks. The additional research and attention they require means they are typically delivered at a lower volume. They are more likely to claim to come from a partner organization or place the target frequents rather than from a widely used service like Apple, Google, or Amazon.
Whaling is the term used for a specific type of spear phishing attack. Again characterized by high preparation and low delivery volume, whaling attacks target high-level decision makers, often at the C-level or above. For a social engineering attack to be considered whaling, it would need to include a specific recipient's name, title, and other contact details. These attempts also often display some awareness of actual business happenings within an organization for increased legitimacy.
How Spear Phishing Works
Because these attacks are thoughtfully designed and narrowly tailored to the target, they often rely on publicly available information, much of which can be found on social media sites like Facebook, Twitter, or LinkedIn. Using details gathered on these sites, cybercriminals can use email addresses, social contacts, geographic location, and information gleaned from public posts to lend credibility to their message.
It's important to note that, in addition to email and over the phone, spear phishing attacks are often delivered via social media. They can come from strangers offering a plausible reason to connect, or through DMs delivered by the hacked accounts of trusted senders.
The Characteristics of a Spear Phishing Attack
Spear phishing attacks are usually delivered with a sense of urgency and include a call to action to increase the chances a target will provide information without taking the time to think critically about the message or its sender.
Common examples of these attacks include:
Fake Better Business Bureau complaints encouraging you to “Click here to respond or contest this complaint.”
Fake internal communications from your company’s legal department urging you to “Click on this link to view the litigation PDF.”
Fake communications from the restaurants you frequent or charities you support asking you to “Fill out this document” in return for a gift card or other compensation.
Remember: the presence of a few pieces of plausible information should not be enough to get you to let your guard down. On the contrary, uncommon requests containing specific information should immediately arouse suspicion.
Examples of Spear Phishing Attacks
Phishing of all kinds continues to grow. In fact, as of September 2019, the Webroot team had discovered 1.5 million unique phishing URLs just this year. That said, below are three major attacks that made news over the years.
Hacking the LASC
In July 2019, a Texas man was sentenced to more than 12 months in prison and to pay nearly $50,000 in restitution for successfully hacking a Los Angeles Superior Court (LASC) computer system through a spear phishing campaign. In 2017, he had used a spoofed Dropbox email to solicit account credentials for the court system, gaining access to LASC servers and sending millions of additional phishing emails from accounts he had compromised.
A $46.7 Million Transfer
One of the most daring and costly spear phishing attacks targeted the San Jose-based tech firm Ubiquiti Networks. Cybercriminals took the company for $46.7 million by impersonating an employee and convincing the company to initiate an overseas wire transfer.
Phishing for the Big One
An Omaha-based commodities trader was taken by a famous whaling attack for $17.2 million after an executive believed he had received orders from the company’s CEO to transfer the money to a Chinese bank. The scammer had done his homework, with many of the details in the fraudulent requests closely mirroring actual circumstances within the company at the time.
Spear Phishing Prevention
Many of the same best practices for spotting phishing attacks can be applied to these more targeted attacks. This means looking for signs like:
Attachments that ask you to enable a macro after opening—this is the most common method for gaining a foothold on the systems you have access to
High-pressure or pushy language to take an immediate action
Uncommon or out-of-the-blue requests you might expect to be delivered in person, at a meeting, or to involve a group of decision makers
Links that, when hovered over with a cursor, are not recognizable or do not correlate to the ask within the email or message
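The signs listed above can be checked mechanically as a first-pass triage aid. The following Python script is an added example, not code from the original article or from Webroot: it parses an RFC 822 message and flags macro-enabled attachments, high-pressure wording, and links whose visible text names a different domain than the real destination. The two sample messages are constructed inline with placeholder domains, the urgency phrase list is an illustrative assumption rather than a vetted ruleset, and the "registered domain" helper is a deliberately crude last-two-labels heuristic.

```python
"""Heuristic red-flag scanner for an e-mail message (defensive triage aid).

Added example, not part of the original article. Checks the signs listed
in the text: macro-enabled attachments, pressure wording, and links whose
visible text does not match the actual destination. Sample messages are
constructed below; the domains are placeholders, not real senders.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Office "macro-enabled" extensions that can carry VBA code (assumed list).
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}

# Pressure / urgency phrases typical of social-engineering lures (assumed list).
URGENCY_PATTERNS = [
    r"\bimmediately\b", r"\bwithin 24 hours\b", r"\burgent\b",
    r"\bright away\b", r"\baccount will be (suspended|closed)\b",
    r"\blast (chance|warning)\b",
]

# Link text that itself looks like a URL or host name, e.g. "https://dropbox.com/x".
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _registered_domain(host):
    """Crude eTLD+1 (last two labels); sufficient for this illustration."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def scan_message(raw):
    """Return a list of red-flag strings for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # 1. Macro-enabled attachments (the "enable macros" lure).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in MACRO_EXTENSIONS):
            flags.append(f"macro-enabled attachment: {name}")

    # 2. Pressure language in the subject and the tag-stripped body.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg['subject'] or ''}\n{re.sub(r'<[^>]+>', ' ', body)}"
    for pat in URGENCY_PATTERNS:
        if re.search(pat, text, re.IGNORECASE):
            flags.append(f"urgency wording matched /{pat}/")

    # 3. Hover check: visible link text naming one domain, href going elsewhere.
    if body_part and body_part.get_content_type() == "text/html":
        extractor = _LinkExtractor()
        extractor.feed(body)
        for visible, href in extractor.links:
            target = urlparse(href).hostname or ""
            shown = DOMAIN_LIKE.match(visible)
            if shown and _registered_domain(shown.group(1)) != _registered_domain(target):
                flags.append(f"link text {visible!r} points to {target!r}")
    return flags


def build_sample(subject, html, attachment_name=None):
    """Construct a test message (constructed data, not a captured e-mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("plain text alternative")
    m.add_alternative(html, subtype="html")
    if attachment_name:
        m.add_attachment(b"\x00\x01", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


def suspicious_sample():
    """Lure mirroring the 'litigation PDF' example: urgency, mismatched link, .docm."""
    return build_sample(
        "Urgent: litigation document",
        '<p>Please view the litigation PDF within 24 hours.</p>'
        '<p><a href="http://files.example-share.net/doc">https://dropbox.com/s/litigation</a></p>',
        attachment_name="litigation.docm")


def benign_sample():
    """Ordinary internal message: link text and destination agree, no pressure."""
    return build_sample(
        "Lunch next week",
        '<p>Agenda: <a href="https://intranet.example.com/agenda">'
        'https://intranet.example.com/agenda</a></p>')


if __name__ == "__main__":
    for label, raw in (("suspicious", suspicious_sample()), ("benign", benign_sample())):
        print(label, scan_message(raw) or ["no red flags"])
```

The scanner is a triage aid, not a verdict: a message with zero flags can still be a well-crafted spear phish, which is why the article's advice to verify unusual requests out of band still applies.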
In addition to arming every device with effective antivirus protection, security awareness education is one of the most effective means of combatting all forms of social engineering attacks. After all, your company’s biggest vulnerability is the employees within it.
Keeping security top of mind through policy and best practices is also recommended. Employees should be encouraged to use two-factor authentication (2FA) whenever possible and to navigate directly to sites when changes are requested, rather than handling them in an email.
Ultimately though, only testing in as close to real-world scenarios as possible will provide the fullest picture of how well-equipped an organization is to combat phishing threats. Phishing simulators and educational classes allow companies to measure and improve their social engineering security posture. They also give you a detailed road map of your organization’s security gaps before you’re breached.
But while security awareness is a powerful prevention tool, it’s only one aspect of a comprehensive security strategy. The truth is, spear phishing is becoming more prevalent, in part, because it works.