Keeping yourself safe online is a constant struggle that requires staying one step ahead of cybercriminals. Spear phishing is one of the latest ways to make spoofed emails seem more legitimate. The right training and tools are the only way to prevent your business from falling victim to these sophisticated attacks.
TeamPassword makes it easy to keep your accounts safe from cybercriminals. Don’t believe us? Sign up for a 14-day free trial today and try for yourself.
What is phishing?
Here is a simple definition of phishing.
Phishing definition: Phishing is a type of cyberattack that uses seemingly legitimate emails, SMS messages, or social media posts to convince people to share sensitive login information, either directly or via a spoofed login page.
What is spear phishing?
Here is a simple definition of spear phishing.
Spear phishing definition: Spear phishing is a targeted version of the standard phishing attack, where a specific individual or group is targeted using personal information to make the message seem more legitimate and urgent.
Similar to how many brute force attacks use personalized dictionaries, spear phishing is a way to improve the likelihood of a targeted victim falling prey to a phishing attack.
Phishing and spear phishing are both considered social engineering, in which the attacker convinces the victim that the attacker is somebody else. A common example of a social engineering attack is when a person impersonating a bank official calls someone in an attempt to get them to divulge their username and password.
Phishing vs spear phishing: What’s the difference?
Spear phishing is really just an upgraded, personalized version of phishing. A phishing attack might be sending a text message to every phone number in New York State claiming to be from Chase Bank, saying you need to log in immediately due to suspicious activity, with a link to a spoofed Chase Bank homepage.
Conversely, a spear phishing attack might be sending a message to every employee of a small startup that looks like it is coming from the CEO, asking them to check their login details for some software that the attacker knows the company uses.
Other phishing variants
There are a few other variants of phishing. In the biggest, most sophisticated attacks, these tactics are often combined. Here are two other common phishing variants.
Whaling definition: Whaling is when a phishing attack targets a high-value individual, for example the CEO or CFO, with the goal of a maximum payday. It’s a play on the word phishing as whales are big “fish.”
Vishing definition: Vishing is similar to a phishing attack, only it uses phone calls instead of emails to pull off the deception. Phishing is often the first step in a vishing attack, where the names and positions of several individuals are uncovered so they can be used to fool IT professionals with a vishing phone call.
Spear phishing tactics
Spear phishers use many different tactics to convince prospective victims that the message is legitimate. Here are some common spear phishing strategies:
Security alerts: The spear phisher sends a text message saying there is suspicious activity in an account. Credit card numbers often have a set starting sequence according to the bank issuing the card, so stating “your card starting 9999” makes the message seem more legitimate.
Customer complaints: If you’ve recently written a negative review about a utility company or bank online, then spear phishers may have scraped that data to use it as part of a cyber attack. They can then pose as the customer service department of that entity in hopes of tricking you into providing sensitive information.
Impersonation: Instead of posing as a bank or other organization, some spear phishing attacks include impersonating a specific person. Common examples include posing as the CEO or CFO of your employer, or as your grandchild.
Spear phishing examples
The news is littered with famous and sophisticated companies falling victim to spear phishing and vishing attacks. Here are some of the biggest events of the last decade.
About 10 years ago, the SecurID product by RSA was compromised with a spear phishing attack. This attack involved circulating an Excel file via company emails that had embedded code. According to Symantec, even in 2023, Office files are increasingly being used for phishing attacks.
In 2015, Ubiquiti lost $46.7 million in a spear phishing attack. The billionaire CEO, Robert Pera, was targeted in this whaling effort. In this case, impersonation by an outside entity allowed the fraudsters to steal about 10% of the company’s cash reserves. The missing money wasn’t even noticed until the FBI informed them of the potential attack.
In one of the most recent major cyber attacks, on September 11th, 2023, MGM and several other casinos were brought offline by ransomware attacks. Phishing and social media made it possible for the hackers to gather enough information to impersonate employees. They then used a vishing tactic to get IT to reset account passwords, gaining entry into the computer system.
Caesars, another Las Vegas casino, was one of the other victims of this widespread attack. Unlike MGM, they decided to pay “millions” to the ransomware-as-a-service hackers. MGM, meanwhile, spent 10 days unable to operate their business, losing untold millions in revenue.
It’s not just businesses that are being threatened by spear phishing attacks. Government infrastructure is also threatened. Schools are becoming a particularly popular target. They tend to have technical debt that makes them soft targets as well as staff who are often less trained on different cyberthreats than those working in tech.
Spear phishing statistics
Spam accounts for about 48% of all email sent, representing 3.4 billion emails per day. Over a fifth of that is from Russia, and they are mostly sent with phishing in mind. If you haven’t trained your staff to detect potentially threatening emails, then it's only a matter of time before they open one.
Half of all social engineering attacks include emails, and about three quarters of all attacks involve social engineering. Overall, in 2022, about a quarter of all attacks targeting American companies were ransomware.
According to Symantec, 65% of all cyber attacks involve phishing. Furthermore, the rise of crypto has made ransomware attacks harder to circumvent, prevent, or prosecute.
Often, the only recourse is payment. According to IBM, the average cost of a data breach is nearly $5 million.
While phishing and spear phishing are traditionally done by email and more recently SMS, social media has also become a major source of fraud. This is especially true for LinkedIn. The information individuals provide publicly about their employer, position, and location makes it far easier for spear phishers and vishers to believably impersonate members of staff.
How do you prevent spear phishing attacks?
The fact is that your business is receiving spear phishing emails every day. Therefore, the first line of defense has to be training. Whenever you open an email, check the address of the sender.
For example, official Bank of America email addresses will end “@bofa.com” and not “@bankzofamerica.something.in”. Next, before clicking on a link you can actually hover over the link with your mouse to see the destination. Does it match the expectation? If not, it’s probably a spoofed login page.
If you think the email is legitimate, then there are further steps you can take. For example, if the email is warning you that an account is compromised, instead of clicking through the email to the website, type it in separately and navigate to your account.
If it is apparently an urgent and unexpected email from your coworker, send them a Slack message to confirm. If you do intend to call them, open up your HR software to get their number instead of using the one in the email.
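The two manual checks above (does the sender's domain really belong to the expected organisation, and does a link's visible text agree with where it actually points?) can be automated in a small script. This is an added example, not TeamPassword's code; it uses a deliberately simple "last two DNS labels" rule for the registrable domain (assumption: no public-suffix list) and a constructed sample message modelled on the lookalike address in the text.

```python
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """'login.bofa.com' -> 'bofa.com'. Simplification: a real tool would use the
    public-suffix list so that 'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain_ok(address: str, expected_domain: str) -> bool:
    """True only when the mailbox's registrable domain equals expected_domain.
    A naive endswith('bofa.com') test would wrongly accept 'bofa.com.evil.example'."""
    if "@" not in address:
        return False
    host = address.rsplit("@", 1)[1]
    return registrable_domain(host) == expected_domain.lower()


def link_mismatch(display_text: str, href: str) -> bool:
    """The 'hover over the link' check: True when the visible text names one
    domain but the href really points at another."""
    shown = display_text.strip()
    if " " in shown or "." not in shown:      # plain words ('Click here'): nothing to compare
        return False
    if "://" not in shown:
        shown = "https://" + shown            # bare 'www.bofa.com' style text
    shown_host = urlparse(shown).hostname
    real_host = urlparse(href).hostname
    if not shown_host or not real_host:
        return False
    return registrable_domain(shown_host) != registrable_domain(real_host)


def check_message(sender: str, links: list, expected_domain: str) -> list:
    """Findings for one message; an empty list means nothing suspicious was seen."""
    findings = []
    if not sender_domain_ok(sender, expected_domain):
        findings.append(f"sender {sender!r} is not from {expected_domain}")
    for text, href in links:                  # links: (visible text, href) pairs
        if link_mismatch(text, href):
            findings.append(f"link text {text!r} really points to {urlparse(href).hostname!r}")
    return findings


# Constructed sample: lookalike sender plus a link whose text and target disagree.
SAMPLE_SENDER = "alerts@bankzofamerica.something.in"
SAMPLE_LINKS = [("https://www.bofa.com/login", "https://bofa.com.evil.example/login")]

if __name__ == "__main__":
    for finding in check_message(SAMPLE_SENDER, SAMPLE_LINKS, "bofa.com"):
        print("WARNING:", finding)
```

Run against the sample, it reports both the wrong sender domain and the link whose hover target differs from its visible text.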
Use TeamPassword to prevent spear phishing attacks
TeamPassword can help you stay safe from the threat of spear phishing attacks. By creating and securely storing a unique, random, and strong password for each account, you keep those accounts out of reach of anyone trying to steal your information. This makes it harder for bad actors to get your personal information, which in turn makes their phishing attempts seem less legitimate.
Furthermore, TeamPassword allows you to share credentials with coworkers. That way you know that anyone looking for a username or password is probably spam and can be safely ignored.
TeamPassword can protect your important accounts from spear phishers. Don’t believe us? Sign up for a 14-day free trial today and try for yourself.