In a phishing attack, a cyber attacker leverages a trusted relationship to trick a victim into sharing personal information – usually through clicking a malicious link. A spear phishing attack is a targeted version of a phishing attack. Instead of blasting a huge database with a generalized scam, an attacker carefully profiles an intended victim, typically a high-value employee. They then tailor a message specifically for them, using information gathered online, and deliver malicious links or attachments. Often they pose as someone the victim trusts.
Historically, spear phishing attacks were generally confined to email. Increasingly, like all forms of digital risk, they are becoming a major problem on the third party cloud channels we all use in our daily lives – collaboration, messaging and social media apps. A spear phishing attack can be especially devastating when it is used as a delivery mechanism for other forms of cyber attack, resulting in parallel breaches.
Whaling is a highly targeted form of spear phishing, aimed at senior executives with access to the most sensitive sorts of information and data. The high value nature of the target victims is the only difference between spear phishing and whaling. When considering how to combat spear phishing vs. whaling, the security tactics are the same. The stakes are higher – a successful whaling attack is typically more damaging than a normal spear phishing attack – but the threat only differs in scale, not kind.
Phishing dates back to the mid-nineties. The first recorded phishing attacks were carried out by scammers who posed as AOL employees and sent emails to AOL subscribers, asking them to “verify” their account or “confirm” their billing information. Ever since then, phishers and anti-phishing technologies (chiefly email filters) have been locked in a war of attrition.
Email phishing remains a problem. However, over the years, individuals and businesses have increasingly gotten wise to phishing. People are much savvier at spotting spam than they used to be. Modern email filters are powerful.
Spear phishing developed explicitly to counter the declining effectiveness of phishing by introducing more sophisticated forms of imposture. By putting on a convincing and highly tailored digital mask, bad actors could reduce their phishing quantity but significantly increase its quality.
2010 to 2015
Between 2013 and 2015, a Lithuanian cyber-criminal named Evaldas Rimašauskas ran an elaborate scheme that fooled both Google and Facebook into sending him a total of $123 million.
Rimašauskas masqueraded as a vendor to both tech companies and delivered well-crafted and convincing invoices. In 2015, the New York-based Ubiquiti Networks fell victim to a spear phishing attack. The fraudsters, impersonating the company’s CEO, invoiced the company's finance department and extracted $46.7 million into overseas accounts.
One of the most notorious spear phishing incidents of all was 2018's Operation Sharpshooter. An elaborate infiltration campaign attributed to North Korea’s Lazarus Group, the operation targeted 87 different firms. Spear phishing played a key role: the attackers posed as job recruiters to send weaponized Word documents (macros in the documents used embedded shellcode to inject the Sharpshooter downloader into Word’s memory).
Today, spear phishing is an epidemic, and it is getting worse. In 2017, 76% of global businesses fell victim to spear phishing. The following year, that figure rose to 83%. In 2019, a massive 90% of organizations faced spear phishing attacks.
According to the FBI, in 2019, total US victim losses from phishing amounted to $57 million. This number is likely to be understated. Many companies understand the danger; current investments in spear phishing security solutions stand at $985 million. Projections based on recent market data suggest that spending will reach $1.94 billion by 2025.
Companies are concerned about spear phishing because of its evolving digital risk profile. Although spear phishing used to be chiefly an email problem, it is now much bigger than that. Spear phishing attacks have expanded to social, chat, and collaboration apps.
- In 2019, social attacks accounted for a quarter of all security breaches, with social phishing playing a prominent role.
- In significant organization breaches, 50% of actions were social spear phishing.
- In the information security sector, 50% of all social attacks are phishing.
- In the finance sector, 84% of social attacks include phishing.
- A 2019 report revealed that Facebook phishing URLs had increased by 175%.
Spear phishing as a cloud channel problem is on the rise for three key reasons:
1] Cloud channels such as Microsoft Teams, LinkedIn, and even WhatsApp are eclipsing email as the preferred method of personal and professional communication. By the end of 2021, two out of three businesses are expected to adopt team collaboration apps. Bad actors know that this is where their targets live and work and are directing their attention here.
2] However, these channels are vulnerable. Email security is a $3 billion industry; by contrast, although the new generation of cloud channels has burst into prominence, associated security solutions lag behind. Most security teams have no tools developed specifically to protect their cloud channels, which live outside the traditional security perimeter. They are vulnerable, and bad actors know it. Today enterprises need a platform that can extend their compliance and security policies into all aspects of these channels. Even if you monitor posts, for example, the links and attachments that change hands in people’s direct message streams may escape attention. It’s simply beyond human ability to monitor all these channels; only machine learning and artificial intelligence can detect and surface the entirety of the new attack surface.
3] Even without the COVID-19 pandemic, the shift toward WFH (work-from-home) protocols was well underway. A turbulent 2020 accelerated this trend; according to a Gartner survey, 74% of CFOs will be shifting employees to remote work permanently. However, home offices are inherently less secure than traditional offices.
Hence Q1 of 2020 saw spear phishers launch over 100,000 attacks against remote workers. Home offices are rife with VPN issues, legacy routers and ageing PCs; a remote environment is a complex challenge, and it is easy for vulnerabilities to creep in.
Spear phishing attacks succeed over email for various reasons:
- They are carefully tailored and personalized to bypass spam filters
- They are sent through services with impressive reputation scores
- Malicious links or attachments are not included directly within the email itself
- Sometimes, compromised but genuine email accounts are used to send the phishing emails
Over third party cloud channels, spear phishing attacks succeed because these channels live outside the traditional network perimeter, lack dedicated protections, and are leveraged in vulnerable WFH scenarios.
Simple ways to guard against a social spear phishing attack include:
- Smarter Password Protection. It’s old news by now, but all employees should be using Two-Factor Authentication (2FA). According to Microsoft, activating 2FA successfully blocks 99.9% of automated attacks.
- Constant Security Software Updates. You don’t want to use outdated security software. Missing patches and late updates leave vulnerabilities in the system which attackers can find and exploit.
- Train Your Staff on Spear Phishing Detection and Security. If possible, staff should be trained on how to recognize potential spear phishing messages.
However, proper protection against social spear phishing requires cloud-based protection, which can block attacks at the application level and prevent them from moving laterally into endpoints and networks. Thwarting spear phishers requires a digital risk protection platform that provides:
Total Visibility: Security teams need to be able to discover and onboard all authorized accounts for protection. They need the power to inspect messages for malicious content, track all new connection requests, and archive account activity for future reference.
Advanced Threat Detection: Channels need to be monitored around the clock for suspicious activity and messaging. All files, attachments and links must be automatically scanned by a DRP platform, and connections should be evaluated for known or potential bad actors.
Incident Response: Detection needs to be followed with action. Malware must be quarantined in real time at the level of the application, and IOC notification details should be sent to SOC/SIEM for evaluation. Social attacks need to be correlated with EDR.
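To make the detection and incident-response points concrete, and to tie them back to the earlier list of reasons spear phishing succeeds (impersonation of a trusted sender, links on otherwise reputable-looking domains, weaponized attachments), here is an added example of the kind of message scanner a DRP platform runs over chat or collaboration traffic. It is illustration written for this page, not code from any product or from the original article. The directory, trusted domains, "known-bad" feed, scoring weights and the three sample messages are all constructed; a real deployment would pull identities from the tenant directory, domains from the public suffix list and IOCs from a threat-intelligence feed.

```python
"""Added example: score collaboration-channel messages for spear-phishing
indicators and emit the IOC record a SOC/SIEM would ingest.
All names, domains, weights and messages below are constructed for illustration."""
import json
import re
from urllib.parse import urlparse

# Constructed directory: high-value display names and the only account allowed to use each.
DIRECTORY = {"Jane Doe (CEO)": "jane.doe@acmecorp.example"}
# Constructed set of domains the organisation trusts; anything else is "external".
TRUSTED_DOMAINS = {"acmecorp.example"}
# Constructed stand-in for a threat-intelligence feed of known-bad domains.
KNOWN_BAD = {"invoice-portal.example"}
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")
URGENCY_WORDS = ("urgent", "verify", "confirm", "wire", "immediately")
# Constructed weights; tune against your own false-positive rate.
WEIGHTS = {"known_bad_domain": 10, "lookalike_domain": 6, "display_name_impersonation": 5,
           "macro_attachment": 4, "urgency_language": 2, "external_link": 1}
QUARANTINE_THRESHOLD = 5

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
# Digits commonly swapped for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host):
    """Last two labels of a hostname; a real system would consult the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def is_lookalike(host):
    """True when the domain imitates a trusted brand (digit swaps, added words) but is not trusted."""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return False
    label = reg.split(".")[0].translate(CONFUSABLES).replace("-", "")
    return any(trusted.split(".")[0] in label for trusted in TRUSTED_DOMAINS)


def extract_urls(text):
    """Pull URLs out of free text, dropping trailing sentence punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def analyse(msg):
    """Return (score, indicators) for a message dict with keys
    display_name, sender, body and optionally attachments."""
    indicators = []
    expected = DIRECTORY.get(msg["display_name"])
    if expected and msg["sender"].lower() != expected:
        indicators.append(("display_name_impersonation", msg["sender"]))
    for url in extract_urls(msg["body"]):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) in KNOWN_BAD:
            indicators.append(("known_bad_domain", url))
        elif is_lookalike(host):
            indicators.append(("lookalike_domain", url))
        elif registrable_domain(host) not in TRUSTED_DOMAINS:
            indicators.append(("external_link", url))
    for name in msg.get("attachments", []):
        if name.lower().endswith(MACRO_EXTENSIONS):
            indicators.append(("macro_attachment", name))
    lowered = msg["body"].lower()
    if any(word in lowered for word in URGENCY_WORDS):
        indicators.append(("urgency_language", msg["body"][:60]))
    score = sum(WEIGHTS[kind] for kind, _ in indicators)
    return score, indicators


def to_ioc_record(msg, channel):
    """Build the notification sent to the SOC/SIEM; the quarantine decision is
    taken here, at the application layer, before anything reaches an endpoint."""
    score, indicators = analyse(msg)
    return {
        "channel": channel,
        "sender": msg["sender"],
        "score": score,
        "action": "quarantine" if score >= QUARANTINE_THRESHOLD else "allow",
        "indicators": [{"type": kind, "value": value} for kind, value in indicators],
    }


# Constructed sample traffic from a collaboration channel (not real messages).
SAMPLE_MESSAGES = [
    {"display_name": "Jane Doe (CEO)", "sender": "jane.doe@acmecorp.example",
     "body": "Slides for Monday: https://docs.acmecorp.example/q3-review"},
    {"display_name": "Jane Doe (CEO)", "sender": "jane.doe@mail-acmec0rp.example",
     "body": "Urgent: please confirm the wire via https://acmec0rp-login.example/pay today."},
    {"display_name": "Vendor Billing", "sender": "billing@invoice-portal.example",
     "body": "Invoice attached, portal copy at https://invoice-portal.example/inv/2291",
     "attachments": ["INV-2291.docm"]},
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(json.dumps(to_ioc_record(message, "teams"), indent=2))
```

Run as-is, the first (genuine) message scores 0 and is allowed, the CEO impersonation scores 13 (display-name mismatch, lookalike domain, urgency wording) and the vendor invoice scores 14 (blocklisted domain plus a macro-enabled attachment); both of the latter are quarantined and their IOC records are ready for SIEM ingestion and correlation with EDR telemetry. The design keeps every indicator as a typed (kind, value) pair so analysts can see exactly why a message was held rather than just a score.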