In a phishing attack, a cyber attacker leverages a trusted relationship to trick a victim into sharing personal information – usually through clicking a malicious link. A spear phishing attack is a targeted version of a phishing attack. Instead of blasting a huge database with a generalized scam, an attacker carefully profiles an intended victim, typically a high-value employee. They then tailor a message specifically for them, using information gathered online, and deliver malicious links or attachments. 

Historically, spear phishing attacks were generally confined to email. Increasingly, like all forms of digital risk, they are a major problem on the third party cloud channels we all use in our daily lives – collaboration, messaging and social apps. A spear phishing attack can be especially devastating when it is used as a delivery mechanism for other forms of cyber attack, resulting in parallel breaches.

Whaling is a highly targeted form of spear phishing, aimed at senior executives with access to the most sensitive sorts of information and data. The high-value nature of the target victims is the only difference between spear phishing and whaling. When considering how to combat spear phishing vs. whaling, the security tactics are the same. The stakes are higher – a successful whaling attack is typically more damaging than a normal spear phishing attack – but the threat only differs in scale, not kind.

Phishing dates back to the mid-nineties. The first recorded phishing attacks were carried out by scammers who posed as AOL employees and sent emails to AOL subscribers, asking them to “verify” their account or “confirm” their billing information. Ever since then, phishers and anti-phishing technologies (chiefly email filters) have been locked in a war of attrition.
 
Old-fashioned ransomware attacks delivered through phishing remain a problem. However, over the years, individuals and businesses have increasingly wised up to phishing. People are much savvier at spotting spam than they used to be, and modern email filters are powerful.
 
Spear phishing developed specifically to counter the declining effectiveness of phishing by introducing more sophisticated forms of imposture. By putting on a convincing and highly tailored digital mask, bad actors could reduce the quantity of their phishing, but significantly up its quality.
 
The 2010s saw numerous high-profile instances of successful spear phishing. Between 2013 and 2015, a Lithuanian cyber-criminal named Evaldas Rimašauskas managed to fool both Google and Facebook into sending him a total of $123 million. Rimašauskas masqueraded as a vendor to both tech companies and delivered well-crafted and convincing invoices. In 2015, the New York-based Ubiquiti Networks fell victim to a spear phishing attack. The fraudsters, impersonating the company’s CEO, invoiced the company's finance department and extracted $46.7 million into overseas accounts.
 
One of the most notorious spear phishing incidents of all was 2018’s Operation Sharpshooter. An elaborate infiltration campaign attributed to North Korea’s Lazarus Group, the operation targeted 87 different firms. Spear phishing played a key role: the hackers posed as job recruiters to send weaponized Word documents, whose macros used embedded shellcode to inject the Sharpshooter downloader into Word’s memory.
 
Today, spear phishing is an epidemic, and it is getting worse. In 2017, 76% of global businesses fell victim to spear phishing. The following year, that figure rose to 83%. In 2019, a massive 90% of organizations faced spear phishing attacks.
According to the FBI, in 2019, total US victim losses from phishing amounted to $57 million. This number is likely to be understated, though. Many companies understand the danger; current investment in spear phishing security solutions stands at $985 million. Projections based on recent market data suggest that spending will reach $1.94 billion by 2025.

Companies are concerned about spear phishing and whaling because of its evolving digital risk profile. Although spear phishing used to be chiefly an email problem, it is now much bigger than that. Spear phishing attacks have expanded to social, chat, and collaboration apps.
  • In 2019, social attacks accounted for a quarter of all security breaches – with social phishing playing a prominent role.
  • In large organization breaches, 50% of actions were social phishing.
  • In the information security sector, 50% of all social attacks are phishing. 
  • In the finance sector, 84% of social attacks include phishing.
  • A 2019 report revealed that Facebook phishing URLs had increased by over 175%.
Spear phishing as a cloud channel problem is on the rise for three key reasons:

  • Cloud channels such as Microsoft Teams, LinkedIn, and even WhatsApp are eclipsing email as the preferred method of personal and professional communication. By the end of 2021, two out of three businesses are expected to adopt team collaboration apps. Bad actors know that this is where their targets live and work, and are directing their attention here. 
  • However, these channels are vulnerable. Email security is a $3 billion industry; by contrast, although the new generation of cloud channels have burst into prominence, associated security solutions are lagging behind. Most security teams have no tools developed specifically to protect their cloud channels, which live outside the traditional security perimeter. They are vulnerable to social engineering attacks – and bad actors know it.
  • Even without the COVID-19 pandemic, the shift toward WFH (work-from-home) protocols was well underway. A turbulent 2020 accelerated this trend; according to a Gartner survey, 74% of CFOs will be shifting employees to remote work permanently. However, home offices are inherently less secure than traditional offices. (Hence Q1 of 2020 saw spear phishers launch over 100,000 attacks against remote workers.) Home offices are rife with VPN issues and legacy routers, PCs, and IoT devices. Safeguarding the future of work in a highly distributed remote environment is a complex challenge, and it is easy for vulnerabilities to creep in.
Spear phishing attacks succeed over email for various reasons:
  • They are carefully tailored and personalized to bypass spam filters
  • They are sent through services with impressive reputation scores
  • Malicious links or attachments are not included directly within the email itself
  • Sometimes, compromised but genuine email accounts are used to send the phishing emails
Over third party cloud channels, spear phishing attacks succeed because these channels live outside the traditional network perimeter, lack dedicated protections, and are leveraged in vulnerable WFH scenarios. 
 
For both spear phishing and whaling, effective tactics of protection are:
  • Smarter Password Protection. It’s old news by now, but all employees should be using 2FA (Two-Factor Authentication). According to Microsoft, activating 2FA successfully blocks 99.9% of automated attacks.
  • Constant Security Software Updates. You don't want to use outdated security software. Missing patches and late updates can lead to vulnerabilities in the system which hackers can explore and exploit.
  • Train Your Staff on Spear Phishing Detection and Security. If possible, staff should be trained on how to recognize potential spear phishing messages. 
However, proper protection against both spear phishing and whaling requires cloud-based protection, which can stop attacks at the application level and stop them moving laterally into endpoints and networks. Thwarting spear phishers requires a digital risk protection platform that provides:
  • Enhanced Visibility
    Security teams need to be able to discover and onboard all authorized accounts for protection. They need the power to inspect messages for malicious content, track all new connection requests, and archive account activity for future reference.
  • Threat Detection
    Channels need to be monitored around the clock for suspicious activity and messaging. All files, attachments and links must be automatically scanned by a DRP platform, and connections should be evaluated for known or potential bad actors.
  • Incident Response
    Detection needs to be followed with action. Malware must be quarantined in real time at the level of the application, and IOC notification details should be sent to SOC/SIEM for evaluation. Social attacks need to be correlated with EDR.
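The inspection and SOC/SIEM hand-off described above, and the evasion tricks listed earlier (executive impersonation, lookalike vendor domains, links whose visible text hides the real target, urgent requests from fresh connections), as an added defender-side example that is not part of the original page or of any vendor's product. The executive names, the `.test` domains, the dict-shaped message schema and the markdown-style chat links are all constructed assumptions.

```python
import re
from urllib.parse import urlparse
# Constructed reference data (hypothetical names and domains, not real accounts).
VERIFIED_EXECUTIVES = {"dana reyes": "dana.reyes@example-corp.test"}
KNOWN_VENDORS = {"acme-supplies.test"}
URGENCY = re.compile(r"\b(urgent|immediately|wire|invoice|overdue)\b", re.I)
LINK = re.compile(r"\[([^\]]+)\]\((https?://[^)\s]+)\)")  # markdown-style chat links
def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += len(a) >= len(b)  # advance the longer side (or both on a substitution)
        j += len(b) >= len(a)
    return True

def inspect_message(msg):
    """Return the reasons a collaboration-app message looks like spear phishing."""
    reasons = []
    name, sender = msg["display_name"].strip().lower(), msg["sender"].lower()
    domain = sender.split("@")[-1]
    if VERIFIED_EXECUTIVES.get(name) not in (None, sender):  # whaling: exec name, wrong account
        reasons.append("executive display name on an unverified account")
    if domain not in KNOWN_VENDORS and any(within_one_edit(domain, v) for v in KNOWN_VENDORS):
        reasons.append(f"lookalike vendor domain: {domain}")
    for text, url in LINK.findall(msg["body"]):
        host = urlparse(url).hostname or ""
        if "." in text and text.lower() != host:  # visible domain hides the real target
            reasons.append(f"link text {text} points to {host}")
    if msg.get("new_connection") and URGENCY.search(msg["body"]):
        reasons.append("urgent financial request from a new connection")
    return reasons

def to_siem_event(msg):
    """IOC notification record for SOC/SIEM; None when nothing was flagged."""
    reasons = inspect_message(msg)
    return {"channel": msg["channel"], "sender": msg["sender"], "action": "quarantine",
            "reasons": reasons} if reasons else None
# Constructed sample: a whaling attempt over a chat app, plus a legitimate vendor note.
WHALING = {"channel": "teams", "display_name": "Dana Reyes", "new_connection": True,
           "sender": "d.reyes@acme-suppIies.test",  # capital I stands in for the vendor's l
           "body": "Urgent: wire the overdue invoice at [portal.example-corp.test](https://example-corp-portal.test)"}
LEGIT = {"channel": "teams", "display_name": "Sam Ortiz", "sender": "sam@acme-supplies.test", "new_connection": False, "body": "Updated catalogue attached."}
```

Every flagged message yields one quarantine event with the reasons attached, which is the detail a SOC needs to correlate the social attack with EDR telemetry.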