
Executive Summary


What is cyber spear phishing? In a phishing attack, a cyber attacker leverages a trusted relationship to trick a victim into sharing personal information – usually through clicking a malicious link. A spear phishing attack is a targeted version of a phishing attack. Instead of blasting a huge database with a generalized scam, an attacker carefully profiles an intended victim, typically a high-value employee. They then tailor a message specifically for them, using information gathered online, and deliver malicious links or attachments. Often they pose as someone the victim trusts.

Historically, spear phishing attacks were generally confined to email. Increasingly, like all forms of digital risk, they are becoming a major problem on the third-party cloud channels we use in our daily lives – collaboration, messaging, and social media apps. A spear phishing attack is a highly evolved social engineering attack and can be especially devastating when it is used as a delivery mechanism for other forms of cyber attack, resulting in parallel breaches.

Whaling is a highly targeted form of spear phishing aimed at senior executives with access to the most sensitive information and data. The high-value nature of the target victims is the only difference between spear phishing and whaling. When considering how to combat spear phishing vs. whaling, the security tactics are the same. The stakes are higher – a successful whaling attack is typically more damaging than a normal spear phishing attack – but the threat only differs in scale, not kind.


Phishing dates back to the mid-nineties. The first recorded phishing attacks were carried out by scammers who posed as AOL employees and emailed AOL subscribers, asking them to “verify” their account or “confirm” their billing information. Since then, phishers and anti-phishing technologies (chiefly email filters) have been locked in a war of attrition.

Email phishing remains a problem. However, individuals and businesses have increasingly gotten wise to phishing over the years. People are much savvier at spotting spam than they used to be. Modern email filters are powerful.

Spear phishing was developed explicitly to counter the declining effectiveness of phishing by introducing more sophisticated forms of imposture. By putting on a convincing and highly tailored digital mask, bad actors could reduce their phishing quantity but significantly increase its quality.

2010 to 2015

Between 2013 and 2015, a Lithuanian cyber-criminal named Evaldas Rimašauskas ran an elaborate scheme that fooled both Google and Facebook into sending him $123 million.

Rimašauskas masqueraded as a vendor to both tech companies and delivered well-crafted and convincing invoices. In 2015, the New York-based Ubiquiti Networks fell victim to a spear phishing attack. The fraudsters, impersonating the company’s CEO, invoiced the company's finance department and extracted $46.7 million into overseas accounts.


One of the most notorious spear phishing incidents of all was 2018's Operation Sharpshooter. An elaborate infiltration campaign attributed to North Korea’s Lazarus Group, the operation targeted 87 different firms. Spear phishing played a key role, as hackers posed as job recruiters to send weaponized Word documents (macros in the documents used embedded shellcode to inject the Sharpshooter downloader into Word’s memory).


As the COVID-19 pandemic spread worldwide, cybercriminals took advantage of the situation by preying on vulnerable individuals and organizations. Spear phishing was one of those favored tactics.

At the start of 2020, researchers observed an alarming rise in COVID-19-related spear phishing attacks. In particular, between March 1 and 23 of that year, detections jumped 667% to 467,825 – with 9,116 being linked directly to coronavirus concerns. February saw significantly fewer such occurrences (1,188), while January had a mere 137 cases reported.


In Q1 of 2022, the Anti-Phishing Working Group (APWG) recorded an alarming 1 million phishing attacks. This included a sharp increase, from 8.5% to 12.5%, between Q4 2021 and Q1 2022. Specifically, social media platforms were the top targets, and spear phishing is the main attack vector for 65% of these.


Today, spear phishing is an epidemic, and it is getting increasingly worse. According to Norton, though it may not be clear how many businesses are threatened by spear phishing daily, about 88% of organizations face spear phishing attempts yearly.

Many companies understand the danger; investments in spear phishing security solutions are $985 million. Projections based on recent market data suggest that spending will reach $1.94 billion by 2025.

Companies are concerned about spear phishing because of its evolving digital risk profile. Although spear phishing used to be chiefly an email problem, it is now much bigger than that. Spear phishing attacks have expanded to social, chat, and collaboration apps. Social attacks accounted for a quarter of all security breaches - with social phishing playing a prominent role.

  • In significant organization breaches, 50% of actions were social spear phishing.

  • In the information security sector, 50% of all social attacks are phishing.

  • In the finance sector, 84% of social attacks include phishing.

An October 2022 study analyzed billions of link-based URLs, attachments, and natural language messages sent through email, mobile devices, and web browsers. It discovered that cybersecurity threats had spiked significantly within six months, with 61% more attacks reported in October 2022, compared to 2021. A total of 255 million phishing activities have been identified over six months.

Spear phishing as a cloud channel problem is on the rise for three key reasons:

1] Cloud channels such as Microsoft Teams, LinkedIn, and even WhatsApp are eclipsing email as the preferred method of personal and professional communication. By the end of 2021, two out of three businesses are expected to adopt team collaboration apps. Bad actors know this is where their targets live and work and are directing their attention here.

2] However, these channels are vulnerable. Email security is a $3 billion industry; by contrast, although the new generation of cloud channels has burst into prominence, associated security solutions lag behind. Most security teams have no tools developed specifically to protect their cloud channels, which live outside the traditional security perimeter. They are vulnerable – and bad actors know it. Today enterprises need a platform that can extend their compliance and security policies into all aspects of these channels. Even if you monitor posts, for example, the links and attachments that change hands in people’s direct message streams may escape attention. It’s simply beyond human ability to monitor all these channels; only machine learning and artificial intelligence can detect and surface the entirety of the new attack surface.

3] Even without the COVID-19 pandemic, the shift toward WFH (work-from-home) protocols was well underway. A turbulent 2020 accelerated this trend; according to a Gartner survey, 74% of CFOs will be shifting employees to remote work permanently. However, home offices are inherently less secure than traditional offices.

Hence Q1 of 2020 saw spear phishers launch over 100,000 attacks against remote workers. Home offices are rife with VPN issues and legacy routers and PCs. A remote environment is a complex challenge, and it is easy for vulnerabilities to creep in.


Spear phishing attacks succeed over email for various reasons:

  • They are carefully tailored and personalized to bypass spam filters

  • They are sent through services with impressive reputation scores

  • Malicious links or attachments are not included directly within the email itself

  • Sometimes, compromised but genuine email accounts are used to send the phishing emails

Over third-party cloud channels, spear phishing attacks succeed because these channels live outside the traditional network perimeter, lack dedicated protections, and are leveraged in vulnerable WFH scenarios.

What can companies do to protect themselves from spear phishing? Simple ways to guard against a social spear phishing attack include:

  • Smarter Password Protection. It’s old news by now, but all employees should be using Two-Factor Authentication (2FA). According to Microsoft, activating 2FA successfully blocks 99.9% of automated attacks.

  • Constant Security Software Updates. You don’t want to use outdated security software. Missing patches and late updates can lead to vulnerabilities in the system which hackers can explore and exploit.

  • Train Your Staff on Spear Phishing Detection and Security. If possible, staff should be trained on how to recognize potential spear phishing messages.

However, proper protection against social spear phishing requires cloud-based protection, which can stop attacks at the application level and stop them from moving laterally into endpoints and networks. Thwarting spear phishers requires a cybersecurity platform that provides:

  • Total Visibility: Security teams need to be able to discover and onboard all authorized accounts for protection. They need the power to inspect messages for malicious content, track all new connection requests, and archive account activity for future reference.

  • Advanced Threat Detection: Channels must be monitored around the clock for suspicious activity and messaging. An XDR platform must automatically scan all files, attachments, and links, and connections should be evaluated for known or potential bad actors.

  • Channel Coverage & Cross-Channel Event Correlation: Businesses need to detect spear phishing attempts, including sophisticated attack campaigns across email and other business channels for collaboration, chat, conferencing, social media, and mobile chat.

  • Multilingual NLU: Organizations need solutions that auto-detect at least 50 languages to enable universal coverage that spans geographic markets.

  • NLU maturity: Cybersecurity platforms with NLU and ML experience develop and provide accurate, scalable analytics for security and compliance.

  • Incident Response: Detection needs to be followed with action. Malware must be quarantined in real-time at the application level, and IOC notification details should be sent to SOC/SIEM for evaluation. Social attacks need to be correlated with EDR.
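To make the cross-channel event correlation requirement above concrete, here is an added example (not SafeGuard Cyber's code and not from the original page) that flags a link host reaching the same employee over two or more channels within a time window. The event fields, the employee IDs and all sample messages are constructed, and it assumes each channel's recipient has already been resolved to one employee ID.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample events, one per message. Field names are hypothetical;
# "recipient" is assumed to be an employee ID already resolved per channel.
EVENTS = [
    {"ts": "2022-10-03T09:12:00", "channel": "email", "recipient": "emp-cfo",
     "text": "Role details: https://docs.share-example.test/offer"},
    {"ts": "2022-10-04T15:30:00", "channel": "linkedin", "recipient": "emp-cfo",
     "text": "Following up, see https://docs.share-example.test/offer?ref=li"},
    {"ts": "2022-10-04T16:00:00", "channel": "whatsapp", "recipient": "emp-cfo",
     "text": "Lunch menu https://menu.cafe-example.test/today"},
    {"ts": "2022-10-03T10:00:00", "channel": "teams", "recipient": "emp-eng1",
     "text": "Wiki: https://intranet.corp.example/wiki"},
    {"ts": "2022-10-20T10:00:00", "channel": "email", "recipient": "emp-eng1",
     "text": "Reminder https://intranet.corp.example/wiki"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def link_hosts(text):
    """Hostnames of every http(s) link found in a message body."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.rstrip("."))
    return hosts

def correlate(events, window=timedelta(hours=48), min_channels=2):
    """Alert when one link host reaches one recipient over several channels in the window."""
    seen = defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        for host in link_hosts(e["text"]):
            seen[(e["recipient"], host)].append((ts, e["channel"]))
    alerts = []
    for (recipient, host), hits in sorted(seen.items()):
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Channels that delivered this host within `window` of this hit.
            chans = {c for t, c in hits[i:] if t - start <= window}
            if len(chans) >= min_channels:
                alerts.append({"recipient": recipient, "host": host,
                               "channels": sorted(chans), "first_seen": start.isoformat()})
                break
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Per-channel monitoring would treat each of the two messages to `emp-cfo` as a single unremarkable link; only the joined view shows the same host arriving over email and LinkedIn within two days.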



Organizations can detect and nullify spear phishing attacks before they become an issue with the right solution. The SafeGuard Cyber platform can keep pace with the scale and velocity of modern business communications with our patented Natural Language Understanding engine that analyzes context and intent across 30+ communication and collaboration platforms. Detect and correlate risk events across channels, disrupt attacks earlier, and quicken MTTD and investigation time. Ensure spear phishing protection across your full suite of communication channels.
