
Spear Phishing

Just a few years ago, most phishing scams worked on the same principle as large trawling ships: cast a very wide net, and see what you pull in. Emails purporting to be from the nation’s biggest financial institutions were sent to millions of random email addresses on the assumption that some percentage of the recipients would be customers of that bank and would be tricked into providing the financial information the hackers were after.

Soon, however, both consumers and spam filters got wiser. Most of us know that our banks and credit card issuers will never send us an email requesting personal or account information. And our spam filters know it too: most email filtering software can identify and remove simple phishing attacks like these.

But the hackers’ tactics are evolving, and trawling with wide nets is being replaced by trolling with carefully baited lines, sometimes with lures like a fly-fisherman’s, designed to attract one very specific type of fish.

These “spear phishing” attacks exploit known relationships to target a specific group of people with a more devious and convincing request for information or access.

Spear Phishing Attacks Specific Targets

A spear phishing attack might go after employees of a company with an email that looks like an internal communication or something from a vendor with an established relationship to the company. Or, an attack may focus on the members of a club, parents of children attending a particular school, or even just people with something notable in common, like senior executives at large corporations.

Whatever the group, the spear phishing attack leverages information the criminals have already obtained to create a message precisely designed to get around spam filters and fool the people receiving them. These sophisticated emails appear nothing like those generic phishing emails we’ve all learned to recognize and discard.

They may even personalize the emails with the intended victim’s name, title, and other details—often readily available from public sources like company websites, professional associations, or social/professional networking profiles. This personalization, like the pretense of a trusted relationship, is designed to trick the recipient into opening the email.

“Drive By Downloads” Make the Scams More Dangerous

Simpler phishing scams often depended on their victims to supply the information the fraudsters were after, asking them to click a link in the email that would take them to a Web page where they could enter the “required” information.

In a spear phishing attack, the objective is often not to collect information directly but to get you to take some action (opening an attachment, installing a “plug-in,” or visiting a page that attacks your browser) that installs “malware” onto your PC without your knowledge. The malware will then deliver sensitive information like IDs and passwords back to the hacker over time.

In one 2008 spear phishing attack, about 20,000 senior executives at major corporations were targeted with personalized emails purporting to be a federal grand jury subpoena. If they followed the official-looking email’s instructions to install a browser add-on to read the details of the subpoena, identity-stealing code was downloaded onto their PCs. They were never asked to provide any sensitive information.

Spam Filters Aren’t Effective Against Spear Phishing

Unfortunately, you’re likely to be on your own in identifying a spear phishing attack. The security consulting firm PacketFocus recently released the results of a spear phishing experiment. Researchers sent phony emails to participants in the experiment, with an invitation from “Bill Gates” to join his network on the professional networking site LinkedIn. To the researchers’ surprise, the fake requests made it through the recipients’ spam filters every single time.

How Can You Protect Yourself?

Luckily, the same tactics you use to protect yourself from regular phishing attacks apply to spear phishing too. Don’t trust emails claiming to be from any organization you have a relationship with that ask you to provide sensitive information.

If you think the request might be legitimate, type the URL you know into your web browser or call the organization at a number you already have rather than clicking a link or calling a number in the email. And, don’t open attachments or download files unless you’re confident of the source.
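The advice above (type the address you know rather than clicking the link) is easier to follow when you can see what a link in an email actually points to. The script below is an added example and is not part of the original article: it parses a constructed message whose sender, recipient, domains and URLs are all made up, checks whether the From: address really belongs to the organization the recipient expects, and flags every link whose visible text shows one web address while the real destination is another. The lookalike domain “examp1e-corp.com” (digit 1 in place of the letter l) and the two-label “registered domain” heuristic are assumptions made for the illustration.

```python
import email.utils
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the article): the sender, recipient,
# domains and URLs are made up. "examp1e-corp.com" is a lookalike of the
# fictional "example-corp.com" with the letter l replaced by the digit 1.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
To: jane.doe@example-corp.com
Subject: Action required: password expiry
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Jane, your Example Corp password expires today.</p>
<p>Sign in at <a href="http://login.examp1e-corp.com/reset">https://sso.example-corp.com</a>
to keep your access.</p>
<p>Policy: <a href="https://example-corp.com/policy">https://example-corp.com/policy</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Reduce a hostname to its last two labels. This is a heuristic; real code
    should use the public suffix list so that names like example.co.uk work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_mismatches(html_body):
    """Return (visible_text, href) pairs where the anchor text looks like a URL
    but points at a different registered domain than the real href."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        actual_host = urlparse(href).hostname
        if "://" in text:
            shown_host = urlparse(text).hostname
        elif text.lower().startswith("www."):
            shown_host = urlparse("http://" + text).hostname
        else:
            shown_host = None  # plain words as link text: nothing to compare
        if actual_host and shown_host and registered_domain(actual_host) != registered_domain(shown_host):
            findings.append((text, href))
    return findings


def analyze(raw_eml, trusted_domain):
    """Check the From: domain against the domain the recipient expects, and
    flag links whose displayed destination differs from the real one."""
    msg = message_from_string(raw_eml, policy=policy.default)
    _, sender_addr = email.utils.parseaddr(str(msg["From"] or ""))
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "sender_domain": sender_domain,
        "sender_ok": sender_domain == trusted_domain.lower(),
        "mismatched_links": link_mismatches(html),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_EML, "example-corp.com")
    status = "(trusted)" if report["sender_ok"] else "(NOT the trusted domain)"
    print("sender domain:", report["sender_domain"], status)
    for shown, real in report["mismatched_links"]:
        print(f"link shows {shown} but goes to {real}")
```

Run against the sample, the report shows the sender domain is the lookalike rather than the expected one, and that the “sign in” link displays the company’s real single sign-on address while actually leading to the lookalike host. A link whose text is ordinary words (“click here”) cannot be judged this way, which is exactly why the article tells you to type the address you already know instead of clicking.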

via Spear Phishing
