Spear Phishing: What you need to know

Andy Cormack this week looks at a disturbing trend in the hacking world: Spear Phishing. 

Following on from his recent Bulletin Guide to Phishing, he explores in more detail about this particularly nasty form of cyber attack, how it is carried out and what you can do to protect yourself and your assets.


Spear phishing is the latest twist on Phishing. The basics: it’s an attempt to gain personal information from a target for malicious purposes, typically sent by email, by pretending to be a legitimate individual or business that you know and would usually trust. These kinds of attacks focus largely on financial assets and information – credit cards, bank account numbers, login passwords, etc…and you should definitely know how to protect yourself from it.

Generally speaking, a successful Spear Phishing attack is achieved most commonly by acquiring personal details about the victim, friends, place of birth, current employer, regular places they may visit, and recent online purchases. Once this kind of information is obtained, the attackers then disguise themselves as someone that can be perceived as legitimate, such as  a company representative related to the recent purchases mentioned.  They then make contact with the victim, mostly via email or another digital messaging service. This is far and away the most successful attack vector for acquiring sensitive personal information from a target, due to its reliance on familiarity to breed carelessness, thereby bypassing initial distrust barriers that make cold emailing more difficult to garner success in comparison.  This type of attack is so successful in fact that it currently accounts for a incredible 91% of attacks.

The difference between plain Phishing and Spear Phishing

Spear phishing can be easily confused with the broader term of phishing, since they both have the same basic premise and end goals.  Phishing is a much broader term, however, that covers any form of attack to trick victims into divulging sensitive information. Attackers often disguise themselves as someone the victim can trust and get in contact across a broad range of contact options, from email and social media, to phones (termed “Vishing” or “Voice Phishing”), and text messages (termed “Smishing” or “SMS Phishing”).

The key differentiator between Phishing and Spear Phishing is that regular Phishing attacks are not targeted at specific victims, but instead usually cast a wide net on anyone they can trick into giving up information.  Think of it as casting a wide net and trawling for data, as opposed to the more specific targeting that Spear Phishing is named after, from hunting fish with a spear or harpoon and you’ll understand the metaphor. Phishing attacks typically send fake emails from heavily used, large companies or banks, casting a wide net all over the internet, relying on some percentage of those recipients clicking the link that tricks people into entering their details on a fake site that looks identical to the real one, or by downloading malware onto their computers.

Spear Phishing, on the other hand, is all about targeting specific individuals, altering the messaging to personalise the attack with their details, and for it to come from someone or some company they know, to make it seem more believable.

While spear phishing usually requires more time to create the right kind of attack due to the data collection on the victim leading up to the attack to make it personalised, that extra time spent on such a task results in a much more seemingly legitimate communication with the target, lowering chances that they will recognise that it isn’t what it appears to be and it’s this very fact that makes spear phishing so prevalent today.

Email from a “friend”

Spear phishing may sound deceptively simple and therefore still easy to detect, however these attacks have become so well crafted and increasingly clever in recent years that it has become extremely difficult to tell the difference without prior knowledge of how to protect yourself.

Attackers target people that have personal information out in the open on the internet, often trawling social media sites and viewing potential target’s (or ‘marks’ as they are known in the trade) profiles. They are looking for things such as the mark’s email address, location, friends list, and any posts they can find about recent purchases the target has made. Once this kind of information has been obtained, the attacker would then proceed to contact the victim as either someone on their friends list, potentially even a family member, or the company they ordered an expensive item from recently if they can identify where they bought it from.

To maximise the success rate of these attacks, the emails generally include wording to convey urgency in order to keep the victim off-balance while attempting to obtain the information they want. If it works, the victim will open an attachment or visit a fake website that matches an official counterpart’s as closely as possible to convincingly fool the target, which then leads them to input very personal data such as passwords, PINs, account numbers, and so on. For attacks that attempt to come from family or friends instead of a company, these emails typically try and go for usernames and passwords for sites such as Facebook with the goal of accessing photos for example.

If successful, having gained some form of potentially useful data such as a password, the attack will then attempt to use that password, or variations of it, to then try and access other sites with more valuable personal data on them such as bank account numbers. Once this collected data amounts to enough to proceed, the attacker then moves on to either accessing said bank accounts or creating entirely new identities using the victim’s information.

In the case of attachments that the victim opens, usually this results in software running locally on their machine that the attacker can then use to gain remote access to the mark’s computer, either passively or actively, so they can either observe a victim’s behaviour and potentially even see them viewing personal data that way.

The key to a Spear Phisher’s success is by preying on familiarity with the victim  After the initial data collection pass, they already have enough to make it seem convincing: name, email address, and probably some other small pieces of information about you that help them seem more credible. Greeting the target with their first name as opposed to a more formal Sir/Madam, for example, helps gain trust quicker and lower the victim’s guard to further manipulation.  Messages tend to reference a ‘mutual friend’ or a recent purchase that you’ve made to help further this. The urgency in the messaging is usually a key factor in throwing the victim off target, with them potentially acting without thinking, and by then it’s too late.

Using your web presence against you

The ways you become a target for a spear phisher vary wildly, typically from oversharing information you display in public on the internet, perhaps in the form similar to the example above about social media whereby the attacker finds your profile, picks out a contact email address, friends list, and a recent purchase you’ve been sharing with your friends from a popular online retailer. The attacker would then contact you, potentially posing as a friend on your social media’s friends list, asking for a password to access more of your photos and maybe add their own. If you then responded with the password, the attacker would then use that password, or variations of it, to attempt to gain access to the aforementioned online retailer and run up a bill buying things on there. The attacker might also pose as a customer service rep from that online retailer, asking you to reset your password or to verify your purchase by re-entering your payment information.

How to protect yourself and your business

For a business, it’s in their best interest to implement a data protection program, which would combine the education of staff about data security and Phishing scams, along with the addition of a data protection solution company-wide, to aid in the prevention of leaking sensitive data to the wrong individuals. The larger the company is, the more important this becomes, as there are more attack vectors and a bigger pot at stake.  Data loss prevention software should be installed in order to prevent sensitive information from getting into the hands of potential attackers, even if the attack succeeds at an employee level.

Keep your secrets, secret

To determine how insulated you are from attacks of this kind yourself, go check your data presence online. You might be surprised at what you can find. Name? Email? Friend’s names? Their email? Social media sites and their information privacy settings? Post privacy settings? Anything in your posts that you probably don’t want potential attackers to know? Posted something relatively personal publicly to another friend’s page? The key is to keep on top of complacency by never revealing information publicly that could potentially be used against you later. If you must post details that may be revealing, at least attempt to minimise the vectors for potential attack, by restricting the privacy settings for the post to the smallest pool of people possible.

Passwords that work

Next up let’s think about your passwords. If you have one easy password, or at least variations on that same password, in use across multiple sites then you probably need to make a change already.  An attacker’s first approach is typically to reuse or vary a password they’ve already managed to obtain, in order to access other sites. Each and every password for websites you have a login for should be different, not slightly different either, but significantly so, in order to prevent this kind of easy sidestepping from one account to another. The more variety and length you can introduce to your password the better, it doesn’t need to be incredibly obtuse or easily forgettable either, as illustrated by this popular web comic on the subject:

Also the pitfalls of password and variation reuse has been similarly illustrated below:

(Courtesy and copyright xkcd.com)

We’re not saying that this exact method is a perfect solution, but it does get you thinking about what can work better without being impossible to remember. As the quote on the comic says, “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”

Patches, updates, and security software

Modern software usually notifies users of updates, and whenever you get these you should definitely run these as soon as possible, especially integral parts of your day to day computer use, such as operating systems, web browsers, and the like.  These generally have security updates in them to patch flaws or exploits in their systems as they find them.

Something as seemingly minor as your name and email address could be all it takes for an attacker to get through a vulnerability in your system. Of course, it should go without saying at this point, that you should have internet security software running and for it to be kept up to date at all times. If your software provider notifies you of a pending update, get it sorted as soon as possible and wherever possible.  Enable automatic updates, so you stay up to date without having to check manually.

Be smart

If you get an email from a ‘friend’ asking for a password or some other personal information, check with that friend separately via another communication method in order to verify that it was really them contacting you. The same can apply for banks and other companies too.  They won’t ever ask you for login details, as they never require them from their end.

If you’re still having doubts and think the email could be real, call them up using a phone number that you know is real, gained directly from their site that you’ve typed in yourself (NOT a link from an email), or from a number you might already have stored in your phone from previous contact, enquiring about an email you received.  If nothing flags up at their end to say they’ve sent it to you, then you can probably assume that it’s a fake or erroneous email and should delete it straight away.  In the case of most banks or some other major companies, they provide an email address for their customers and associates to send suspicious mails to for both verification and logging in their system to help warn others.

In short

To reiterate: DO NOT click links in emails without heavily vetting its authenticity first. If, for example, the link comes from a bank’s email, open your web browser and visit the website by typing the address in yourself instead. Alternatively, if you use a web client for your emails, hovering your mouse over a link will show you the destination in the browser’s status bar at the bottom. If the URL doesn’t match the text displayed, or if the domain of the website is even slightly off, then there’s a high chance that it could be malicious in nature. Obfuscation of link destinations by having different text to the link’s actual destination is a common trick employed by attackers.

Make sure to always try to use common sense and logic when opening emails, and always be distrustful until proven otherwise; never give out personal data freely, no matter how legitimate it may seem on the surface. Real businesses do not ask for personal information, unless directly needing to do so based on interactions you’ve had with them, and even then they will not ask for things like passwords since they will never require that information from you.

Remember, never give up personal information online if you can avoid it, because you never know who’s watching and how they might potentially use it against you.

The Bulletin’s Guide to Phishing

Subscribe to the Starjammer Bulletin