Spear phishing is more dangerous than regular phishing. It is where cybercriminals target and impersonate specific people in your organisation. People are often unaware of how convincing spear phishing can be and are often fooled by it. In this blog post, we will talk more about what spear phishing is and what you can do in your organisation to increase your resilience against it.
By now, most of us know what phishing is. Even among less tech-savvy people, there is more awareness about the typical phishing email scams where cybercriminals, for example, pretend to be a bank or a Nigerian prince in need of your help. As a result, cybercriminals are employing even more nefarious methods and successfully fool many people.
One such technique is called spear phishing. Concretely, this means that instead of sending out one general phishing message to random people, cybercriminals target and customise their phishing messages for specific organisations. This can range from relatively low effort to very well researched and targeted phishing emails.
In some cases, cybercriminals research your organisation, its people, and the key relationships between them. Then, using all the information they have learnt, they design their phishing emails to mimic your organisation; they impersonate one of your colleagues; and they deliberately send this scam email to some selected people in the organisation.
The other, more common cases of spear phishingresemble ordinary phishing more closely. Still, they employ some tricks to increase their chances of tricking us.
For example, instead of impersonating a bank and sending out fake emails to everyone without knowing if they’re customers, a low-effort spear phishing attempt could find out which banks and suppliers your company has relations with. Then they could send out an email impersonating one of those banks stating that a recent payment to one of your company’s suppliers didn’t come through. Essentially, just mentioning those two familiar aspects would be enough for a lot of people to not suspect phishing anymore. By sending such an email to, for example, the whole finance department, the cybercriminals have a good chance of success.
While, by now, many will have heard of at least the very basic phishing examples, large amounts of people still fall for phishing. Unfortunately, it is even worse for spear phishing. Even people generally aware of phishing tend to let their guard down upon seeing an email with familiar corporate branding, or one sent by one of their co-workers.
Being aware of the classic phishing warning signs, such as language errors, an odd email address, or a wildly unusual request, is not as effective for detecting highly targeted spear phishing.
We know from our own experience that spear phishing can be very dangerous. From phishing simulations that we organise for our clients, where we send spear phishing emails to staff members as part of a phishing training program, we can see that around 44% of people click on links in emails that impersonate one of their co-workers. This click-rate drops to 21% for emails just impersonating the organisation, not a specific co-worker.
A recent report from the Danish Centre for Cyber security even found that 70% of untrained users tend to fall for spear phishing attacks. This is of course significantly higher than the results from our own simulations. That could however be explained due to the users knowing that they’re in a phishing training or because they’ve previously participated in awareness training, resulting in fewer users clicking on suspicious links. Nevertheless, even 21% is still a significant threat.
CyberPilot phishing simulation: Impersonating the organisation
CyberPilot phishing simulation: Impersonating a co-worker
Danish Centre for Cybersecurity
In practice, many of these scam emails might be caught by the spam filter. However, as with regular phishing, even just one person in the organisation clicking through can have disastrous consequences, ranging from monetary losses to severe data breaches. Considering this, even just 21%, or 1 in 5, is a dangerously high number.
Despite the high click-through numbers, many people still think they can undoubtedly distinguish fake from real emails when it comes to their own company. Even better, many people think cybercriminals simply cannot perfectly impersonate their company by email. However, cybercriminals can surprisingly easy get access to many things. Let’s say that for a highly targeted spear phishing scam, you would need:
All of these are easily found out. Names and job titles are often found on the company website or through social media (especially LinkedIn). For the other two points, simply emailing the organisation’s customer support does the trick. From the response, a cybercriminal can examine the email layout and design, and deduct how staff email addresses are structured (e.g., email@example.com). And yes, in extremely targeted cases, even these company email addresses can be spoofed, meaning that the criminal’s email address appears as an actual company email address, without any clever typos, even though they used another email address to send the scam message.
Cybercriminals might even go further and learn about specific events happening in the organisation.
One example: cybercriminals learn that one team member has their 25th anniversary at the company coming up. The criminals could then use the tricks we described above to send an email to that person, impersonating the company CEO, offering a gift card that can be found through a link in the email. The team member might not think twice about logging in with their company credentials, personally knowing and trusting the CEO for many years. The cybercriminals now have access to internal company systems.
Now keep in mind this is an extremely targeted example. Realistically, often a wider range of people, or simply the whole organisation is targeted. Still, this example illustrates the very real dangers of spear phishing.
Conclusively, a lot of responsibility lies with every single person in the organisation. And in the end, your organisation’s cyber security is only as strong as the weakest link, which in this case would be an unaware who accidentally, through no fault of their own (spear phishing can be very convincing after all), is tricked by cybercriminals.
Therefore, it should be a number one priority in any cyber security initiative to spread this knowledge to all people in the organisation. Staff should not only be aware of the usual tell-tale signs of phishing; ideally, they should examine every single email containing a request as if it were a phishing email. Checking the email address and the nature of the request should become routine for every person on the team.
In case of even the slightest suspicion, every single person in the organisation should know to immediately notify the IT manager or person responsible for IT security. When suspecting impersonation, it’s also best to personally contact the supposed sender of the email (in person or by phone) to check if it’s really them.
Achieving such behaviour in the team can be done in a variety of ways. Two comprehensive techniques, especially when combined, are awareness training and phishing training.
An awareness training programme could prove very useful in making people aware of all the different dangers associated with spear phishing and the techniques to recognise and avoid them.
Like with many things, however, practice makes perfect. This means organising some form of phishing training, where your team can apply the different techniques to figure it out themselves whether an email is legitimate or not, is the best way for them to learn how to deal with spear phishing.
Join our 2000+ subscribers and sign up for our newsletter. You will receive inspiration, tools and stories about good cyber security practice directly in your inbox. Our newsletter is sent out approximately once a month.