During tax season two years ago, hackers duped payroll and human resources employees at more than 55 companies with emails that appeared to be from their CEOs or CFOs, requesting a copy of every employee’s W-2 form. The HR professionals, in response, sent the documents—which contained Social Security numbers, birthdates, and home mailing addresses—to cybercriminals.
This business email compromise was a spear-phishing attack, which differs from its more prevalent counterpart, phishing, in that it casts a smaller, more targeted net, says Troy Gill, manager of security research at antivirus specialist AppRiver.
“With phishing, an attacker would blast out millions of emails to a huge list of recipients and hope to get a 1 percent click-through rate,” he says. “Spear phishing is a much more customized attack that appears to be from someone you’re familiar with.” And it’s gaining momentum: Spear-phishing attacks increased 620 percent between February 2016 and February 2018, according to AppRiver research.
READ MORE ON PHISHING ATTACKS
How to avoid phishing scams
Parallax Primer: What’s in an APT
Your old router could be a hacking group’s APT pawn
How YubiKey could double-lock your online accounts
Why hackers love your Wi-Fi (and how to protect it)
In the W-2 example, hackers likely used open-source intelligence, such as Google or LinkedIn searches, to identify roles and relationships within target companies, says John Shier, senior security expert at Sophos, and then to spoof email addresses so they appear to be from a known sender. (Spoofed email addresses often include subtle differences from real ones, such as an L where an I normally is, Gill says.)
“These cybercriminals will look at the company’s website for information to find out who’s the director of human resources or accounts payable,” he says. “Then, armed with that information, they’ll plan their attack.”
Spear-phishing tactics tend to also be much more sophisticated than phishing attacks.
“If I’m impersonating the CFO, I might try to figure out when this person is on vacation, then send emails during this time period and hope that people in accounts payable think, ‘Oh, he’s on vacation; let’s take care of this request quickly,’” Shier says. “The next thing you know, I’m emailing you to say that we’ve switched providers, and we need to pay this new account. They take care of it, and suddenly I’m wired tens of thousands of dollars.”
Spear-phishing campaigns target individuals too. Cybercriminals might buy a database on the Dark Web that includes consumers’ names, email addresses, and subscription information, for example, and then email targets, using their first and last names, and pretending to represent the services they use.
“Spear phishing is very complicated to defend against because you let your guard down when you see that additional personal information,” Gill says. “You think, ‘If they know this much about me, then it must be legit.’”
So you open an attachment within the email, which prompts the downloading of malware. Or you click on a link within the email, which takes you to a page prompting you to log in. And when you enter your log-in credentials (or other sensitive information), you unwittingly give the spear phishers access to your actual account—and potentially much more.
In all iterations of spear phishing, the goal is to steal data. This data can range from an individual’s banking or credit card details to, in the case of an advanced persistent threat, a nation’s top-secret military operations.
Protecting against spear phishing
Because spear phishing uses social-engineering tactics to lure its victims, identifying these attacks and protecting against them can be quite challenging—but not impossible, Shier and Gill say. When wading through your inbox, each expert recommends doing the following:
Verify: If you receive an email from a mobile carrier alerting you of an unpaid bill, don’t click on an embedded link, Shier advises: “It could be a legit email, but it could also be from a cybercriminal who stole a database and knows you’re a customer.”
Separately log in to your account via a browser window or app instead, he suggests. Or call the company to verify the standing of your account. If it’s a fraudulent email, Shier says, your call will have the added benefit of alerting the company to an active spear-phishing campaign against it.
Consider context: Through sophisticated spear-phishing attacks, hackers can gain access to their targets’ email accounts. If you receive an email from the legitimate address of an existing contact, prompting you to open an attachment (or log into a service) to view a photo or slideshow, consider the context of your correspondence with the contact, Gill advises. And think twice.
Look for inconsistencies: Some spear-phishing emails may still contain the same hallmarks of typical phishing attacks, Shier and Gill say. Look for misspellings, as well as inconsistencies in corporate graphics and logos. And always hover over a link before you click it to ascertain its actual destination.
“Don’t feel bad, if you get duped,” Shier says. “I’ve seen some incredible examples of high-quality spear phishing out there. The good ones are almost indistinguishable from the real thing.”
If snared by a spear phisher, your response depends on the severity of the wound, Shier says. If you simply submitted your email address, for example, you probably just need to prepare to handle more spam, he says. If you entered a username and password, immediately change your password for that service—and any others for which you use it.
And, in the worst-case scenario, if you entered your credit card number or Social Security number, immediately contact your banks and credit card companies, he says, and consider a credit freeze.