Attackers are constantly coming up with new ways to get people to fall for their scams. As our detection efforts increase, they pivot and try new attacks. These scams are no longer run by individuals; they are big businesses and are treated as such. Attackers will have business meetings about how to best scam people out of their money.
Just like when you are fishing, you cast your line into the water and hope that the fish bite. The attackers who are phishing are also just casting a line (i.e. sending out a mass email) and hoping that some of the people will bite.
The phishing emails you get have generic information saying your account has been compromised or thanking you for your subscription renewal, or any other number of ways they try to get you to respond. These emails are sent to hundreds of thousands of people at the same time and have no identifiable information in them.
The phishing emails don't call you by your name or give you any specific details about your particular account. Their hope is that you will call the number in the email, or click the link, and just hand over your personal information, whether that is a username and password, your credit card information, your banking info, or just about anything else they are looking to gather from you.
Phishing attacks can take many forms and have an OK success rate. The more convincing emails have few or no grammatical errors and cause your heart to race, making you think that you need to act right away. My general rule of thumb is that if you think you need to act immediately on an email, you should wait at least 10 minutes so you can think about it first.
Just as a phishing attack resembles actual fishing, a spear-phishing attack resembles actual spearfishing. When you are spearfishing you target a specific fish, instead of dropping a line and waiting for the fish to come to you. A spear-phishing attack is a highly targeted attack against an individual person. Typically, the attacker will use social engineering to carry out the attack.
Social engineering is the attacker's use of publicly available information to lend credibility to the attack. This information can come from social media profiles or even from material left in public areas such as office buildings.
Here is an example of how social engineering can give credibility to a spear-phishing attack. First, the attacker will look at a company's LinkedIn page to view all of the employees. They use that information to find out who you, your boss, and your co-workers are. Next, they will create a Gmail account with your boss's name. They send you an email from "your boss" to your work email. This email will explain why you are getting it from their "personal" account and ask you to do something extremely urgent. Typically this will be something like purchasing gift cards or changing financial information if you have access to that kind of data. The email will likely also reference a co-worker's name to give even more credibility to the attack.
As you can see, this attack can only be sent to a single individual. These names would not work to attack someone else, so it is highly targeted and directed at one person. The thought is, "Who would take the time to learn all of this information just to send a scam email?" Unfortunately, the additional time it takes to target an individual gives the attacker a much higher return on their time investment. These types of attacks are extremely successful because they catch you off guard.
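The "boss's personal Gmail account" pattern described above leaves traces a mail filter can check for: a display name that matches a known colleague, an address that is not that colleague's real mailbox, and urgency or gift-card language in the body. The script below is an added example written for this post, not code from the original; the organisation domain, staff list, webmail providers and sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organisation's domain, its staff list and
# a short list of public webmail providers an impersonator might register with.
ORG_DOMAIN = "example.com"
EMPLOYEES = {"Dana Ruiz": "dana.ruiz@example.com", "Sam Patel": "sam.patel@example.com"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
URGENCY_PHRASES = ("urgent", "right away", "immediately", "gift card", "wire transfer")


def _norm(name: str) -> str:
    """Collapse case and whitespace so 'dana  RUIZ' matches 'Dana Ruiz'."""
    return " ".join(name.lower().split())


def analyze(raw_message: str) -> dict:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_content().lower() if not msg.is_multipart() else ""

    # Display name matches a colleague, but the address is not that colleague's
    # real mailbox: the "boss's personal account" pattern from the post.
    known = {_norm(n): a for n, a in EMPLOYEES.items()}
    impersonated = _norm(display) in known and known[_norm(display)] != addr.lower()
    freemail = domain in FREEMAIL_DOMAINS
    urgency = [p for p in URGENCY_PHRASES if p in body]
    return {
        "impersonated_employee": display if impersonated else None,
        "freemail_sender": freemail,
        "urgency_hits": urgency,
        # A colleague's name from outside the org is enough on its own; urgency adds weight.
        "suspicious": impersonated and (domain != ORG_DOMAIN or bool(urgency)),
    }


# Constructed sample messages: one lookalike, one legitimate.
LOOKALIKE = """From: Dana Ruiz <dana.ruiz.ceo@gmail.com>
To: sam.patel@example.com
Subject: Quick favor
Content-Type: text/plain

Sam, I'm on my personal account and stuck in meetings. I need you to buy
gift cards right away and send me the codes. Lee said you could help.
"""
LEGIT = "From: Dana Ruiz <dana.ruiz@example.com>\nContent-Type: text/plain\n\nLunch Thursday?\n"
```

Running `analyze(LOOKALIKE)` flags the message on all three indicators, while `analyze(LEGIT)` comes back clean because the address is the colleague's real mailbox.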
Another type of spear-phishing attack can happen on the phone. Once my grandma received a phone call from my "brother" saying he was in jail and needed money. I have also heard of this attack as a car accident. My grandma was just about on her way out the door to send the money when she called my sister-in-law just to see how everything was going. My sweet grandma didn't want to rat out my brother for being in jail, so she was just acting very strangely. My sister-in-law called my brother and told him to call his grandma because something was weird.
Once my brother called my grandma they got it squared away, but wow! They knew my brother’s name, who his grandma was, and more. That is a highly targeted and almost successful attack.
Just like in a regular phishing attack, if something is asking you to react right away, give yourself a bit of time to calm down and think clearly. Verify the request through other means. If they email you, text your boss to confirm the request. If they call you, send them an email to an account you know. No one will be mad about you confirming a request.
You can also protect yourself from a spear-phishing attack by limiting the data you put out publicly. Don't fill out questionnaires on social media about your senior year in high school, full of password reset answers. Make information like where you work private on your social media profiles. Never use information that is easily researched as password reset answers either. I typically make up password reset answers. I have a name that I use as my Dad's middle name that isn't his actual middle name, and things like that help to keep my passwords safe.
Lastly, ALWAYS enable two-factor authentication (2FA) on any accounts that allow it. This can save you from yourself if you happen to fall for a very convincing phishing or spear-phishing attack.