Spear phishing: targeted attacks on your data

Criminals send thousands and thousands of phishing emails to obtain login credentials and passwords. But nowadays, the chances of a user falling for these phony messages are relatively slim. A newer form of this scam called spear phishing is much more targeted and therefore much more successful.

The basic idea of phishing is relatively simple: Fraudsters create fake emails, websites or even short messages that look authentic and trick users into sharing sensitive information. Criminals use the method to acquire login credentials for online shopping, social media or cloud storage services. In the worst case, they can even steal banking and credit card information. But the deceit goes even further: Fraudsters know that many users don’t take password security very seriously and use the same password for many different services. For example, a simple phishing website can be used to steal a range of sensitive information. This information is worth a lot of money on the digital black market.

Scammers also use this method to plant viruses and other malware on a victim’s computer and gain control of their devices. Victims often don’t notice this and believe they’ve opened a harmless email or visited a secure website.

If you’re paying attention and check URLs and sender addresses closely, you won’t fall for this trick: The malicious website isn’t actually on the server you think it’s on. You can learn to spot this with a little practice. But many people aren’t paying attention. Criminals boost their chances of success by working in bulk: spam emails cost virtually nothing to send.

Spear phishing is a much more targeted method where victims are selected very carefully and fraudulent messages are tailored specifically to the targeted individuals. These attacks are therefore mainly directed at companies and organizations. The criminals who use this phishing method are often different from conventional scammers. Instead of simply collecting any information and selling it to the highest bidder on the Dark Net, they target a specific victim in order to harm the individual’s company or organization. These hackers don’t simply steal bank account information, they engage in industrial espionage and cyberattacks on military targets or local infrastructure.

The scammers spy on their victims in advance and collect information that will make the fraudsters seem more trustworthy later. They then send an email tailored specifically to the organization. The email looks like it comes from someone in a position of authority or a fictional business partner. As a result, spear phishing is more likely to be successful in large, international corporations where not every employee knows the overall structure of the company. This leads victims to reveal sensitive information or download malware.

Let’s say a fraudster chooses to target an international corporation. First, the hacker will try to find out as much information as possible: How is the company structured? How do employees communicate? In which areas does the company operate? The hacker also needs email distribution lists to obtain email addresses. However, the attacker won’t send an email to the entire company. The risk would be too great that the attempted fraud would be detected quickly and the whole company would be warned about the attack.

Instead, the scammer sends the email only to selected people and addresses these individuals personally. The attacker has already collected detailed information about these employees via social media. That way the message will seem more trustworthy to victims. The attacker makes the email look like it was written by a high-up employee from another branch. The sender name and address are very easy to fake, so at first glance the recipient won’t know that someone else is actually sending the message.

The attacker embeds a button with a link in the email that directs the victim to a website that is also fake. The actual destination is disguised. Once the user has opened the website, malware can be loaded in the background. If the malware spreads to the victim’s PC, the hacker may be able to spy on the entire corporate network.

At this point, the victim still thinks they’ve opened a normal website to take part in a survey, for example. This allows the virus to spread unnoticed throughout the corporation’s network and gives the attacker full access or the ability to disrupt mission-critical processes.

The best way for you to protect yourself from spear phishing is through a healthy dose of skepticism. You can’t actually become a victim if you don’t click on unknown links or open unexpected file attachments. But the problem is that such attacks (unlike common phishing emails) are extremely well crafted. Normal spam emails are easy to catch because they’re full of misspellings and absurd claims, whereas spear phishing messages are much more sophisticated. They look trustworthy and genuine.

Spear phishing attacks prey on human weaknesses, primarily curiosity and fear. If you think you’re missing out on something or forgetting something important, you’re more likely to let down your guard and fall for the trick. Spear phishing messages often promise information that you could use to advance your career. Or they might contain instructions that seem so authoritative that you think you’ll face severe consequences by ignoring them.

Spear phishing won’t work unless the attacker finds enough information about the victim. Social media accounts are the first place hackers go to collect information. So it’s best not share too many details about yourself on these sites, let alone any information related to work. Scammers use social engineering to acquire more information about victims. Once again, it’s best to exercise caution. Never share sensitive information with people you don’t know, no matter how trustworthy they may seem.

You can also inspect the message to find out whether it’s legitimate. Take a closer look at the sender of the email. Although the name and the alleged sender address are spoofed, you can view the actual address in the email header. Many modern email clients such as Outlook hide the source in favor of a display name, but you can often easily display the header of an email. If you see that the source doesn’t match the information provided by the alleged sender, the email is most likely fraudulent.

Another security precaution is to block HTML and disallow the automatic loading of images in emails. This prevents malicious programs from reaching your computer as soon as you open the message.

Never open attachments from unknown senders. You first have to verify the identity of the sender. Even if the sender looks trustworthy, never open attachments from people with whom you’ve never communicated before. Even if you think you know the sender, don’t open attachments that you’re not expecting from that person. A known sender’s computer could already be infected with malware. When in doubt, contact the person who sent you the email.

Also pay attention to the Internet addresses behind links. You can see them before you click on the hyperlink. Attackers use URL spoofing in an attempt to make their domain look like a legitimate address. With a little care, you can easily spot this trick. If you see that an address has been shortened and thus disguised, restore it to its original form first or ignore it completely.