Hackers are becoming increasingly adept at creating links and landing pages that trick users into giving up their sensitive personal or organizational data. While many of these attacks are targeted at the masses, a growing number of them are crafted to deceive specific users through personalized techniques.
You’ve likely heard the term ‘phishing,’ and if you keep up with tech trends, you know it’s a growing problem. According to Wandera’s Mobile Threat Landscape: 2019, 57% of organizations have experienced a mobile phishing incident.
Spear phishing takes digital deception a step further. Hackers looking to extract information from specific individuals or organizations will create personalized, duplicitous links that appear to be from trusted sources. Sometimes spear phishing tactics will resemble other forms of mass phishing, such as a text message claiming to be from PayPal requesting that you update your account details. Sometimes it’s in the form of an email that appears to be from a bank but is actually a ‘spoofed’ message from a hacker.
There’s a wide range of information hackers can gain through this approach, ranging from individual banking details to highly sensitive corporate data or even classified government secrets. Like other forms of phishing, the attack relies on a user voluntarily providing sensitive information, but spear phishing links tend to be even more advanced in terms of their design and messaging. While these types of attacks can take longer for hackers to develop, successful attacks can yield massive payouts.
Why are spear phishing attacks on the rise?
While there are other serious forms of cyber attacks, such as mobile malware, Apple and Google are taking several steps to enhance the security of their devices. As a result, hackers are turning to social engineering techniques and taking the time to research their targets’ behavior so they can exploit their weaknesses with convincing attacks.
As mobile devices now account for more total web traffic than desktops, hackers are increasingly using device-centric scams that leverage popular apps. While traditional phishing techniques tend to cast a wide net in the hope that some users will take the bait, spear phishing functions somewhat similarly to personalized marketing. Only instead of a legitimate business trying to sell you a product or service through a personally tailored approach, it’s a hacker trying to steal your information, or money, through a personally tailored approach.
Whaling is a form of spear phishing where an attacker makes a targeted attempt to steal sensitive corporate information, such as financial information or personal details about employees. The key differentiator for whaling attacks is that they are specifically targeted at C-suite executives and senior managers who hold power within their organizations and have high levels of authority and access.
Like other forms of spear phishing, whaling is a more complex process for attackers because it usually involves more time gathering details on their targets and crafting messages that appear to be legitimate. However, because the targets are so high-profile (hence the name ‘whaling’), attackers can extract highly valuable information and digital assets through successful whaling strikes.
BEC, or business email compromise, is similar to whaling in that it typically involves targeting senior enterprise leaders, but the intended outcome is a bit different. Rather than directly trying to hack an individual’s account through spear phishing, BEC involves sending emails that appear to be from a high-ranking corporate official, such as a CEO or CFO, to the inboxes of their subordinates. These scams are frequently referred to as ‘CEO fraud,’ and they rely on the psychological response of victims who feel the need to respond to their boss, or their boss’ boss (and so on), in a timely manner. When successful, BEC attacks can result in anything from massive data leaks to actual monetary transfers.
Some BEC scammers are familiar with the finance sector and know how to exploit typical workflows that could lead to large-scale corporate theft.
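The spoofed-sender and lookalike-domain tricks described above (and in the ‘spoofed’ bank message earlier) leave signals a mail gateway or SOC rule can check for. The following is an added example, not Wandera’s code or product logic: it scores a raw message for executive impersonation by comparing the display name against a small (assumed) directory of senior staff, measuring how close the sender domain is to the (assumed) corporate domain after folding common look-alike characters, and noting a mismatched Reply-To. Urgency and payment language is recorded as context but is not enough on its own to flag a message, since legitimate mail uses it too. The executive directory, the domain and both sample messages are constructed for the example.

```python
"""Score an email for executive-impersonation (BEC) signals from its headers and body."""
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Assumptions for the example: the organisation's own domain and a small
# directory of senior staff whose names an impersonator would borrow.
CORP_DOMAIN = "example-corp.com"
EXECUTIVES = {
    "alice chen": "alice.chen@example-corp.com",
    "bob okafor": "bob.okafor@example-corp.com",
}
URGENCY_PHRASES = ("urgent", "wire transfer", "asap", "confidential", "before end of day")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list


def _normalise_name(name: str) -> str:
    """Lower-case, strip accents and collapse whitespace so 'Alice  CHEN' matches the directory."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(folded.lower().split())


def _fold_homoglyphs(domain: str) -> str:
    """Map look-alike characters (0->o, 1->l, rn->m, accented letters) to their plain form."""
    ascii_form = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return ascii_form.lower().translate(str.maketrans("01", "ol")).replace("rn", "m")


def _levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values mean the two strings are easily confused."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> bool:
    """True when the domain is not ours but is within two folded edits of it."""
    if domain.lower() == CORP_DOMAIN:
        return False
    return _levenshtein(_fold_homoglyphs(domain), _fold_homoglyphs(CORP_DOMAIN)) <= 2


def assess(raw_message: str) -> Verdict:
    """Parse an RFC 822 message and collect impersonation indicators."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []

    # 1. Display name belongs to an executive but the address is not theirs.
    expected = EXECUTIVES.get(_normalise_name(display))
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{display}' is an executive but address is {addr}")

    # 2. Sender domain is a near-copy of the corporate domain.
    if domain and lookalike_domain(domain):
        reasons.append(f"sender domain {domain} resembles {CORP_DOMAIN}")

    # 3. Replies are silently redirected to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Pressure language, recorded as context only.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency/payment language: " + ", ".join(hits))

    # Only an identity signal (1-3) makes the message suspicious; urgency alone does not.
    identity_signal = any(not r.startswith("urgency") for r in reasons)
    return Verdict(suspicious=identity_signal, reasons=reasons)


# Constructed sample messages: one impersonation attempt, one legitimate internal note.
SAMPLE_BEC = """From: Alice Chen <alice.chen@example-c0rp.com>
Reply-To: ceo.office@gmail.example
To: junior.analyst@example-corp.com
Subject: Urgent wire transfer before end of day

I'm in a meeting, please process the attached invoice ASAP. Keep this confidential.
"""

SAMPLE_LEGIT = """From: Alice Chen <alice.chen@example-corp.com>
To: junior.analyst@example-corp.com
Subject: Q3 planning notes

Notes from today's planning session are attached.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        verdict = assess(sample)
        print(label, "suspicious" if verdict.suspicious else "clean", verdict.reasons)
```

Run as a script it prints one verdict per sample. In practice the executive directory would come from the HR system or the mail platform’s VIP list, and the edit-distance threshold should be tuned against your own domain length so that unrelated short domains are not flagged.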
Real-world examples of spear phishing
Spear phishing occurs every day, but some cases are more impactful than others. Here are a few noteworthy examples:
- In 2016, 100 million spear phishing emails were sent to Amazon customers who had recently placed orders. The emails looked like legitimate Amazon order confirmations, but instead of a message body they contained only an attachment. For some unfortunate users, opening the attachment ultimately led to the installation of Locky ransomware.
- Ubiquiti Networks Inc lost $46.7 million in June 2015 because of a spear phishing email. The fund transfers were performed directly by Ubiquiti employees who were tricked into thinking they were receiving legitimate requests from executives via spoofed email addresses and convincing domains.
- In 2018, a U.K./Nigerian cybergang with U.S. conspirators obtained a list of more than 50,000 corporate officials to target in future BEC campaigns using spear phishing tactics.
- According to Wandera’s Mobile Threat Landscape: 2019, mobile users are 18 times more likely to click on a phishing link than they are to encounter mobile malware.
- According to Verizon’s Data Breach Investigations Report, 30% of phishing messages are opened by targeted users and 12% of those users click on the malicious attachment or link.
- According to Deloitte, a third of consumers said they would stop dealing with a business following a cybersecurity breach, even if they do not suffer a material loss.
- The FBI estimated that BEC due to spear phishing cost businesses over $12 billion between December 2016 and May 2018.
How can I avoid spear phishing attacks?
As always, the best way to avoid attacks of this nature is to keep yourself and your employees educated on the latest scams and techniques. The more you stay in the know, the better equipped you’ll be to stay vigilant. Here’s a link for helpful tips to avoid phishing attacks.
And for spear phishing, here are a few additional things to keep in mind:
- Start with prevention: limit how frequently you give out your phone number online, as well as your personal and work email addresses, especially if you’re a high-ranking company official. It’s often useful to set up a ‘dummy’ email account for instances where you suspect you’ll get spammed when a website asks you to provide an email address to create an account or gain access to information.
- If you receive a message from someone you know or work with but you have doubts that it’s really from them, find another way of contacting that person and ask if it was really from them. If it turns out to be a legitimate message, no harm done. And if they question you, send them a link to this article – your sense of vigilance might help in that next quarterly review.
No matter how much time a business spends educating its employees about these types of threats, some attacks are bound to slip through the cracks. For enterprises, leaving employees as your only line of defense is almost a guaranteed way to leave your business vulnerable. Get in touch with one of our experts to learn how Wandera’s mobile security solutions can keep your people and information safe by stopping threats at the source.