Spear phishing is a targeted phishing attack, usually delivered by email with a spoofed or lookalike sender address, that is aimed at a specific organization or individual in order to gain unauthorized access to sensitive information or systems. Spear phishing attempts are rarely opportunistic; they are more often conducted by perpetrators pursuing financial gain, trade secrets or military information.
As with emails used in regular phishing attacks, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or website with a broad membership base, such as Google or PayPal. In the case of spear phishing, however, the apparent source of the email is likely to be an individual within the recipient's own company -- generally, someone in a position of authority -- or from someone the target knows personally.
Visiting United States Military Academy professor and National Security Agency official Aaron Ferguson called it the "colonel effect." To illustrate his point, Ferguson sent out a message to 500 cadets, asking them to click a link to verify grades. Ferguson's message appeared to come from a Col. Robert Melville of West Point. Over 80% of recipients clicked the link in the message. In response, they received a notification that they'd been spoofed and a warning that their behavior could have resulted in downloads of spyware, Trojan horses and/or other malware.
Many enterprise employees are taught to be suspicious of unexpected requests for confidential information and will not divulge personal data in response to emails or click on links in messages unless they are positive about the source. The success of spear phishing depends upon three things: The apparent source must appear to be a known and trusted individual; there is information within the message that supports its validity; and the request the individual makes seems to have a logical basis.
How does spear phishing work?
Familiarity is what makes spear phishing attacks successful. Attackers collect information from social media and other public sources about potential targets, including their personal and professional relationships and other personal details. The attacker uses this information to craft a personalized message that looks and sounds authentic, so that the target is convinced to act on the sender's request. The sender may ask the user to reply directly to the email, or the message may include a malicious link or attachment that installs malware on the target's device, or directs the target to a malicious website set up to trick them into giving up sensitive information such as passwords, account details or credit card numbers.
Spear phishing characteristics
Spear phishing can be more difficult to identify than generic phishing attacks, because the personal details give the messages an air of validity. However, some of the characteristics that are common to phishing emails are also common to spear phishing emails:
- The sender’s email address is spoofed or is a lookalike. The address appears to belong to a trusted individual and/or domain, but closer inspection reveals a typographical error or the substitution of one character for another that closely resembles it (such as the letter “l” or “I” replaced with the number one, or the pair “rn” standing in for “m”). The Reply-To header, which controls where a reply actually goes, may also point to an address other than the displayed sender.
- A sense of urgency, particularly as it relates to performing a task that goes against company policy. Attackers evoke a sense of urgency to exploit the recipient’s desire to do good or to simply be helpful. For example, posing as the target’s direct supervisor, an attacker may ask for the username and password for an internal application so that they can fulfill a critical request from upper management in a timely manner, rather than wait for IT to reset their password.
- Poor grammar, typographical errors or unlikely language within the body of the message. The body of the email does not sound like other messages from the supposed sender. Perhaps the tone is too informal or the jargon is incorrect for the recipient’s geographic location or industry.
Spear phishing vs. phishing vs. whaling
Spear phishing has the same goal as normal phishing, but spear phishing attacks are more targeted in nature. While phishing emails are sent to a large group of people, spear phishing emails are sent to a select group or an individual. By limiting the targets, it's easier to include personal information -- like the target's first name or job title -- and make the malicious emails seem more trustworthy.
The same personalized technique is used in whaling attacks. A whaling attack is a spear-phishing attack directed specifically at high-profile targets like C-level executives, politicians and celebrities. Whaling attacks are also customized to the target and use the same social engineering, email spoofing and content spoofing methods to access sensitive data.
Examples of successful attacks
In one version of a successful spear phishing attack, the perpetrator finds a webpage for their target organization that supplies contact information for the company. Using available details to make the message seem authentic, the perpetrator drafts an email to an employee on the contact page that appears to come from an individual who might reasonably request confidential information, such as a network administrator. The email asks the employee to log into a bogus page that requests the employee's username and password, or click on a link that will download spyware or other malicious programming. If a single employee falls for the spear phisher's ploy, the attacker can masquerade as that individual and use social engineering techniques to gain further access to sensitive data.
In 2015, independent security researcher and journalist Brian Krebs reported that Ubiquiti Networks Inc. lost $46.7 million to attackers whose campaign began with spear phishing. The attackers impersonated communications from executive management at the networking firm and used them to have unauthorized international wire transfers carried out; the loss came from employee impersonation and fraudulent payment requests rather than from a break-in to the company's systems.
Tips to avoid a spear phishing attack
It’s difficult to completely avoid becoming a target of a spear phishing attack, but email users can make it more difficult for attackers to execute a successful attack by doing the following:
- Limit the amount of personal information you share on social media and other websites.
- Do not click on links in unexpected emails. Before following any link, hover your cursor over it to reveal the actual URL and check that its domain matches both the link’s anchor text and the destination the message claims; a link whose text names one domain but whose target is another is a strong warning sign. Hovering does not reveal where a shortened URL ultimately leads, and many mobile mail clients do not show the target at all.
- Contact the associate, friend or business purporting to send the message (by a separate communications channel) to confirm the request.
Spear phishing defense
Spear phishing attacks -- and whaling attacks -- are often harder to detect than regular phishing attacks because they are so focused.
In an enterprise, security awareness training for employees and executives alike can help reduce the likelihood of a user falling for spear phishing emails. This training typically educates enterprise users on how to spot phishing emails based on suspicious email domains or links enclosed in the message, as well as the wording of the messages and the information that may be requested in the email. Everyone should also be aware of the process for reporting suspicious emails to the IT security team.
Security teams can create and present their own training materials, or purchase training materials from vendors. The most effective security awareness training includes simulated spear phishing attacks that allow users to practice their threat detection skills in the normal course of their workday. Security teams can also measure the effectiveness of training based on the results of these tests.