As we mentioned in Cyberheist Snippet 1 and Cyberheist Snippet 2, we're working on a book here at KnowBe4.com, and it features Cyberheist as the first word in its title. Here's a third snippet from the book, this one taken from Chapter 7, "How Scams Target Victims: Spear Phishing, Whaling, and More." It defines a targeted scam technique called spear phishing that can be surprisingly successful when well-designed and carefully deployed.
Where general phishing attacks target populations with specific types of accounts, such as individuals with Yahoo! or Gmail email accounts, or individuals who bank at Wells Fargo or Citibank, spear phishing aims to collect information from within one specific organization or company. In these kinds of attacks, spear phishing messages may appear to originate from a large or well-known company or Web site on the order of eBay, PayPal, or LinkedIn. Sometimes in the most customized versions, messages that hit a user's inbox may appear to come from a co-worker or a member of the management team at the victim's own company.
Spear phishing attacks usually take advantage of publicly accessible company websites that offer contact information for employees, along with additional information about the target company or organization. Taking advantage of details available from news stories, press releases, newsletters, and other available information, the attacker crafts an email that appears to originate from someone inside the organization with a legitimate right to ask for confidential information. It might be an HR secretary, a system administrator, or a first- or second-level manager in a parallel organizational unit.
Spear phishers usually request usernames and passwords, or ask their victims to click a link that will install drive-by malware downloads on their PCs. Then if one employee falls for this ploy, the spear phisher can impersonate their victim and start working their way up the food chain at the target organization. Ultimately, the spear phisher will hit paydirt and obtain administrative passwords, bank account information, access to intellectual property, or other confidential data.
The occasional but dramatic successes in spear phishing result from the organizational knowledge and details that attackers use to make themselves appear both known and trustworthy. Information within the message looks legitimate and the request seems valid, so some recipients will fall for the ploy, and either provide the requested details or visit the phishing site and fall prey to drive-by downloads. That probably explains why spear phishing attacks often enjoy a higher success rate than the 1-in-5 ratio so common for more typical or general phishing attacks.