A new, HUGE, very important, fact has been gleaned by Barracuda Networks, which should impact the way that EVERYONE does security awareness training. Everyone needs to know about this fact and react accordingly.
This is that fact: "...spear phishing attacks that use personalized messages...make up only 0.1% of all email-based attacks according to Barracuda’s data but are responsible for 66% of all breaches.”
Let that sink in for a moment.
What Exactly Is Spear Phishing? Spear phishing is when a social engineering attacker uses personal or confidential information they have learned about a potential victim or organization in order to more readily fool the victim into performing a harmful action. Within that definition, spear phishing can be accomplished in thousands of different ways, ranging from basic attacks to more advanced, longer-range attacks.
Spear Phishing Examples
The average traditional spear phishing scam occurs when the attacker learns about some new confidential news or project within an organization and then uses that information to craft a new phishing email that uses the supposedly confidential information to gain trust in the new potential victim. Or the spear phishing attacker learns of some otherwise internal names and/or relationships to craft a spear phishing email with a pitch that communicates to the victim they have legitimately earned insider knowledge or relationships.
For example, a spear phishing email may state something like, “I was talking to Brian in IT Sec and he said I had to get up with you to get my Salesforce account opened.” Or “Sheila in HR said you were the person I had to go to get that way overdue list of employee social security numbers we have to send to Kronos for processing.”
Another basic spear phishing scam is an attacker learning of a new merger and then using the merger transition period to pose as someone involved in the merger. Since the merger partners are often learning of new people, processes, and third parties that are involved, what’s one more new person introducing themselves?
Spear phishing attacks are growing ever more sophisticated. For example, many attackers look into already compromised victim email Inboxes or Sent Item folders for useful email conversations (known as threads) which can be leveraged to fool an involved external recipient into reading a new fraudulent email purporting to be involved in the thread and motivate them into following the attacker’s requested (malicious) actions.
Because the email comes from a previously trusted partner, using the partner’s real email address, using a previously used legitimate email subject, it’s easier to get the trusted recipient to do a new action. For example, “Hey Bob, check out this report. It seems to exactly support what we were saying would happen on the Apple news.” It can be very difficult for new potential victims to figure out they are being pitched a new social engineering scam.
While traditional mass phishing attacks work by motivating potential victims to do something right away, spear phishing attacks often play the long game. For example, a spear phisher may take control over a trading partner’s email that the intended target regularly pays money for products or services rendered. The attacker learns from looking through the original compromised victim’s email who the accounts payable person is on the other side.
Then they use the original compromised victim’s email to send that accounts payable person a new email (hidden from the original compromised victim) indicating that they are getting a new bank and to look out for their new banking accounts payable information when it is sent in a few weeks. They may begin the first phishing email with something like this, “Hey, just want to give you a heads up that we are getting a new bank in few weeks.
The current bank’s fees are just getting too high, so senior management went out and selected a new bank. I’ll be sending the new banking details in two weeks when I have the new info. I don’t like the new bank any more than the old bank and I hate having to update all our systems and vendors, but what can you do??”
Then the attacker simply waits two weeks and sends the new (malicious) banking information in a follow-up spear phishing email. The receiving accounts payable person has no reason to believe the request coming from their normal business partner is fraudulent and updates the accounts payable details as requested. Then the attacker creates a new fake invoice or just waits for the next legitimate invoice to be sent and waits for the money to appear in their bank account. When this happens, it can be months before anyone complains about the bills not being paid before someone figures out a spear phishing scam has been going on.
Many spear phishing scams start by abusing personal relationships outside the scope of normal business.
For example, a spear phishing attacker may learn that their victim has a particular hobby, say trout fishing, from the victim’s public social media postings, and then sends a message to the victim about their shared love of fishing. Since it’s the victim’s loved hobby and the sender isn’t asking for anything suspicious, the victim is more likely to open up the unexpected message and engage with the sender. After just even a few short emails, the potential victim may begin to trust the sender more than they should, and this misplaced trust is then used by the attacker to commit a scam later on.
In the personal world, spear phishing attacks can be financially devastating. Romance scams are a good example of that. The romance scammer meets a potential victim online, learns about the victim’s interests and needs, and then turns the earned trust into a fake romance of supposedly heightened love. The victim’s love for the scammer is then used to extort financial payments and gifts. Sometimes the fake romance is used to lure victims into fake investment scams where they lose tens to hundreds of thousands of dollars. “Pig butchering” scams, where a potential romance is turned into a huge cryptocurrency scam rip-off, are quite popular these days.
Spear phishing email scams are far more difficult to detect than regular non-spear phishing emails, and they make up a disproportionate amount of the successful social engineering breaches (66%). If you do the math, because social engineering, in general, is involved in 70% to 90% of overall successful breaches, that means appropriately mitigating the threat of spear phishing would decrease your cybersecurity risk by 46% to 59%. Mitigating one thing would result in a big decrease in risk That’s HUGE!
How to Defend
You must use your best defense-in-depth combination of policies, technical defenses, and training to prevent social engineering attacks. You have to educate everyone about the huge threat that spear phishing attacks are in the first place, and how stopping them is the most important defense they can provide to themselves and the organization.
Share with your co-workers many examples of common spear phishing attacks. KnowBe4’s educational modules contain hundreds of examples. Then use spear phishing-like simulated phishing tests, which include personal and confidential information, to test co-workers. Don’t let the real scammers be the only ones that are spear phishing your co-workers.
Teach co-workers to be suspicious of any new request arriving asking them to perform potentially dangerous actions even if that request comes from a trusted source or appears to have insider information. Phishing sophistication has moved on from the early days where strange email addresses and typos were the primary indicators of a phishing attack. Create a healthy culture of skepticism, where every coworker confirms any unexpected request using a known legitimate method before performing the action. The key is to let your co-workers know what spear phishing is, how it differs from traditional mass audience phishing, and how to detect, report, and defeat it.
For years we’ve been helping you to better mitigate all social engineering attacks. Now we’re going to instruct you to concentrate on spear phishing attacks with increased intensity. Whether or not your organization gets successful phished or not will likely come down to how well you put down spear phishing attacks.