With phishing being annoyingly prevalent these days, many businesses are starting to take notice of the variety of forms they come in. This is especially the case for spear phishing, but how does this attack actually work?
Spear phishing is far from shiny and new, and nor is its approach to social engineering via electronic means, but many businesses still don't fully understand the simple, yet deadly, process behind these targeted scams. In this blog, we will discuss the steps a cyber criminal takes to succeed in a spear phishing attack.
Step 1: Penetrate (Bait)
The most effective attacks can come in the simplest of forms. By simply mimicking the normal day-to-day activities of the victim's role within the business, the attacker hopes for an impulsive, ill-judged decision. A prime example of such an impulsive decision takes us back to 2013: the famous Nigerian Prince phishing email that fooled thousands and still does to this day. This style of email is notoriously common and yet so simple: it asks the victim to send money to the cyber criminal, who promises they will be “reimbursed” over time.
There has been a rapid increase in personalised attacks that are extremely difficult to spot, especially for employees who lack security awareness. When employees don't receive cyber security training, they are more likely to open any form of phishing email, even the most common types.
Step 2: Observe (Hook)
This is where the attacker monitors the account and keeps an eye on the email traffic to learn about the organisation in depth. Getting to know the organisation helps the attacker tailor the attack, making it as realistic as possible. Learning the traffic allows the hacker to determine who has access to what information, such as HR and financial records. This knowledge is then leveraged for the final step of the attack. Sometimes, cyber criminals will even set up forwarding rules so they don't have to monitor the account like a hawk.
Cyber criminals can be very patient people. The more information they gather from an organisation, the more likely the attack will be successful. One of the simplest things employees can do to protect themselves is to use Multi-Factor Authentication. This is essential: a single password on an account is not enough, as it makes it far easier for a criminal to gain access. If Multi-Factor Authentication is enabled, the attacker would need two or even three forms of authentication to gain full access. Multi-factor authentication can use many different methods, such as an SMS code, key fobs, phone calls or even a thumbprint.
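Forwarding rules like the ones described above are something a defender can audit for. As an added example that is not part of the original post, the Python below checks a constructed export of mailbox rules (a hypothetical CSV layout, not any specific mail platform's format) and flags rules that auto-forward to an external domain, delete the message after forwarding, or carry a near-empty name; the organisation domain is an assumption.

```python
import csv
import io

# Constructed sample export of mailbox rules (hypothetical layout, not tied to
# any particular mail platform): one row per rule.
SAMPLE_RULES_CSV = """mailbox,rule_name,forward_to,delete_after_forward,enabled
alice@example.co.uk,Invoices,finance@example.co.uk,false,true
bob@example.co.uk,.,bob.backup@mail-example.net,true,true
carol@example.co.uk,Out of office,,false,true
dave@example.co.uk,HR docs,recruit@example.co.uk,true,true
"""

INTERNAL_DOMAINS = {"example.co.uk"}  # assumed organisation domain(s)


def is_external(address):
    """True if the address is not at one of the organisation's own domains."""
    if "@" not in address:
        return False
    return address.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS


def score_rule(rule):
    """Return the list of warning reasons for one rule (empty means benign)."""
    reasons = []
    if rule["enabled"].lower() != "true":
        return reasons
    target = rule["forward_to"].strip()
    if target and is_external(target):
        reasons.append("forwards to external address")
    # Forward-then-delete hides the copied traffic from the mailbox owner.
    if target and rule["delete_after_forward"].lower() == "true":
        reasons.append("deletes message after forwarding")
    # Punctuation-only or single-character names are a heuristic (assumed,
    # not from the post) for rules created to blend in with the mailbox.
    if len(rule["rule_name"].strip(" .")) < 2:
        reasons.append("suspicious rule name")
    return reasons


def audit_rules(csv_text):
    """Map 'mailbox/rule_name' to its warning reasons for every flagged rule."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = score_rule(row)
        if reasons:
            findings[f"{row['mailbox']}/{row['rule_name']}"] = reasons
    return findings
```

Running `audit_rules(SAMPLE_RULES_CSV)` flags bob's rule on all three counts and dave's rule for deleting after forwarding, while alice's internal forward and carol's out-of-office rule pass.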
Step 3: The Attack (Catch)
This is where the attacker gets creative. They use all of the information they have on an organisation to personalise a phishing email. But first, they have to decide what the goal of the phishing email is. There are numerous goals for phishing emails. Some common ones are identity theft, blackmail, stealing a database of customer credit card details or sometimes just fun.
So, the victim has clicked on the link or opened the attachment - what happens now?
The best thing you can do is be prepared. The cyber criminal now knows you fell victim to their attack, and nothing is stopping them from fooling you again, right? Incorrect: if you follow a few procedures, you and your business can stop it from happening again.
Where to start? It's quite simple really: the first thing you need to do is understand the threat. You need to acknowledge that there are many attackers with many motives out there, armed and waiting for you. Begin by asking yourself what motivates someone to attack your business. Is it the information you possess? Could it be beneficial to competitors, or is it just very valuable? As a business owner or an executive you are already a target due to your position; there is a specific term for targeting executives: instead of spear phishing, it is termed ‘whaling’. Once the threat has been understood you can move on to the next step.
Your employees: simply start by educating your end users. This can be done with a security awareness training program that has bitesize modules; these will keep your employees more engaged and help them retain the information better. Another great way to educate your employees is to phish them again: run a simulated phishing campaign. It allows you to test your employees as well as gaining an insight into which employees fell for the phishing attack. You can run more than one phishing campaign to keep track of whether your employees are making progress in spotting a phishing email.