When is the last time you scrutinized an email? From the sender’s name to the subject line, time stamp, salutation, body, and signature? If you’re like most busy working people, the answer is probably “never.” Hackers know this, and that’s why spear phishing email attacks are so successful.
A spear phishing email serves one purpose: to defraud individuals and businesses out of money. Attackers do this in several ways and with various schemes, such as asking victims to purchase gift cards, execute wire transfers, pay an invoice, or change bank account and routing information.
Beginning with impersonation and almost always culminating in an urgent request, a spear phishing attack is targeted, personal, and very often, financially devastating. When targeting SMBs, hackers request small transactions over the course of multiple attacks. This makes the attacks less likely to set off alarms and therefore increases the chances of success.
As difficult as it can be to identify a spear phishing email, there are some defining characteristics that they all share:
Email senders are not always who they seem. This is thanks to email spoofing, a technique in which cybercriminals impersonate an email address. There are several ways to spoof email addresses.
A spoofed email address is step one in a successful spear phishing email. If a victim doesn’t look closely at the email address, or if the email address is an exact replica of a real address, the victim has already been lured.
Pay close attention to the subject line of your emails. Spear phishing attacks often include subject lines designed to cause the victim to react quickly, including flag words like “urgent” and “time sensitive.” When the email supposedly comes from a top executive or other powerful figure in the company, these flag words are especially motivating. This can cause the victim to ignore warning signs and delve immediately into the email to satisfy a superior.
Not all spear phishing attacks include pretexting, but sophisticated hackers are increasingly using this tactic to prime their victims. Pretexting is a form of social engineering in which a hacker converses with a victim over the course of one or more emails to prepare them for the attack.
It can also be used to identify the right victim. For example, the hacker might reach out to one user and ask if he or she has the resources to fulfill a request, such as executing a wire transfer, changing direct deposit information, or making a large purchase. If the user responds that they cannot fulfill the request, the hacker will ask to be directed to the right person in the company.
As a general rule, any request that is financially related should be scrutinized to ensure that the email is legitimate. If pretexting is part of the scheme, the body of the email will start out friendly and then ease into an eventual request. In the past, spear phishers cut right to the chase, urgently requesting a financial transaction. But like requests for large transactions, this sets off huge red flags, and they’ve learned from their mistakes.
Cybercriminals often make casual conversation based on information they’ve unearthed while researching the victim, such as “How was your vacation?” or “Congrats on the new promotion.” This adds a sense of familiarity to the conversation and helps to lower the victim’s guard.
After the initial conversation has been started, the spear phisher will make their request. There is almost always urgency associated with the request. This puts pressure on the victim and causes them to act quickly, without considering that the request might be illegitimate. Requests that purportedly come from a top executive put even more pressure on the victim to act. Fear of consequence and the desire to please are strong psychological motivators that cause victims to overlook red flags.
In the example below, a spear phisher posing as the CEO claims he needs to present gift cards to the company’s clients in an upcoming meeting, and he’s running out of time. Notice the flag words “purchase,” “quickly,” and “urgent.” Any of these terms coming from the CEO would make an employee act quickly. These terms are so common in spear phishing that Vade machine learning models are trained to spot these and other flag words while analyzing emails.
An accomplished spear phisher will use an email signature that matches that of the individual they are impersonating. When an exact match isn’t possible, they’ll add extra information to create a false sense of security. For example, if the cybercriminal can’t create an exact-match email address and instead uses a Gmail or Yahoo email address, they’ll add a note in the signature saying the email was sent from a mobile phone or tablet. This makes it slightly easier to believe an executive would send a business email through a personal email address.
Mistakes are also more common when writing from a tablet or mobile phone, so spear phishers will add a “please forgive typos or brevity” note in the signature. This makes it more believable that an executive would send a poorly worded email, which is otherwise a hallmark of amateur spear phishing.
Educating your customers about spear phishing is essential to protecting them from email threats. In addition to security awareness training, you should offer a solution that provides on-the-fly training when your customer’s users respond to spear phishing emails to ensure that they’re immediately aware of and learn from their mistake.
Today’s email security solutions have become more advanced when it comes to phishing attacks, but most are lacking in spear phishing protection. The nature of the attacks, including the absence of URLs and attachments, makes spear phishing emails extremely difficult to detect. Vade for Office 365 uses machine learning models to analyze the origin, content, and context of emails. Trained to identify email spoofing and the abusive language and behaviors unique to spear phishing, the models are continually trained with new data to stay up to date on the latest threats.