How many people can really identify phishing and spear phishing emails, much less understand the nuanced differences between them? The two threats are similar but different enough to represent two distinct modes of attack. As we like to say, hyper-awareness is the key to cyber vigilance.
Let’s start with the spelling. “Phishing” was coined by admirers of the “phone phreaks,” the notorious first generation of hackers who reigned during the 1960s-1970s. The phone phreaks inaugurated a long tradition of cyber warfare using a simple technique: blowing a toy whistle found in Cap’n Crunch cereal boxes into a phone receiver to mimic the signaling tone the phone company’s switching equipment listened for, tricking the switching circuit into giving the phone phreaks a free call.
This technique might sound ridiculous to us today, but it was a hacking innovation at the time: it exploited a vulnerability in call-routing switches that relied on in-band signaling, and it inspired a generation of phone phreaks.
Phishing involves a hacking technique that is the digital equivalent of “casting a net.” Specifically, phishing means sending emails that are designed to lure a user into clicking on a URL that leads to a web form on a landing page that impersonates a known brand, such as Microsoft. The web form is designed to harvest personal information like login credentials. Common phishing emails might say something along the lines of, “Your account is locked,” “Please update your password,” or “Please update your bank account information.”
In some cases, the counterfeit web forms are nearly impossible to distinguish from their real-life counterparts. The URLs themselves, however, can offer a clue to what lurks beneath the surface. For instance, a phishing URL purporting to be from Bank of America might direct you to a site with the domain name “www.bankofamericaincu.co” (the bank’s actual domain is www.bofa.com). Once there, you might share your login credentials, social security number, or other personal information with the criminals who set it up.
Phishing is also commonly employed to steal login credentials to cloud applications, such as Office 365. A phisher will send an email prompting a user to log in to their Office 365 account to regain access to the platform, retrieve a shared file, or update their account information. The user clicks on a URL that directs to a counterfeit Microsoft webpage, where their credentials are harvested, similar to the Bank of America example above.
Phishing in its generic form is a mass distribution exercise and involves the casting of a wide net. Phishing campaigns don’t target victims individually; they’re sent to hundreds, sometimes thousands, of recipients. Spear phishing, in contrast, is highly targeted, aimed at a single individual. Hackers do this by pretending to know you. It’s personal.
A spear phishing attacker is after something in particular. A common scheme is business email compromise, in which a cybercriminal poses as a senior employee with the power to request wire transfers (to fraudulent companies), direct deposit changes, or W2 information. To connect with you in a convincing way, the attacker may engage in social engineering to impersonate people you know, such as colleagues or business acquaintances. The attacker can accomplish this by researching you on the Internet and social media or getting information about you from data breaches using peer-to-peer (P2P) protocols like BitTorrent.
Consider the following spear phishing scenario: Your name is Bob and you work for Joe Smith, your company’s CEO. A spear phisher sees you on LinkedIn and notices that you’re friends with Joe. He follows you on Facebook and learns about your favorite sports teams and reads about a project you’re working on at the office.
The attacker then creates an email account under the name joesmith21@gmail.com. While real Joe is on vacation—information that the phisher has gleaned from Facebook—fake Joe sends you an email that says, “Ugh, Bob… I am on vacation, but I need a wire transfer of $100,000 to a contractor in China for our project. Please take care of it right away. Here are the wiring instructions.”
If you’re not paying close attention, you might complete the fund transfer. This is a form of business email compromise that happens more often than you might suspect. Even people who have been trained specifically not to do this tend to get nervous when the “CEO” is pressuring them to do something. After all, it’s Joe, not some stranger… or so you think. In some cases, the hacker will be more subtle, and the initial contact will be more of an exploratory exercise. "Are you in the office?" is a popular form of initial contact spear phishing used by many hackers.
Spear phishing attacks are at the heart of many of the most serious, and expensive, data breaches. In 2018, business email compromise cost US businesses $2.4 billion, according to the FBI’s 2021 Internet Crime Report, while phishing cost US victims more than $44 million.
Email filters can stop large-scale phishing emails that contain known phishing URLs. Similarly, if an email contains an attachment with a known signature, a traditional email filter will catch it. However, if a phishing URL is an unknown threat, or if you get a personalized email like the one sent to Bob in the scenario above, which contains no URL or attachment, it will invariably slide right through most filters.
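The two tells this article points at, a colleague’s name on a free-webmail address (the joesmith21@gmail.com scenario) and a brand name inside a domain the brand does not own (www.bankofamericaincu.co), can be checked without any URL or attachment signature. The following is an added example, not the article’s own code or Vade’s product; the organisation domain, the employee directory, the brand list and the sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Constructed assumptions: the defender's own domain, a directory of known
# colleagues (display name -> corporate address) and the legitimate domains
# of brands that are commonly impersonated.
ORG_DOMAIN = "example.com"
DIRECTORY = {"joe smith": "joe.smith@example.com"}
BRAND_DOMAINS = {"bankofamerica": {"bofa.com", "bankofamerica.com"}}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PAYMENT_RE = re.compile(r"wire transfer|wiring instructions|direct deposit", re.I)


def sender_impersonation(from_header: str) -> Optional[str]:
    """Flag a display name that matches a known colleague while the address
    comes from somewhere else, e.g. 'Joe Smith <joesmith21@gmail.com>'."""
    name, addr = parseaddr(from_header)
    key = name.strip().lower()
    if key in DIRECTORY and addr.lower() != DIRECTORY[key]:
        return f"display name '{name}' matches a colleague but address is {addr}"
    return None


def lookalike_urls(body: str) -> list:
    """Return URLs whose hostname contains a known brand name but whose
    registered domain is not one of that brand's legitimate domains."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        registered = ".".join(host.split(".")[-2:])
        for brand, legit in BRAND_DOMAINS.items():
            if brand in host.replace("-", "") and registered not in legit:
                hits.append(url)
    return hits


def classify(from_header: str, body: str) -> list:
    """Collect findings for one message; an empty list means no signal."""
    findings = []
    imp = sender_impersonation(from_header)
    if imp:
        findings.append(imp)
    for url in lookalike_urls(body):
        findings.append(f"lookalike brand URL {url}")
    # A payment request with no URL at all is exactly the case that slips
    # past URL-based filters, so the sender check is the only signal left.
    if not URL_RE.search(body) and PAYMENT_RE.search(body):
        findings.append("payment request with no URL: rely on sender identity check")
    return findings
```

Sample inputs for this check are the article’s own examples: the CEO-fraud message with no link, and a login lure pointing at the lookalike bank domain.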
Thus, phishing, and especially spear phishing, constitute a dangerous and highly effective attack vector. Defense is possible, however. Phishing awareness training, for example, can help users learn to spot a phishing or spear phishing email. In addition, solutions like Vade leverage artificial intelligence, including machine learning, to identify malicious emails, URLs, and attachments, as well as attempts to spoof the identity of colleagues and business acquaintances.