Spear phishing is such a common attack that many in IT security assume everyone is familiar with it. While we may expect all business email users to know what spear phishing is, the reality is that many have never been trained on it, and some do not know the threat exists or how it works. If you're about to deploy email security training in the workplace, it may help to start with basic instruction on email security threats. In this post, we do that with spear phishing.
Spear Phishing: Top Threats and Trends
What is spear phishing?
The Barracuda glossary reference defines spear phishing as “a personalized phishing attack that targets a specific organization or individual.” There are multiple types of spear phishing attacks, but there are certain characteristics that define them as spear phishing:
Personalization: Unlike mass phishing “spray-and-pray” attacks that send the same (or very similar) email to thousands of people, a spear phishing attack is aimed at a specific victim. The victim is researched and the email message is crafted for that individual. This process can be as simple as a criminal reading the corporate website to learn the names and roles of employees, and then sending something like this:
Dear [staff member name] Are you in the office today? Can you take care of an invoice for me? [executive name]
The personalization becomes more effective with additional research behind it. Perhaps the criminal discovers that the targeted company uses Gmail for email. Now the criminal can create an email template that looks like it comes from Google, and send every employee a message that looks like this:
Dear [staff member name] Your Gmail account has been compromised. Log in [with this link] to update your information immediately.
The link in the email takes the victim to a phishing website that is designed to look like a Gmail login page but is in reality controlled by the attacker. By logging in to this site, the victim unknowingly hands their login credentials to the attacker.
Urgency: Spear phishing attacks normally attach a sense of urgency to the message. You can see this at work in the example above, where the victim is told to log in ‘immediately’ to stop an attacker. The urgency is designed to make the victim react quickly and emotionally rather than set the message aside and think about it.
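As an added example (not code from the original post and not a Barracuda product), the script below applies the three signals described above, an executive's display name on the wrong mailbox, a look-alike login link, and urgency language, to two constructed sample messages modelled on the templates in this post. The organisation domain, executive directory, brand list, urgency phrases and sample emails are all hypothetical, and the "two or more indicators" cut-off is a constructed threshold, not a published rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed organisation data for this example (hypothetical).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # normalised display name -> real mailbox
BRAND_DOMAINS = {"google": {"google.com"}, "microsoft": {"microsoft.com", "office.com", "live.com"}}
URGENCY = re.compile(
    r"\b(immediately|urgent(?:ly)?|right away|as soon as possible|within 24 hours|action required)\b", re.I)

# Constructed sample messages, modelled on the templates in the post (not real mail).
SAMPLE_PHISH = """\
From: "Jane Doe, CEO" <jane.doe@example-mail.net>
To: sam@example.com
Subject: Action required: your account

<html><body>
<p>Dear Sam,</p>
<p>Your Gmail account has been compromised. Log in
<a href="http://accounts-google.example-phish.net/login">with this link</a>
to update your information immediately.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: sam@example.com
Subject: Maintenance window on Saturday

<html><body>
<p>The mail server will be patched Saturday 02:00-04:00. Details:
<a href="https://intranet.example.com/maintenance">intranet.example.com/maintenance</a></p>
</body></html>
"""


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append((self._cur[0], self._cur[1].strip()))
            self._cur = None


def registered_domain(host):
    """Last two labels of a hostname. Naive on purpose: a real deployment uses the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(raw):
    """Return a list of human-readable findings for one RFC 822 message string."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    # 1. Personalisation abuse: an executive's display name on a mailbox that is not theirs.
    key = name.split(",")[0].strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' matches an executive but the sender is {addr}")
    body = msg.get_payload()
    # 2. Urgency language in the subject or the tag-stripped body.
    text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    hits = sorted({h.lower() for h in URGENCY.findall(text)})
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    # 3. Links: visible text naming a different site than the href, or a brand look-alike host.
    parser = _Links()
    parser.feed(body)
    for href, visible in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue
        if "." in visible and " " not in visible:
            shown = urlparse(visible if "://" in visible else "//" + visible).hostname or ""
            if shown and registered_domain(shown) != registered_domain(host):
                findings.append(f"link text shows {shown} but points at {host} (domain mismatch)")
        for brand, allowed in BRAND_DOMAINS.items():
            if brand in host and registered_domain(host) not in allowed:
                findings.append(f"link host {host} imitates {brand} but is not a {brand} domain")
    return findings


def is_suspicious(raw, threshold=2):
    """Constructed cut-off: two or more independent indicators flags the message."""
    return len(analyze(raw)) >= threshold


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, is_suspicious(sample), analyze(sample))
```

The phishing sample trips all three checks, the maintenance notice trips none. Each check on its own is noisy (a genuine executive may write from a personal mailbox, a real IT notice may say "immediately"), which is why the cut-off counts independent signals rather than acting on any one of them; in production the directory, brand list and threshold would come from your own environment and be tuned against real mail.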
Criminals use a variety of tools to learn about the victims so they can manipulate them into performing some action. While international law enforcement agencies continue their work to stop these criminals, companies and individuals have to do everything possible to avoid being a victim.
- Download this report for the latest Barracuda research on spear phishing, including examples of attacks and how to avoid them.
- Deploy Barracuda Sentinel in your organization to help protect your company from spear phishing attacks.
- Train your users to understand and recognize spear phishing attacks with a phishing simulation tool like Barracuda PhishLine
- Leverage traditional email security such as Barracuda Email Essentials
- Report all attacks to the Internet Crime Complaint Center (IC3)
- Be careful when clicking on links in an email, even if you know the sender. It's always safer to open a browser and type in the address.
- Never use the same password for multiple accounts. This prevents a successful attack from exposing more than one set of credentials.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.