Phishing attacks targeting businesses are a growing problem, particularly targeted phishing that is difficult for employees and managers to see through. Traditional phishing is sent out indiscriminately, so how can cyber criminals single out a specific person in a company?
Spear phishing vs. phishing
Traditional phishing is a type of cyber fraud in which cyber criminals pose as legitimate businesses, governments or organisations for malicious reasons. They use various strategies to lure their victims into providing sensitive information that they can later exploit. They may also trick victims into installing malware on their computer so that the cybercriminals can access and compromise the computer.
Phishing attacks affect all types of people
Most phishing attacks are carried out via e-mail. A phishing e-mail contains either a link or an attachment. When the unwitting recipient clicks the link, they land on a fake website that asks them to enter their details. If they open the attachment, malware is installed on their computer and infects the device.
Phishing can also be carried out over social media, SMS and phone calls.
Common phishing campaigns try to reach as many people as possible, so they are sent out en masse and rely on generic manipulation strategies (urgency, fear, curiosity) that work on almost anyone. These strategies are called social engineering.
The manipulation strategies in phishing are one of the things that distinguish phishing from spam emails. Spam is a type of "advertisement" aimed at getting as many people as possible to buy a particular product or service.
Spear phishing attacks
Spear phishing is a form of phishing aimed at specific individuals or specific groups within a company, designed to steal confidential information or compromise their devices.
Instead of improving their odds by sending out as many phishing e-mails as possible, cybercriminals invest time in making each spear phishing e-mail as convincing and trustworthy as possible, which reduces the risk that the victim stops to question it.
Spear phishing is increasingly aimed at businesses and organisations, because the attack can be tailored to a specific target.
Phishing targeted at specific groups
Before sending out their spear phishing e-mails, cyber criminals research their victims and can use publicly available information to find out personal details such as names, addresses, email addresses, family members, friends, recent online purchases, etc. This publicly available information can be found on company websites, Google searches and through social media.
The cyber criminals use their research to tailor the spear phishing attack and carefully craft the spear phishing e-mails so they sound even more convincing. They include personal information about the victim and can make the sender look like someone the victim knows, such as their boss, a colleague or a friend.
Often, cyber criminals use devious social engineering strategies in a spear phishing email, as this increases the chances of the attack being successful.
Different types of spear phishing attacks
Whale phishing (whaling) targets a company's senior employees and executives. It is therefore even more narrowly targeted than ordinary spear phishing, since only a handful of people at the top of the organisation are in scope.
In CEO fraud, the cybercriminals impersonate the CEO (or another executive) of a company. Where spear phishing and whale phishing are defined by who receives the e-mail, CEO fraud is defined by who appears to send it: the research goes into making the sender look like one specific, senior person, typically to get an employee to pay an invoice or transfer money.
The cybercriminals often send from a look-alike address (a domain one character off from the company's, or a free webmail account with the CEO's name as the display name), or spoof the CEO's address outright. They may also have compromised the CEO's real e-mail account, in which case the sender address is genuine. Much more research and preparation goes into CEO fraud than into common types of phishing attacks.
Protect yourself against spear phishing
It's important to follow some simple precautions to protect yourself, as an individual or as a company, against spear phishing.
Consider what information you publish online
It's always a good idea to be careful about how much and which personal information you share online. Look through your public profiles and consider whether there's information that could be misused by cyber criminals for spear phishing attacks.
Many social media sites have settings that allow only "friends" or connections to see your content. By choosing to limit who can see your profile and information on social media, you can make it harder for cybercriminals to find your information.
Also, remember to only provide personal information if you're sure you are on a legitimate website. Cybercriminals often create fake phishing websites in the hope that people will enter their details, thinking the site is legitimate. There are many ways hackers can trick their victims; evil twin attacks, typosquatting and HTTPS phishing are just a fraction of the methods they use.
Always pay attention to your emails
When you receive an e-mail, you should always be cautious of the sender and the content of the e-mail.
Is the e-mail from the real e-mail address? Check the actual address, not just the display name: a spear phishing e-mail often uses a look-alike address with a small error in it (a swapped or missing letter, a digit in place of a letter, a different top-level domain). Be aware, though, that the address can also be spoofed exactly, or the real account may have been compromised, so a flawless address is not proof that the e-mail is genuine.
Are there any unusual requests in the e-mail? If you suddenly need to provide sensitive information, change your passwords, pay an invoice or transfer money to a "friend" in need, think twice before submitting the information, as these are typical characteristics of spear phishing.
Use your common sense when reading your e-mails. A legitimate organisation or business will not ask you for your password or full card details by e-mail. And does it make sense that your friend is suddenly short of money or needs your username and password? Usually not.
If you have any doubts about whether an e-mail is legitimate, contact the sender through a channel you already trust (a phone number you have on file, not one given in the e-mail, and never by simply replying), or go to the company's website by typing the address yourself or via a search engine like Google or Bing rather than following the link in the e-mail.
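The sender checks described above (and the look-alike, spoofed and redirected addresses used in CEO fraud) can be automated for triage. The following is an added example, not code from the original article or from Moxso. It uses only the Python standard library; the trusted-domain list, the homoglyph table and the three sample messages are constructed for illustration and are not real mail.

```python
"""Heuristic sender checks for a suspected spear-phishing or CEO-fraud e-mail.

Added example; not code from the original article or from Moxso. It uses only
the Python standard library. The trusted-domain list, the homoglyph table and
the three sample messages below are constructed for illustration.
"""
import email
from email.utils import parseaddr
from typing import Optional

# Constructed: the domains this hypothetical company treats as its own/trusted.
TRUSTED_DOMAINS = {"example.com", "example-partners.com"}

# Character swaps attackers use to register look-alike (typosquatted) domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def normalise(domain: str) -> str:
    """Fold common look-alike characters so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1-2 between domains is typical typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # A threshold of 2 suits domains of this length; tune it for very short domains.
        if normalise(d) == normalise(trusted) or edit_distance(d, trusted) <= 2:
            return trusted
    return None


def check_sender(raw_message: str) -> list[str]:
    """Return human-readable warnings about the sender; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message)
    warnings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display name that embeds a trusted-looking address the real address does not match.
    if "@" in display_name:
        claimed = display_name.rsplit("@", 1)[1].strip('>" ').lower()
        if claimed != from_domain:
            warnings.append(f"display name claims @{claimed} but the real address is @{from_domain}")

    # 2. Look-alike domain: the "small error in the address" case.
    imitated = lookalike_of(from_domain)
    if imitated:
        warnings.append(f"sender domain {from_domain} looks like trusted domain {imitated}")

    # 3. Replies silently redirected to an address the attacker controls.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        warnings.append(f"replies go to {reply_to}, not to the From domain")

    # 4. Exact spoof of a trusted address: the address is flawless, but the receiving
    #    mail server's Authentication-Results header records failed SPF/DKIM/DMARC checks.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            warnings.append(f"{mech} check failed according to Authentication-Results")
    return warnings


# Constructed sample messages (not real mail).
SAMPLE_LOOKALIKE = """\
From: "Anna Jensen <ceo@example.com>" <ceo@examp1e.com>
Reply-To: anna.jensen.ceo@mail-relay.net
To: finance@example.com
Subject: Urgent and confidential
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=pass header.from=examp1e.com

I am in a meeting and cannot talk. Please pay the attached invoice today and keep this between us.
"""

SAMPLE_SPOOF = """\
From: Anna Jensen <ceo@example.com>
To: finance@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Can you send me the login for the bank portal? I am locked out.
"""

SAMPLE_BENIGN = """\
From: Bob Larsen <bob.larsen@example.com>
To: finance@example.com
Subject: Lunch
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Canteen at 12?
"""

if __name__ == "__main__":
    for label, sample in (("look-alike", SAMPLE_LOOKALIKE), ("spoof", SAMPLE_SPOOF), ("benign", SAMPLE_BENIGN)):
        print(label, check_sender(sample) or ["no sender warnings"])
```

Note that the look-alike sample passes SPF and DMARC, because the attacker controls the examp1e.com domain; authentication results only help against exact spoofs of your own domain, which is why the look-alike and display-name checks are needed as well. Conversely, a compromised real account passes every one of these checks, so the unusual-request test in the paragraph above still has to be applied by a human.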
Introduce a data protection programme in your company
To protect your business from spear phishing, implement a data protection programme that limits the damage a successful attack can do. Such a programme includes awareness training, so that employees can recognise this type of attack and know how to report it, together with internal network controls and security software that protect the company's data.
The programme should also include backups and other technical measures for recovering after a disruptive data breach. Even if data has been compromised, it may be possible to restore it.
In addition, the programme should set out the chain of communication after a spear phishing attempt, including who must be notified immediately.
You should, therefore, always note who is sending the e-mail and what it contains. Cybercriminals are getting better and better at tricking us, but if you are cautious and vigilant, you can prevent yourself or your company from becoming the next victim.
This post has been updated on 06-09-2023 by Sofie Meyer.
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.