With the pervasiveness of email and instant messaging, phishing scams are an unfortunate reality in modern life. It’s important to know how to spot these scams and how to avoid falling prey to them. The most common and most successful form of phishing on the internet is known as spear phishing.
What is spear phishing?
While phishing is a broad term that can be used to refer to any attempt to trick victims into sharing sensitive information, spear phishing is much more personalized. Attackers will gather and use personal information about you to appear more legitimate, increasing their odds of success. “Spear-phishing attacks target a specific victim, and messages are modified to specifically address that victim, purportedly coming from an entity that they are familiar with and containing personal information,” says Nena Giandomenico in a January 2019 article for Digital Guardian.
Because these emails are so personalized, spear phishing attacks are harder to identify, especially for automated systems. According to a study by the email security company IronScales, 77 percent of spear phishing attacks are extremely focused and target only 10 or fewer accounts; a third of these attacks target just one, and most attacks are short-lived. “Traditional spam filters and endpoint protection tools aren’t catching the attacks,” Juan Martinez writes in a January 2017 article for PC Magazine. “For every five attacks identified by spam filters, 20 attacks made it into a user’s inbox.”
Examples of spear phishing
Spear phishing was famously used in the 2016 United States presidential campaign by a Russian cyber espionage group called “Fancy Bear,” which targeted Gmail accounts associated with Hillary Clinton. “When Democratic National Committee Chief John Podesta’s aide forwarded him an email that claimed Podesta’s Gmail account was hacked, Podesta did what most of us would have done: He clicked the link within the email and was directed to a website where he was prompted to enter a new password,” Martinez writes. Unfortunately for Podesta, the email hadn’t been sent from Google, and he had unwittingly given his password to the hacking group.
Like the Fancy Bear case, most spear phishing attacks take the form of customer-support emails that send you to a fake website and ask you to change your credentials. Not every attack harvests credentials, though: in 2015, hackers created spoof email accounts resembling those of real Ubiquiti Networks executives and tricked employees into transferring $47 million to overseas accounts.
To better fool targets, Giandomenico says attackers will use the personal information you put on the internet to find your email address, geographic location, friends list and even your recent purchase history. “With all of this information, the attacker would be able to act as a friend or a familiar entity and send a convincing but fraudulent message to their target,” she explains.
How to avoid spear phishing
Though anti-phishing software does exist, the best tool you have against spear phishing attacks is your judgment. “Education and caution are perhaps the most important defenses against spear-phishing attacks,” says Martinez, adding that you should never, under any circumstances, send sensitive information to someone in the body of an email. Giandomenico goes one step further and recommends against clicking any links in emails. “If any organization, such as your bank, sends you a link, launch your browser and go directly to the bank’s site instead of clicking on the link itself,” she writes. You can also limit your exposure to spear phishing by reducing the amount of personal information you share online and by using a unique password for every account you own, so that one stolen credential cannot be reused elsewhere.
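As an added example (not code from the original article or its quoted sources), the Python script below applies two of the checks discussed here to a constructed sample message: it flags a sender whose address is outside the organization's own mail domains, the pattern in the Ubiquiti case, and a link whose visible text names a different host than its actual href, the pattern in the Podesta case. OUR_DOMAINS and the sample message are assumptions.

```python
import email
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAINS = {"example.com"}  # assumption: the organization's real mail domains

# Constructed sample (not a real message) modelled on the article's cases: an
# executive-looking sender on a look-alike domain, and a link whose visible
# text names one host while its href points to another.
SUSPECT_EMAIL = """\
From: "CEO Example" <ceo@example-networks.co>
Subject: Urgent wire
Content-Type: text/html

<p>Confirm at <a href="https://accounts.example.com.login-check.example">https://accounts.example.com</a></p>
"""

class _LinkCollector(HTMLParser):
    # Gather (href, visible text) pairs from the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def check_message(raw):
    """Return warnings for the two signals the article describes."""
    msg = email.message_from_string(raw, policy=default)
    warnings = []
    for addr in msg["From"].addresses:
        if addr.domain.lower() not in OUR_DOMAINS:
            warnings.append(f"sender {addr.addr_spec} is outside our domains")
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        # Compare hosts only when the visible text itself looks like a URL.
        if text.lower().startswith("http") and _host(text) != _host(href):
            warnings.append(f"link shows {_host(text)} but goes to {_host(href)}")
    return warnings
```

Running check_message(SUSPECT_EMAIL) returns two warnings, one for the look-alike sender domain and one for the mismatched link; a message from a listed domain whose link text and href agree returns none.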
Spear phishing is a very real online threat, and until anti-phishing software begins using advanced self-learning artificial intelligence algorithms that can predict innovative new phishing methods, the best and last line of defense against spear phishing is you.