What is spear phishing?
Unlike classic phishing, which is designed to reach as large a group of potential victims as possible, spear phishing is an attack on a specific organization or person. In spear phishing, the attacker no longer poses in e-mails as a large organization (such as Amazon, banks, etc.) but becomes more specific and pretends to be an employee, manager, friend or business partner.
Three success factors
Earning the victim's trust is an essential factor for a successful spear phishing attack. To achieve this, the attacker must gather as much information as possible about the target, for example through social engineering and from public sources such as Facebook and Instagram.
Imitate a trustworthy person
Unlike normal phishing, a specific person or group, for example a department within an organization, is attacked. The attacker imitates a well-known, usually high-ranking person within that group. Out of respect, and perhaps also fear of losing their job, many victims are likely to fall for the attempt.
The attacker also needs to supply information that confirms the claimed identity. If he can convincingly pass himself off as a superior, he has a good chance of luring victims into the phishing trap.
Logical reason for requests in the email
The victim must also be given a logical reason for the requests in the message. An illogical reason will look suspicious and increase the chance that the victim questions the message.
Board members and employees in managerial positions are particularly popular spear phishing victims, because these so-called “whales”, the “big animals” (big shots) within an organization, often hold special authorizations and access. Making such an attack succeed, however, requires a sophisticated scenario and extensive information about the company and the victim.
2020 Twitter Hack
An incident in summer 2020, when the well-known social media platform Twitter was the target of a spear phishing attack, showed the effects a targeted attack on employees can have.
The attackers targeted the accounts of well-known personalities such as Elon Musk, Bill Gates and Barack Obama.
Employees were specifically contacted by phone in order to obtain their credentials, which were then used against other employees with rights to user administration. With the captured credentials and access to the internal network, the attackers then gained access to 130 accounts, and tweets were published from 45 of them. In addition, more than 30 direct messages were read and data was downloaded from at least seven accounts.
This incident shows how dangerous a spear phishing attack can be. Especially in larger companies with classic, steep hierarchies, it is common that not all employees know each other, which significantly increases the chances of such an attack succeeding. It must be stressed, however, that smaller companies are not spared from phishing attacks either, because in the end a company is only as secure as every last employee makes it.
To ensure this security, it is advisable to raise employees' awareness. This can be achieved, for example, through training courses and user awareness campaigns.