What is spear phishing?

August 1, 2024

Spear phishing is a highly personalized and sophisticated form of phishing, often targeting high-value individuals within organizations. From an organization's perspective, spear phishing can be a nightmare because it is hard to detect and is often the initial attack vector for high-risk security events such as ransomware attacks and wire transfer fraud. In this post, we discuss spear phishing, its trends, and how best to prepare your organization against these threats.

What is spear phishing?

Spear phishing can take many shapes and forms, but it typically involves the threat actor(s) doing a certain amount of background research on the target before engaging them. This is in contrast to most phishing attacks, which are "spray-and-pray" tactics that cast a wide net over a large number of potential targets. With the widespread use of social media such as LinkedIn among professionals, it is now easier than ever for threat actors to gather information about the target such as employer, position, and colleagues, and to make educated guesses about which tools or vendors the target interacts with.

The following are the types of spear phishing commonly discussed in cybersecurity literature. Keep in mind that the boundaries between types are not always clear-cut, and some experts consider one to be a subset of another.

Scamming

Scamming usually involves the threat actor using the background research they have done on the target to craft an effective hook - such as fake job postings, gift card winnings, or unclaimed packages - to get the target to disclose sensitive information like a social security number, credit card details, or bank account details. This is the most common type of spear phishing by volume.

Vendor / brand impersonation

This type of spear phishing involves the threat actor impersonating a vendor or a brand that the target would typically interact with to get the target to take a compromising action such as disclosing sensitive information, entering credentials, or installing malware. This broad type of spear phishing may manifest itself in forms that range from sending a carefully crafted transactional email (e.g. a password reset) accompanied by a fake website, all the way to impersonating a customer support representative who asks the target to provide a piece of sensitive information directly.

Conversation hijacking

A type of vendor impersonation (but often treated as a separate category), conversation hijacking involves the threat actor inserting themselves into an email conversation that already exists. This typically begins with an account takeover (i.e. an account is compromised via credential theft), after which the threat actor studies the existing conversation to understand the business operations and the deals in progress before inserting themselves at a crucial moment to have the target perform a compromising action such as wiring money or installing malware. This can be extremely hard to detect and respond to properly, because the messages come from a legitimate, already-trusted account and therefore bypass most email filters and first-glance scrutiny.

Business email compromise

Commonly referred to by its acronym, business email compromise (BEC) is a type of spear phishing where the threat actors impersonate a trusted colleague, partner, or vendor to get the target to take a compromising action such as wiring money or disclosing sensitive information. This may be done through an account that has already been taken over, via spoofing, or via a cleverly executed impersonation. While very similar in certain aspects to vendor impersonation and conversation hijacking, BEC is often mentioned as its own category because the FBI classifies it as a major form of online crime. BEC is sometimes used interchangeably with CEO fraud and wire transfer fraud.

CEO fraud

CEO fraud is a type of spear phishing where the threat actor impersonates the CEO or another high-ranking individual at a company to get the target (usually an employee who reports to the impersonated individual) to take a compromising action such as wiring money. Often, social engineering tactics such as a sense of urgency or charismatic language are used in conjunction to undermine the target's judgment. CEO fraud may occur through an account that has already been taken over, via spoofing, or via a clever impersonation.

Extortion

In this type of spear phishing, threat actors interact directly with the target and claim that they have compromising video, images, or other sensitive or embarrassing information about the target. Typically, they threaten to share such content with the target's contact list unless a ransom is paid. The ransoms often range from hundreds to thousands of dollars, and are often demanded in cryptocurrency to hinder tracing.

A few examples...

Here is an example of a spear phishing email conversation:

Example conversation of a CEO fraud scheme

Here is another example:

Example conversation of a business email compromise (BEC)

Spear phishing trends

General cybersecurity trends

  • 59% of security experts say cyberattacks are growing increasingly sophisticated (Mimecast, 2023)
  • 50% of IT experts expect to see an increase in attacks due to use of AI (Barracuda, 2024)
  • 46% of executives say advances in adversarial capabilities present the most concerning impact of generative AI on cyber (World Economic Forum, 2024)

Phishing trends

  • 91% of all cyber attacks begin with a phishing email (Deloitte, 2020)
  • Average cost of a phishing data breach is $4.76M (IBM, 2023)
  • Average time to identify and contain phishing is 293 days (IBM, 2023)

Spear phishing trends

  • 65% of all known hacker groups used spear phishing as an initial attack vector (Symantec, 2019)
  • 74% of security experts say their organization had experienced at least one successful spear phishing attack (Proofpoint, 2023)
  • Out of organizations that fall victim to phishing attacks, 66% of them are victims of spear phishing attacks (Barracuda, 2023)
  • Typical organization receives 5 highly personalized spear phishing emails per day (Barracuda, 2023)

How to prepare against spear phishing

Simply put, a once-and-done solution won't work here. Rather, a layered approach to your organization's security posture is crucial for successfully defending against sophisticated threats like spear phishing.

Properly configure email server

Configuring your mail server correctly is the bare minimum:

  • Configure the email server to properly act on DMARC/DKIM/SPF failures.
  • Ensure the spam filter is up to date with the newest blocklists.
  • Implement a proper warning mechanism for emails coming from suspicious domains.
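One way to implement the first and third items above, as an added example that is not code from the original post or from Vansec: the script below parses the Authentication-Results header that an inbound mail server adds after evaluating SPF, DKIM and DMARC, rejects mail that fails DMARC or that claims the organization's own domain without passing, and warns on external senders, especially those whose display name borrows an internal executive's name (the display-name impersonation behind the CEO fraud and BEC cases described earlier). The internal domain, the VIP name list and the three sample messages are constructed assumptions for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for illustration: the organization's own domain and the names
# of internal people whose display names a lookalike sender might borrow.
INTERNAL_DOMAIN = "example.com"
VIP_NAMES = {"alice example"}

# Constructed sample messages (not real mail). Authentication-Results is the
# header an inbound MX adds after evaluating SPF, DKIM and DMARC.
SAMPLE_PASS = """From: Alice Example <alice@example.com>
To: bob@example.com
Subject: Q3 numbers
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Please review the attached figures.
"""

# Claims our own domain in From: but fails every check: a spoofed sender.
SAMPLE_SPOOF = """From: Alice Example <alice@example.com>
To: bob@example.com
Subject: Payment approval
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bad.invalid; dkim=fail header.d=example.com; dmarc=fail header.from=example.com

Please approve the attached payment today.
"""

# Authenticates fine for a lookalike domain, but the display name copies a VIP.
SAMPLE_LOOKALIKE = """From: "Alice Example (CEO)" <alice.example@examp1e.com>
To: bob@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=none header.from=examp1e.com

Are you at your desk?
"""


def parse_auth_results(header):
    """Return {method: result} from an Authentication-Results header value."""
    results = {}
    # The first ';'-separated element is the authserv-id (mx.example.com).
    for clause in header.split(";")[1:]:
        clause = clause.strip()
        if not clause:
            continue
        token = clause.split()[0]          # e.g. 'spf=pass'
        if "=" in token:
            method, result = token.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def classify(raw_message, internal_domain=INTERNAL_DOMAIN, vip_names=VIP_NAMES):
    """Return (action, reasons); action is 'deliver', 'warn' or 'reject'."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    reasons = []

    # A DMARC failure means the From: domain did not authorize this message.
    if auth.get("dmarc") == "fail":
        return "reject", ["dmarc-fail"]

    if sender_domain == internal_domain:
        # Mail claiming our own domain must carry a DMARC pass; anything else
        # (missing header, 'none', failing SPF/DKIM) is treated as spoofing.
        if auth.get("dmarc") != "pass":
            reasons.append("dmarc-" + auth.get("dmarc", "missing") + "-on-internal-domain")
        for method in ("spf", "dkim"):
            if auth.get(method) not in (None, "pass"):
                reasons.append(f"{method}-{auth[method]}")
        return ("reject" if reasons else "deliver"), reasons

    # External sender: authenticated or not, flag a display name that borrows
    # an internal VIP's name, and tag the message so the reader sees a banner.
    if any(vip in display_name.lower() for vip in vip_names):
        reasons.append("display-name-impersonation")
    reasons.append("external-sender")
    return "warn", reasons


def triage_samples():
    """Run the three constructed samples through the policy."""
    return {
        "pass": classify(SAMPLE_PASS),
        "spoof": classify(SAMPLE_SPOOF),
        "lookalike": classify(SAMPLE_LOOKALIKE),
    }


if __name__ == "__main__":
    for name, (action, reasons) in triage_samples().items():
        print(f"{name:10s} -> {action:8s} {', '.join(reasons) or '-'}")
```

The lookalike case is the one a pure DMARC policy misses: the sender's own domain authenticates correctly, so only the display-name check and the external-sender banner give the recipient a cue. In a real deployment the VIP list would come from the directory and the "warn" action would map to the mail gateway's tagging or quarantine feature.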

Use email security solutions

Email security solutions like Tessian and Abnormal Security can help with advanced threat detection and prevention by providing functionality such as:

  • Validating links and attachments, including sandboxed detonation of links and attachments.
  • Analyzing the content of the email for anomalies.

Fortify the human layer of defense

Fortify the human layer of defense using advanced phishing simulation and training platforms like Vansec:

  • Vansec's AI-powered simulation platform allows organization admins to launch spear phishing campaigns that engage users in personalized and sophisticated multi-message email conversations, unlike traditional phishing simulation platforms that send templated emails (which users quickly get used to).
  • Vansec's AI chat-based training modules deliver personalized post-simulation debriefs for each user, as well as lessons on various cybersecurity topics as assigned.

Regularly conduct security reviews and investigations

Regular audits must be an integral part of any mature enterprise security posture:

  • Conduct security reviews on the overall security infrastructure of the organization, including security layers (VPN, MFA, etc.), security policies, incident response protocols, and others.
  • Conduct proactive investigations into and analyses of the real threats the organization receives, including red team exercises.