What is spear phishing?

Spear phishing is a phishing method that targets specific individuals or groups within an organization. It is a potent variant of phishing, a malicious tactic which uses emails, social media, instant messaging, and other platforms to get users to divulge personal information or perform actions that cause network compromise, data loss, or financial loss. While phishing tactics may rely on shotgun methods that deliver mass emails to random individuals, spear phishing focuses on specific targets and involves prior research.

A typical spear phishing attack includes an email and an attachment. The email includes information specific to the target, including the target’s name and rank within the company. This social engineering tactic boosts the chances that the victim will carry out all the actions necessary for infection, including opening the email and the included attachment.

How does spear phishing work?

An email arrives, apparently from a trustworthy source, but instead it leads the unknowing recipient to a bogus website full of malware. These emails often use clever tactics to get victims’ attention. For example, the FBI has warned of spear phishing scams where the emails appeared to be from the National Center for Missing and Exploited Children.

Many times, government-sponsored hackers and hacktivists are behind these attacks. Cybercriminals do the same with the intention to resell confidential data to governments and private companies. These cybercriminals employ individually designed approaches and social engineering techniques to effectively personalize messages and websites. As a result, even high-ranking targets within organizations, like top executives, can find themselves opening emails they thought were safe. That slip-up enables cybercriminals to steal the data they need in order to attack their networks.

Spear Phishing and Targeted Attacks

Spear phishing is typically used in targeted attack campaigns to gain access to an individual’s account or impersonate a specific individual, such as a ranking official or those involved in confidential operations within the company. Trend Micro researchers found that more than 90 percent of targeted attacks in 2012 were derived from spear phishing emails.

Spear phishing attackers perform reconnaissance before launching their attacks. One way to do this is to gather multiple out-of-office notifications from a company to determine how it formats its email addresses and to find opportunities for targeted attack campaigns. Other attackers use social media and other publicly available sources to gather information.

How to Defend Against Spear Phishing Attacks

Traditional security often doesn’t stop these attacks because they are so cleverly customized. As a result, they’re becoming more difficult to detect. One employee mistake can have serious consequences for businesses, governments and even nonprofit organizations. With stolen data, fraudsters can reveal commercially sensitive information, manipulate stock prices or commit various acts of espionage. In addition, spear phishing attacks can deploy malware to hijack computers, organizing them into enormous networks called botnets that can be used for denial of service attacks.

To fight spear phishing scams, employees need to be aware of the threats, such as the possibility of bogus emails landing in their inbox. Besides education, technology that focuses on email security is necessary.

No matter where you are in the organizational structure, attackers may choose you as their next spear phishing target to snoop inside an organization. Here are some best practices to defend against spear phishing attacks:

  • Be wary of unsolicited mail and unexpected emails, especially those that call for urgency. Always verify with the person involved through a different means of communication, such as phone calls or face-to-face conversation.
  • Learn to recognize the basic tactics used in spear phishing emails, such as tax-related fraud, CEO fraud, business email compromise scams, and other social engineering tactics.
  • Refrain from clicking on links or downloading attachments in emails, especially from unknown sources.
  • Block threats that arrive via email using hosted email security, antiphishing and antispam protection.

Article Source: kaspersky.com, trendmicro.com
