Spear phishing is a form of phishing attack. But unlike most phishing emails that go out to hundreds or thousands of potential targets at the same time, spear phishing is highly targeted – leveraging very specific information about individuals or organisations to personalise the attack and make it more effective.
How does spear phishing work?
The personalised nature of spear phishing means that the details vary between attacks. But typically, it follows a step-by-step process that builds a bank of information and uses that to craft a targeted attack.
Target selection. The threat actor selects a target. This might be an individual or an organisation, and they’re chosen for a reason, such as their access to critical data or financial resources.
Research. The research phase is essential to a spear phishing attack. The attacker collects detailed information about the target through any available sources, including company websites, digital platforms, media publications, and social media.
Content creation. Backed by target research, the attacker crafts personalised content, which they’ll use to approach the target by email or phone. The message is often designed to look like it comes from a trusted source.
A call-to-action is developed. Within the initial contact email or message, there’s a call-to-action (CTA). This is a compelling reason for the target to take action – for example, click on a malicious link, respond with sensitive information, or open an attachment.
The target is exploited. If the campaign is well-designed and the target well-chosen, the target falls for the deception and the attacker gains access to the credentials or data they wanted.
Covering tracks. Attackers often work to remove all traces of the attack once they’ve begun exploiting the target’s resources – to prevent detection and sometimes to enable the exploitation to continue for long periods of time.
Spear phishing thrives on social media sharing
Whether they’re targeting an individual, or targeting an organisation via an individual employee, spear phishing attacks rely heavily on people who freely share personal and work information on social media platforms.
Attackers can access publicly available data that includes details about targets’ relationships, job roles, personal interests, and day-to-day activities. They also create fake profiles, populating them with posts and images so they look genuine, and using those profiles to build trust with the target.
And it’s that potential for building trust that really makes social media such a rich environment for spear phishing to thrive. It’s so effective that committed threat actors can launch long-term attacks; Evaldas Rimasauskas, for example, used the spear phishing strategy to gain access to tech company Quanta from 2013 to 2015.
The challenge of managing employee social media use
One of the major challenges organisations face in mitigating the risks of spear phishing on social media is that they have to respect employees’ freedom to express themselves online, and balance that with the security of the organisation.
Company social media policies can restrict the sharing of business information and encourage employees to separate their personal and work profiles, but more awareness is needed to understand the signs and risks of spear phishing.
Training to support individuals in understanding and identifying spear phishing tactics is essential. Some organisations run simulated spear phishing exercises on social media to test and improve employees’ ability to detect and report suspicious behaviour. Education around how to verify the authenticity of social media accounts and communications before engaging with them can help minimise the risk of employees sharing information with malicious actors.
Ultimately, organisations have to tread the line between effective security and overstepping into employees’ personal lives. But as spear phishing continues to become more prevalent, it’s a necessary boundary to explore.
P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!