Learn more about the Zero Trust Exchange to see how a complete zero trust architecture can help protect your organization against phishing attacks.
Spear phishing starts as a message, such as an email, that seems to be from a trusted source. Cybercriminals use information they know about their target to make the message appear genuine, and then ask the recipient to take some action, such as opening an attached file or following a benign-looking malicious link.
For example, an email might copy visual elements from the target’s bank and ask the target to verify a transaction or check an important notification. The target follows a link in the email that takes them to a bogus website that looks and feels like the bank’s real site, where a prompt asks for login credentials, confirmation of a credit card number, or similar.
Some attacks employ impersonation, appearing as emails from someone in the target’s address book—a friend, family member, or colleague, for instance. An email from a “friend” might ask the recipient to look at a funny link or download a useful file. Because the target thinks they know the sender, they’re less likely to notice warning signs or suspect a scam.
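As an added example that is not part of the original page, here is a small Python check a defender could run over an incoming message to surface the two red flags described above: a familiar display name backed by an unfamiliar address, and link text that names one domain while the href points to another. The KNOWN_CONTACTS address book, the sample message and every domain in it are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical address book (constructed): lower-cased display name -> known address.
KNOWN_CONTACTS = {"alice example": "alice@example.com"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")


def registered_domain(host):
    """Crude last-two-labels domain (no public-suffix list; enough for a demo)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def spear_phishing_flags(raw_email):
    """Return red flags found in a single-part HTML email (assumed format)."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    flags = []
    # 1. Display name belongs to a known contact, but the address behind it differs.
    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known and known.lower() != addr.lower():
        flags.append(f"display name '{name}' matches a contact but address is {addr}")
    # 2. Visible link text names one domain while the href goes somewhere else.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, text in ANCHOR_RE.findall(body):
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text).lower())
        target = registered_domain(urlparse(href).hostname or "")
        if shown and registered_domain(shown.group(0)) != target:
            flags.append(f"link text shows {shown.group(0)} but points to {target}")
    return flags


# Constructed sample: spoofed display name plus a look-alike "bank" link.
SAMPLE = (
    'From: "Alice Example" <alice.example@mail-example.net>\n'
    "Content-Type: text/html; charset=utf-8\n\n"
    '<p>Please <a href="http://login.examplebank-secure.com/verify">'
    "https://www.examplebank.com/verify</a> your transaction.</p>\n"
)

if __name__ == "__main__":
    for flag in spear_phishing_flags(SAMPLE):
        print("FLAG:", flag)
```

Both checks are heuristics: a real mail gateway would also consult SPF/DKIM results and a public-suffix list rather than the last two labels of the host name.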
There’s a litany of different techniques and types of phishing scams out there. Let’s look at a few techniques frequently seen in spear phishing campaigns:
To learn about other common phishing techniques, you can read our companion article, What Is Phishing?
Anyone can become a target of spear phishing attacks. If phishers get hold of someone’s personal details, especially confidential information, they can use it to make their attack more convincing. People with important positions in their organizations are generally at greater risk, as they’re often responsible for more sensitive data.
Infiltrating a company’s system can give cybercriminals access to huge amounts of valuable sensitive information, and data breaches—especially in the financial and technology sectors—can cost companies millions in recovery costs, potential fines, and loss of customer trust. The massive shift to the cloud and remote work has made businesses even more vulnerable, as distributed IT environments introduce many more possible vectors of attack.
Preventing successful spear phishing is a matter of taking the right precautions. General cyber hygiene is a start—the more secure your online data footprint, the lower your risk of becoming a target. At the organizational level, there’s a lot to consider.
Take note of these basic guidelines to reduce your overall risk:
As part of general security awareness training, your organization’s users should all learn how to spot spear phishing red flags, such as:
An example of a spear phishing email. Pay attention to the unusual phrasing and the framing of specific details.
It pays dividends to keep everyone in your organization up to date on current security threats and policies. All phishing relies on hijacking human trust, and all it takes is one person innocently following a malicious link for your environment to be compromised.
To prepare your organization, your security awareness training program should educate people about cyberthreats they might face in their role, how to identify spear phishing emails and other targeted attacks, how and where to report phishing attempts, and more.
You may also need to engage the services of cybersecurity specialists. Social engineering techniques are driving the world of cybercrime forward at a frightening speed, and it can be daunting to keep up with the latest developments. Working with experts who know the business inside out, you’ll have all the guidance and support you and your team need.
User compromise is one of the most difficult security challenges to overcome because it relies on exploiting human nature to succeed. Because spear phishing exploits its victims from such close range, it is all the more dangerous and can quickly lead to breaches. To minimize the damage, you need to implement effective phishing prevention controls as part of a broader zero trust strategy.
The Zscaler Zero Trust Exchange™ platform, built on a holistic zero trust architecture to minimize the attack surface and prevent compromise, helps stop phishing by:
While most phishing targets victims at random, spear phishing targets specific individuals. Attackers generally already have some information about their targets before they carry out the attack, which they can use to make their phishing messages much more convincing.
Between 2013 and 2015, an attacker invoiced Facebook and Google for roughly US$100 million while posing as Quanta, a real technology firm that worked with them. The companies only recovered about half after the attacker was charged.
In 2016, a BEC scammer defrauded the Belgium-based Crelan Bank of more than 70 million euros by posing as an executive and requesting transfers of funds.
Cybercriminals generally craft a spear phishing attack after obtaining information about their target, either stolen or from publicly available sources, such as social media.
If you receive a phishing email, you should report it. Don’t respond to it or otherwise interact with it. Your security team, incident response, or IT personnel will notify relevant parties such as software vendors to reduce the likelihood of a repeat attack.
The most common types of phishing attacks come through emails with messages designed to trick you into giving up your data or downloading malware. Voice phishing attacks and SMS phishing, in which criminals attempt the same kind of attack over the phone, are also becoming more common.