Today, 95% of all cyber attacks launched on businesses start with a spear phishing email. What’s more, spear phishing attacks increased 250% last year as bad actors have discovered more and more ways to outwit email users (busy people) and defenses (legacy technology). The motivations behind attacks are straightforward: deploy malware or defraud the target of money or credentials. The tactics, however, vary greatly and are becoming increasingly difficult to spot.
What is spear phishing?
A variety of terms are used to describe inbound email attacks: spoofing, phishing, spear phishing and whaling. While some people use the terms interchangeably, they are, in fact, different. Here’s a breakdown of the terminology:
- Email spoofing: the creation of email messages with a forged sender address or display name. It is common for spam and phishing emails to use spoofing tactics to mislead a target about the origin of the communication.
- Phishing: the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by pretending to be a trusted entity. Occurring predominantly via email or text messaging, phishing is typically bulk in nature and not personalized for an individual target. While phishing attacks can be successful, most are easy for clued-up individuals or email security policies to detect.
- Spear Phishing: advanced phishing attacks directed at specific individuals or companies. Similar to phishing attacks, these too, are designed to trick people into doing something like sending a wire transfer or clicking on a malicious link. In contrast to bulk phishing, spear phishing attackers often gather and use personal information about their target to increase their probability of success. Because they are more sophisticated in their construction and convincing in execution, spear phishing emails are harder to catch. They work best when they impersonate someone the target trusts.
- Whaling: a highly targeted phishing attack aimed at senior executives or employees with access to particularly valuable assets. Whaling emails are more sophisticated than generic phishing emails as they often target C-level executives and board members.
Why is spear phishing so dangerous?
Spear phishing isn’t difficult to pull off. Attackers don’t need capital, special equipment or a particularly advanced skillset. They just need to invest time into researching a target, which is easy with the proliferation of public profiles on platforms like LinkedIn.
Spear phishing is particularly effective because busy professionals are easy to trick on email. Today, the average worker spends nearly a third of their working week on email, sending and receiving around 124 emails every day. The pressure to be constantly connected and on-the-go means that employees are more likely to be distracted and make mistakes on email. A shift towards becoming a mobile workforce hasn’t helped the situation either. Verizon research has shown that people are significantly more susceptible to social attacks received on mobile devices; this is a result of mobile design and people’s tendency to multitask on mobile devices.
Businesses globally have lost $12.5bn over the past five years as a result of phishing scams. Advanced impersonation spear phishing has emerged as one of the most popular and successful attack methods being leveled at businesses – small and large – around the world. Rewards for attackers are high, and the damage to organizations can be catastrophic, resulting in wire payment fraud, file sharing, credential theft and eventual systems takeover.
How do you prevent advanced impersonation spear phishing?
Most organizations rely on Secure Email Gateways (SEGs) to keep inboxes safe. To identify and prevent inbound threats, SEGs commonly rely on the following machine-layer methods:
- Payload inspection, such as scanning URLs and attachments. This leaves organizations vulnerable to zero-payload attacks (emails that carry no link or attachment and rely on the message text alone) and can falsely increase user confidence.
- Spam and bulk-phishing prevention. Because these controls focus on past known attacks and basic email characteristics (e.g. domain authentication), they fail to prevent advanced impersonation, which is low-volume and crafted to evade such systems.
- Rules to prevent impersonation. Rules can prevent basic impersonation attacks (e.g. by detecting newly registered domains, mismatched sender/reply-to addresses, etc.).
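To make the third bullet concrete, here is an added example of the kind of header rules a gateway applies. It is illustrative code written for this page, not Tessian's or any SEG vendor's, and everything it consumes is constructed: the domain registration dates stand in for a WHOIS or domain-age lookup, the address book and the three sample messages are made up, and the display-name rule is an assumption about a common SEG check rather than something the page lists. The third sample, a message sent from a genuine partner account that has been compromised, is included to show the limitation the next paragraph describes: header rules alone find nothing to flag.

```python
"""Illustrative rule-based impersonation checks of the kind an SEG applies.
Added example for this page, not Tessian's code. All data is constructed."""
from datetime import date
from email.utils import parseaddr

# Constructed stand-in for a WHOIS / domain-age service (assumption: a real
# gateway would query registration data rather than a hard-coded table).
DOMAIN_REGISTERED = {
    "example.com": date(1995, 8, 14),
    "examp1e.com": date(2024, 3, 2),          # lookalike, recently registered
    "partner-corp.example": date(2010, 1, 1),
}

# Constructed address book of contacts the organisation already knows.
KNOWN_CONTACTS = {
    "Jane Doe": "jane.doe@example.com",
    "Alex Vendor": "alex@partner-corp.example",
}

NEW_DOMAIN_DAYS = 90          # domains younger than this are treated as suspicious
TODAY = date(2024, 5, 1)      # fixed "now" so the demo is reproducible


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def check_headers(headers, today=TODAY):
    """Apply three header rules and return the list of findings (empty = clean)."""
    findings = []
    display_name, from_addr = parseaddr(headers.get("From", ""))
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    from_domain = domain_of(from_addr)

    # Rule 1: newly registered (or unknown) sender domain.
    registered = DOMAIN_REGISTERED.get(from_domain)
    if registered is None:
        findings.append(f"no registration record for sender domain {from_domain}")
    else:
        age = (today - registered).days
        if age < NEW_DOMAIN_DAYS:
            findings.append(f"sender domain {from_domain} registered {age} days ago")

    # Rule 2: Reply-To redirects replies to a different domain than From.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"reply-to domain {domain_of(reply_addr)} differs from sender domain {from_domain}")

    # Rule 3 (assumed common check): display name of a known contact, different address.
    expected = KNOWN_CONTACTS.get(display_name)
    if expected and expected.lower() != from_addr.lower():
        findings.append(f"display name '{display_name}' matches known contact {expected} but address is {from_addr}")

    return findings


def verdict(headers, today=TODAY):
    """Map findings to a gateway action."""
    return "quarantine" if check_headers(headers, today) else "deliver"


# Constructed sample messages (header dicts only; bodies are irrelevant to these rules).
SAMPLE_LEGIT = {"From": '"Jane Doe" <jane.doe@example.com>'}
SAMPLE_LOOKALIKE = {
    "From": '"Jane Doe" <jane.doe@examp1e.com>',
    "Reply-To": "<accounts@mail.example>",
}
# Genuine partner address used by someone other than the partner: nothing in
# the headers deviates, so these rules cannot see it.
SAMPLE_COMPROMISED = {"From": '"Alex Vendor" <alex@partner-corp.example>'}

if __name__ == "__main__":
    for label, msg in [("legit", SAMPLE_LEGIT), ("lookalike", SAMPLE_LOOKALIKE), ("compromised", SAMPLE_COMPROMISED)]:
        print(label, verdict(msg), check_headers(msg))
```

Running the block flags the lookalike message on all three rules (a 60-day-old domain, a redirected Reply-To and a borrowed display name), delivers the genuine message, and also delivers the compromised-account message, which is exactly the gap that header rules leave and that the page attributes to rule-based gateways.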
While SEGs can block malware and bulk phishing attacks, rule-based solutions cannot stop advanced impersonation attacks and are incapable of detecting external impersonation.
Tessian Defender detects all possible impersonation types, including the manipulation of internal and external contacts. Defender stops advanced threats that legacy systems miss.
Tessian Defender’s stateful machine learning retroactively analyzes historical email data in order to understand the difference between safe and unsafe emails being received. By analyzing multiple data points within email headers, body text and attachment data, Defender can detect and prevent threats in real time with minimal end-user disruption.
To learn more about Tessian or book a demo of Tessian Defender, contact us here.