Advanced Email Threats
The Ultimate Guide to Spear Phishing
by Andrew Webb
Thursday, December 9th, 2021
Phishing, spear phishing, smishing, vishing, and several other *ishing techniques all aim to do one thing: convince targets to reveal information which is either valuable in itself and can be ransomed or sold, or can be used to access financial systems to transfer money.
That information could be account logins, bank details, customer information, or personal identifiable information (PII).
Types of phishing attacks
Phishing is a numbers game; hackers send hundreds or thousands of messages in the hope that even just oneeee person is distracted enough to click.
That’s why a lot of attacks leverage popular culture. For example, when the smash hit series Squid Games ended, bad actors wasted no time in sending out ‘exclusive look at season 2’ scams.
TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware https://t.co/iTTPjTSwWi @proofpoint #SquidGame #Dridex pic.twitter.com/ShwKRnoimi
— David Bisson (@DMBisson) November 1, 2021
Scammers are like wasps at a picnic, they’ll try and attack anything to provoke you… even your daily cup of Joe. As one InfoSec attendee at our Human Layer Security Summit in November said, “If a hacker created a fake offer for free pumpkin spiced latte from Starbucks, trust me, this time a year, people will click on it”.
But there’s a much more targeted sub-category of phishing: spear phishing.
Spear phishing attacks center on one or a few individuals. Hackers generally use information like a person’s whereabouts, nickname, or details about their work to craft customized, believable messages.
And getting that information is surprisingly easy. We live our lives online, and every action we take leaves a trail of data and information. Social media status updates, geo-located photographs, travel tickets, venue check-ins, all these can be used to build a picture about an individual’s movements and preferences.
In fact, our How to Hack a Human report revealed that 90% of people post information related to their personal and professional lives online. One-third of people share business travel updates and photos online, and 93% of people update their social profiles when they get a new job. Out of Office replies also contain plenty of data that can be harnessed for an attack.
Our research also revealed that 88% of people have received a suspicious message this year. Can you guess the most popular channel? Email.
Verizon’s 2021 Data Breach Investigations Report found that a staggering 96% of phishing or spear phishing attacks arrive via email (the other means are smishing, which uses SMS, and vishing, which uses faked voicemail or phone calls).
Here then, is our ultimate guide to spear phishing attacks: how to spot them, how to stop them, and how to ensure your organization is alert, trained and protected.
How big of an issue are we talking about here?
It’s a big problem. 2021’s Spear Phishing Threat Landscape Report revealed that 75% of organizations experienced some kind of phishing attack in 2020. Another 65% faced Business Email Compromise (BEC) attacks, and 35% experienced spear phishing attacks.
Graph from the FBI’s Internet Crime Report 2020
And according to the FBI, phishing incidents nearly doubled in frequency, from 114,702 in 2019, to 241,324 incidents in 2020. In all, there were more than 11 times as many phishing complaints to the FBI in 2020 compared to 2016. The numbers for 2021 will no doubt be even higher.
Our report also found that the average employee receives 14 malicious emails a year. For a 500-person company, that’s 7,000 a year. However, this number rose dramatically in the retail sector to 49 on average. Manufacturing employees received 31, R&D 16, and tech employees 14.
The problem is, you just can’t stop people from using email. For many of us, it’s a critical part of our jobs. In fact, according to data from Tessian’s own platform, employees send around 4800 emails a year. Our inboxes are a revolving door of links, documents, and information – a door bad actors are quietly trying to slip through.
How a phishing attack starts…
Just like real fishing, the cyber version needs bait – something to entice, scare, or shock the target to act. For this, bad actors like to tap into the zeitgeist. Whatever trend, fashion, must-see TV show, or social concern is currently top of mind for their victims, they’ll try to exploit it.
What bad actors like most is something big that affects a large number of people at the same time, and things don’t get much bigger than a global pandemic. At the end of 2020, Britain’s National Cyber Security Centre (NCSC) revealed that it removed more online scams that year than in 2016 to 2019 combined.
In total they found 120 separate phishing campaigns in which the UK’s National Health Service was impersonated – up from just 36 in 2019. The lure commonly used in these scams? The vaccine roll-out.
Indeed, the pandemic provided – and is still providing – a once in a lifetime global opportunity for scammers. Our own survey from 2021 found that 35% of US citizens and 22% of UK citizens said they’d received a ‘proof of vaccination’ phishing email this year.
On top of these were Zoom link scams as we all went remote, logistic firm scams as we ordered everything online, romance scams as we got lonely, and ‘back to school’ scams as young people went back into in-person education. Scammers even went for tax day scams as everyone prepared to file their tax returns.
The hook: impersonation
Again, just like real fishing, you need a mechanism to get the bait into the water – the hook. An email has to come from someone, right? And getting someone to click a link that appears to have come from Zoom, Netflix, or their boss means convincing them that it’s really from that organization or person.
Business email compromise (BEC)
One way scammers do this is with business email compromise (BEC). BEC is any phishing attack where the attacker uses a hacked, spoofed, or impersonated corporate email address to convince a target that the email is from a legitimate business.
Here attackers are looking to spoof big global organizations that everyone will have heard of and therefore trust and potentially use – so think Microsoft, Apple, Google, as well as Amazon, DHL, and UPS. We all receive perfectly legitimate emails from these companies all the time, so our defenses are lower.
You can find out more about spoof emails here
As well as global brands and companies, BEC attacks can also impersonate a person, typically a senior executive or leader. The target is often a junior employee who’s instructed to urgently help close a deal by transferring funds. This is called CEO Fraud.
CEO fraud is a particular type of spear phishing in which a fraudster impersonates a senior company executive via email. This could be a CEO, CFO, Head of HR — or anyone with the power to ask employees to make payments or send sensitive information.
In these types of attacks, there is again normally a sense of urgency, a perceived external threat, and crucially, often the promise of some sort of incentive for the employee to carry out the action.
Urgency is not always the case however, there’s also the ‘reasonable request’. As Glyn Wintle, CTO and co-founder of Tradecraft, told us, “If you say the request must be actioned in one day, you will get a large number of replies from employees complaining it’s not enough time. If you say it must be actioned in a week, a lot of people will forget about it. If you say it must be actioned in two working days, people think it’s a reasonable period of time and will do it immediately to avoid forgetting about it”.
It even happens to Tessian staffers, a hacker impersonated our CEO and co-founder, Tim Sadler, and tried to get an employee to get them some iTunes vouchers. Needless to say, they didn’t fall for it.
Account Takeover (ATO)
Attacks launched from Account Takeovers (ATOs) are some of the hardest to stop because the attacker will start the phishing process from a genuine, compromised account belonging to a real person, rather than a spoofed or fake one.
That’s why ATOs are able to slip past traditional phishing solutions like Secure Email Gateways (SEGs).During the pandemic, ATO attacks increased 307% between 2019 and 2021, and for sectors like Fintech the figure was 850%
Why we click phishing links
Hackers like to take advantage of psychological factors like stress, social relationships, and uncertainty that affect people’s decision-making, as this is often when they make mistakes.
In our Psychology of Human Error report we asked 2,000 professionals about mistakes they’ve made at work. The results made for interesting reading.
Worryingly, nearly half of employees (43%) say they’ve made a mistake at work that had security repercussions for themselves or their company.
One in four employees (25%) said they have clicked on a phishing email at work. Men were twice as likely as women to fall for phishing scams, with 34% of male respondents saying they have clicked on a link in a phishing email versus just 17% of women.
Distraction means bad action
Nearly half of respondents (45%) surveyed in our report cited distraction as the top reason for falling for a phishing scam. Other reasons for clicking on phishing emails included the perceived legitimacy of the email (43%) and the fact that it appeared to have come from either a senior executive (41%) or a well-known brand (40%). Impersonating a position of trust or authority is a common and effective tactic used by hackers in phishing campaigns.
In our spring 2020 Human Layer Summit, Glyn Wintle gave us several examples of how to set up your people and security to mitigate the risks from spear phishing.
So what does a phishing email look like?
As we know, 75% of organizations experienced some kind of phishing attack in 2020 and almost all (96%) arrived via email. But what does an actual phishing attack look like?
We’re rounded up five REAL examples of typical spear phishing attacks you can read here. All these attacks were detected (and prevented) by Tessian Defender, so no employees were harmed in the making of this blog post.
Most employees don’t really understand what a spear phishing email looks like until it’s too late. And while attacks can take lots of different forms and approaches, there are four commonalities in virtually all spear phishing emails: impersonation, motivation, urgency, and payload.
When are you most likely to be targeted by a phishing attack?
Unsurprisingly, scammers have access to a huge amount of data and, like a regular business sending a newsletter or social media post, they’ve studied when is the best time to launch an attack.
A big event in every scammer’s calendar is Black Friday, and with lots of email, money, and pressure to grab a bargain flying around, it’s easy to see why.
Black Friday came out as the worst time of the year in Our Spear Phishing Threat Landscape report, which details how Tessian detected nearly 2 million malicious emails that slipped past legacy phishing solutions over a 12-month period.
As for the most popular time of day to launch an attack, research shows that after lunch was the most popular time, followed by just before the end of the day. You can see why. People have just eaten, they’ve come back to a newly full inbox, and they’re trying to get on with the rest of their day.
At the end of the day people have one eye on the door, they might be thinking about the commute home, or dinner, or going somewhere…anything except phishing attacks.
You’re secure, but what about your suppliers?
Even if you’ve done the best you can to mitigate external risks to your organization’s staff, dangers can still come from your suppliers and other partners you work with. Businesses are porous institutions and rely on other businesses for everything from raw materials to stocking the stationary cupboard.
Big businesses rarely publish data on their supply chains, but according to this article from Forbes, Proctor and Gamble list over 75,000 suppliers, while the retailer Walmart uses over 100,000.
Hackers exploit these relationships in software supply chain attacks. These involve inserting malicious code into a piece of software that is then distributed among multiple organizations, usually the customers of the software company that owns the software.
Like all other forms of attack, supply chain attacks are increasing, up 4 fold in 2021 from 2020. The UK’s National Cyber Security Center has detailed examples of typical supply chain attacks, as well as advice on how to defend against them.
The impact of an attack
Phishing of all types is the threat most security leaders are concerned about for the following reasons: attacks are becoming more frequent, they’re performed at scale, they’re hard-to-spot, they’re time-consuming to investigate, and can be very expensive to recover from.
IBM’s annual Cost of a Data Breach found that the average cost in 2021 was $4.24 million, but can be as high as $7million depending on the sector involved and size of the breach.
Why so much?. There’s the potential ransom from the hacker, but also reputation damage, regulatory fines, and time and resources diverted from other things to deal with the attack. It adds up.
The problems with legacy phishing prevention solutions
As the attacks have gotten smarter, faster, and more varied, existing solutions are struggling to stop them. Here’s why.
Secure Email Gateways (SEGs)
Problem: SEGs lack the intelligence to learn user behavior or rapidly adapt.
The backbone of a SEG is traditional email security approaches – static rules, signature based detection, library of known threats, etc. Meanwhile, attackers consistently evolve their techniques, email networks are dynamic in nature, and human behavior is inconsistent and unpredictable. That means rules are out of date as soon as they are created and signature-based approaches are ineffective.
SEGs can’t detect advanced impersonation, account takeover (ATO), third-party supply chain risk, or wire fraud.
Karl Knowles, Global Head of Cyber for law firm HFW, told us how there’s been a huge rise in impersonation attacks, accounting for more than half of the threats HFW gets. With domain impersonation attacks also getting more sophisticated, SEGs alone can’t cope.
And as James McQuiggan, Security Awareness Advocate at KnowBe4, explained in our Fall Summit, bad actors have upped their game and started to find ways to bypass these systems by buying and configuring the same off- the- shelf hardware and software firms use, and seeing what gets through.
Problem: Easily bypassed yet potential bottlenecks to genuine business needs
Any detection made by the sandbox is dependent on a file exhibiting malicious behavior. This is easy to work around. Hackers will often send a PDF that contains a link to a malicious form to avoid detection.
Likewise, documents with a URI (Uniform Resource Identifier) have an extremely low footprint for sandboxes to detect. And the short TTL domain doesn’t leave much evidence for event analysis or threat intelligence.
There are issues with latency, too. Emails, communications, downloads, and important files can take several minutes to reach their destination because of the bottleneck sandboxes can create.
Problem: Only one-third of businesses employ DMARC and the info is publicly accessible.
Domain-Based Message Authentication Reporting and Conformance (DMARC), is an added authentication method that uses both Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to verify whether or not an email was actually sent by the owner of the domain that the user sees.
However, DMARC, SPF, and DKIM records are inherently public information – they need to be so that receiving mail clients can authenticate a sender’s domain. Attackers can see not only if your organization has a DMARC policy, but also how strictly you have configured it.
Before trying to impersonate your email domain directly, a sophisticated attacker will check if you have a strict DMARC policy in place. If you do, the attacker can still carry out an advanced spear phishing attack.
Ok so what about more security training?
You might think that your legacy solutions in conjunction with more security awareness training (SAT), will help mitigate some of these attacks.
Training is important, but the trouble with most security training is no matter how fun and engaging you try to make it, pretty much everyone in the room has somewhere else they’d rather be. It’s also expensive, time consuming, and will always be one step behind actual threats.
For most non-IT staff, trying to explain things like how potentially spoofed domain URLs are constructed is just far too technical, and something they’re hardly likely to remember in the heat of their inboxes weeks or months later.
After all, as we learned at our Human Layer Security Spring Summit, the average human makes 35,000 decisions a day – analysing a suspect domain URL in detail probably isn’t going to be one of them.
Regardless of how frequent, tailored, and engaging it is – security awareness training can’t be your only defense against social engineering. Why? many of the more sophisticated attacks just aren’t detectable by humans.
How Tessian can help
So the only question left to answer is this. When legacy solutions and training programs aren’t enough, how can we prevent employees from interacting with the malicious emails that land in their inbox?
Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.
Tessian Defender uses machine learning (ML) to protect your people from even the most advanced inbound threats.
Tessian’s machine learning algorithms analyze your company’s email data, learn employees’ normal communication patterns, and map their trusted email relationships — both inside and outside your organization.
Tessian inspects both the content and metadata of inbound emails for any suspicious or unusual signals pointing to a potential impersonation, ATO, or BEC threat. For example, payloads, anomalous geophysical locations, IP addresses, email clients, and sending patterns.
Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language via an interactive notification.
If you’re in InfoSec, you’ll know only too well that your organization is one click away from an ‘Oh Sh*t’ moment. Tessian automatically stops those moments from happening.
Questions? We’d be happy to help. Book a demo today.