Phishing vs. Spear Phishing: Differences and Defense Strategies

  • 13 February 2020

On average, 246.5 billion emails are sent and received every single day. Of those, 6.4 billion will be “fake”.

People use email to communicate with brands like Netflix and Booking.com to confirm subscriptions or make reservations, and employees communicate on a loop with suppliers, vendors, and colleagues to schedule meetings, make payments and share data.

The bottom line: email is an essential part of our daily personal and professional lives.

It’s no surprise, then, that email remains the most popular channel for cybercriminals to target victims through email scams like phishing or spear phishing attacks.

What is the difference between phishing and spear phishing?

There are three key differences between phishing and spear phishing.

  1. Phishing attacks are high-volume, most often targeting hundreds or thousands of people while spear phishing attacks are low-volume, meaning only one person or a small group of people are targeted.
  2. Phishing attacks are non-personalized while spear phishing attacks are highly personalized.
  3. Phishing emails more often employ malicious links or attachments (called “payloads”) to deliver malware or capture sensitive information, while spear phishing emails don’t always carry payloads; these are called “zero-payload attacks”.
  • What is a zero-payload attack?

    A zero-payload attack is a type of spear phishing that doesn’t rely on a link or an attachment to deliver malware or collect sensitive information. Instead, the attacker will ask outright for sensitive information or network access, or even attach a fake invoice containing bank account information to be paid into. In some cases, a cybercriminal will initiate a conversation and build up a rapport with a target over a longer period of time before issuing the request.

What is phishing?

Phishing is one of the oldest, most prevalent, and most disruptive cyber attacks in the world. For some perspective, we’ve seen a 250% increase in the frequency of phishing attacks from 2018 to 2019. Likewise, we’ve seen the cost of the average data breach climb to $3.92 million and – you guessed it – phishing attacks are the number one cause of these breaches.

Phishing attacks rely largely on impersonation – often of trusted brands – to obtain money or sensitive information from unsuspecting targets or to install malware on their computers.

While it may come as a surprise, it’s likely that at some point, most of us have actually been a target, whether via our personal email accounts or business email accounts. These attacks have even evolved past email, with bad actors now using telephone calls (known as vishing) and SMS (known as smishing) as entry vectors.

Don’t think it could happen to you?

Over the last several years alone, customers of big brands like Amazon, Apple, and Microsoft have all been targeted, impacting millions of people. This is, of course, in addition to the more blatantly obvious scams in which Bill Gates, Donald Trump or a Nigerian Prince offer to share their fortune with you.

Surprisingly, many of these scams aren’t particularly sophisticated and require little technical know-how from attackers. Instead of relying on the quality of the scam, phishing attacks target large numbers of people to increase their odds.

The logic: more targets equal more opportunity for success.

Example of phishing email

Looking at the email above, you’ll see that the email appears to be sent from FedEx Customer Service, the greeting is generic and un-personalized, and the content of the message – from the subject line to email body – motivates the user to act.

Of course, the link won’t lead to an authentic page.

Instead, it will lead users to a look-alike page. While this page will contain branded elements that resemble the genuine FedEx site, any information entered will be collected by the scammer, not FedEx.

Just like that, a crook can have access to your personal data.

It’s important to note, though, that it’s more likely that only someone who was actually expecting a delivery from FedEx will follow the link and enter information like their name, address, or phone number in order to arrange a new delivery time. Attackers know this, hence why an email like this will have been sent to hundreds or even thousands of people.

Remember: more targets equal more opportunity for success.

But, not all cyber attacks are bulk in nature; spear phishing is highly targeted and extremely difficult to detect.

What is spear phishing?

Like phishing attacks, spear phishing attacks rely on impersonation to obtain money or sensitive information or install malware. But, instead of using generic email content and the front of a trusted brand, bad actors will use personalized correspondence to manipulate targets into transferring money, handing over sensitive information, or granting access to an otherwise secure network.

Because of the personalized nature of these emails, they are not sent to hundreds of people. Instead, they’re sent to one person or a small, targeted group like a specific department within an organization, oftentimes “from” a source that’s trusted by the target(s) like a supplier, a line manager, or CEO.

Whereas a phishing scam simply requires a believable email template, potentially a look-alike landing page or an infected attachment, a successful spear phishing attack requires more effort. Given the personalized nature of a spear phishing email, a cybercriminal will have to do a bit of due diligence to ensure the email is believable and therefore effective.

Example of spear phishing email

Looking at the example above, we can see how a spear phishing email resembles a phishing email. The sender is impersonating someone else, in this case, Tom Adams, a senior employee at Dorling Clayton. Likewise, there’s a clear call to action that motivates the user to act.

There are noteworthy differences, though.

To start, the email is highly personalized. The target is addressed by name and the sender demonstrates a lot of knowledge related specifically to Laura’s organization and, it would seem, Tom Adams himself, including conferences he’s speaking at and organizations within his supply chain. What’s more, the attacker is leveraging Tom’s senior position within the company to coerce the target to act quickly.

If you got an email with an urgent request from a Senior Partner, what would you do?

A savvy recipient may notice that the sender domain looks suspicious. But, it’s rare for people to scrutinize sender domains and almost impossible for them to do so on mobile phones – where a lot of us send and receive emails – because the domain is usually hidden, with only the display name visible.

On mobile, only sender names are displayed. Email addresses are typically hidden.

Under pressure to perform, many people would pay the £11,522 into the account requested without asking any questions. Unfortunately, this swift action would be bad news for Dorling Clayton as the money would be delivered to a scammer, not SoBank.

This is a classic example of CEO Fraud.

Defense strategies for phishing

Because phishing schemes have been around since the mid-90s, there are a handful of solutions for both consumers and businesses that can help decrease the number of fraudulent emails that land in your inbox. These include the following:

  1. Spam Filters: Created and installed by Email Service Providers (ESPs) like Gmail, spam filters sort incoming messages based on a programmed set of rules. Emails with known viruses or sent from blacklisted domains will either be automatically redirected from your inbox into a junk folder or won’t be delivered at all. Think of this as your first line of defense.
  2. Secure Email Gateways (SEGs): A step above spam filters, SEGs are optimized for better spam detection and have therefore historically been an important part of a business’ security framework, in particular for large-scale bulk email detection.
  3. Training: Whether done via regular phishing simulations or cybersecurity awareness sessions, training is invaluable for both individual employees and the larger organization. After all, it is people who are controlling all of our data and networks.
  4. Email Authentication: In order to prevent direct impersonation of an organization’s domain, the organization can publish and enforce a DMARC policy, which builds on SPF and DKIM and tells receiving mail servers to quarantine or reject messages whose From: domain is not authenticated. Two caveats matter in practice: a record published at “p=none” only monitors and blocks nothing, and DMARC says nothing about look-alike domains or display name impersonation, since those messages are sent from domains the attacker genuinely controls. Unfortunately, though, only 51% of Fortune 500 companies have adopted this email-authentication standard.
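To make the DMARC point concrete, here is an added example (not Tessian code, and not taken from the original article) that parses a DMARC record and applies the alignment rules a receiving server uses: a message passes only if SPF or DKIM passed and the authenticated domain aligns with the From: header domain. The domains, records and authentication results are constructed for illustration; the organizational-domain helper is a simplification and a real implementation would consult the Public Suffix List.

```python
"""DMARC evaluation walkthrough (added example; records and domains are constructed)."""


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; aspf=s' into a tag dict with RFC 7489 defaults applied."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("invalid DMARC record: v=DMARC1 and p= are mandatory")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless stated otherwise
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless stated otherwise
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Simplification: production code must use the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, authenticated: str, mode: str) -> bool:
    """Strict ('s') alignment requires an exact domain match; relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return header_from.lower() == authenticated.lower()
    return org_domain(header_from) == org_domain(authenticated)


def evaluate(record: str, header_from: str, spf=None, dkim=None) -> dict:
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain) or None if absent.
    DMARC passes if either mechanism passed AND its domain aligns with the From: domain."""
    tags = parse_dmarc(record)
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(header_from, spf[1], tags["aspf"])
    dkim_ok = bool(dkim) and dkim[0] == "pass" and aligned(header_from, dkim[1], tags["adkim"])
    passed = spf_ok or dkim_ok
    # p=none is monitor-only: the message is delivered even though it failed.
    disposition = "deliver" if passed or tags["p"] == "none" else tags["p"]
    return {"pass": passed, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "policy": tags["p"], "disposition": disposition}


# Constructed records for a hypothetical dorlingclayton.example domain.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@dorlingclayton.example"
ENFORCED = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@dorlingclayton.example"


if __name__ == "__main__":
    # Attacker spoofs the From: header but can only pass SPF for its own MAIL FROM domain.
    spoof = ("pass", "bulk-sender.example")
    print("spoof, p=none   ->", evaluate(MONITOR_ONLY, "dorlingclayton.example", spf=spoof))
    print("spoof, p=reject ->", evaluate(ENFORCED, "dorlingclayton.example", spf=spoof))
    # Legitimate mail: SPF domain is a subdomain (fails strict alignment), DKIM d= is exact.
    print("legit, p=reject ->", evaluate(ENFORCED, "dorlingclayton.example",
                                         spf=("pass", "mail.dorlingclayton.example"),
                                         dkim=("pass", "dorlingclayton.example")))
    # Look-alike domain with its own valid DMARC: passes cleanly, which is the caveat above.
    print("lookalike       ->", evaluate("v=DMARC1; p=reject", "dorling-clayton.example",
                                         dkim=("pass", "dorling-clayton.example")))
```

The last scenario is the one to remember: DMARC authenticates the domain that was actually used, so an attacker who registers dorling-clayton.example and sets up SPF and DKIM for it will pass DMARC at the receiver. Only the spoof of the exact domain is stopped, and only once the policy is moved off p=none.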

These solutions certainly help mitigate risk, but millions of phishing emails evade detection by filters and gateways and dupe well-trained people everyday. That means individuals must still be vigilant in inspecting emails before downloading an attachment, clicking a link, or otherwise divulging sensitive information.

To stay safe on email we recommend that you:

  1. Review the email address of senders and look out for impersonations of trusted brands, including display name impersonation and domain impersonation.
  2. Always inspect URLs in emails for legitimacy by hovering over links before clicking on them.
  3. Pay attention to differences – that may be very subtle – in website content if you follow a URL after inspecting it.
  4. Never divulge personal information if you don’t trust or recognize the sender or if you have any doubts about the legitimacy of the email. Genuine brands generally won’t ask you to share sensitive personal information via email. If you’ve been prompted to, investigate and contact the brand directly, rather than hitting reply.
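The first two checks in the list above (sender address and link inspection) can be automated. The following is an added example, not code from the original article or from Tessian, that runs the same inspection a careful reader would perform over a raw message: display name impersonation, a look-alike sender domain, a Reply-To that points away from the sender, and anchor text that shows one host while the href goes to another. The trusted-contact directory, the domains and the sample messages are all constructed for illustration.

```python
"""Sender and link inspection for a raw email (added example; sample data is constructed)."""

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed directory of known senders: display names mapped to the domain they legitimately use.
TRUSTED = {
    "fedex.com": ["fedex customer service", "fedex"],
    "dorlingclayton.example": ["tom adams", "laura smith"],
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot typo-squatted domains such as 'dorlingc1ayton'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(msg, trusted=TRUSTED) -> list:
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    dom = domain_of(addr)
    for t_dom, names in trusted.items():
        # A trusted person's display name arriving from some other domain.
        if name.strip().lower() in names and dom != t_dom:
            findings.append(f"display-name impersonation: '{name}' sent from {dom}, expected {t_dom}")
        # A domain within two edits of a trusted one is almost certainly a look-alike.
        if dom != t_dom and levenshtein(dom, t_dom) <= 2:
            findings.append(f"lookalike domain: {dom} resembles {t_dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != dom:
        findings.append(f"reply-to mismatch: replies go to {domain_of(reply)}, not {dom}")
    return findings


LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def check_links(html: str) -> list:
    """Flag anchors whose visible text names a different host than the href, and plain-http links."""
    findings = []
    for href, text in LINK_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip().lower()
        parsed = urlparse(href)
        href_host = (parsed.hostname or "").lower()
        m = HOST_IN_TEXT.search(text)
        if m and m.group(1) != href_host:
            findings.append(f"link text shows {m.group(1)} but goes to {href_host}")
        if parsed.scheme == "http":
            findings.append(f"plain http link to {href_host}")
    return findings


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    return {"sender": check_sender(msg), "links": check_links(msg.get_payload())}


# Constructed spear phishing message modelled on the scenario in the article.
SUSPICIOUS = """From: "Tom Adams" <tom.adams@dorlingc1ayton.example>
Reply-To: tom.adams@mail-relay.example
To: laura@dorlingclayton.example
Subject: Urgent: supplier payment before I go on stage
Content-Type: text/html

<p>Laura, please settle the attached SoBank invoice today.</p>
<a href="http://dorlingc1ayton.example/invoice">https://dorlingclayton.example/invoice</a>
"""

# Constructed legitimate message from the real domain for comparison.
CLEAN = """From: "Tom Adams" <tom.adams@dorlingclayton.example>
To: laura@dorlingclayton.example
Subject: Conference slides
Content-Type: text/html

<p>Slides are in the <a href="https://dorlingclayton.example/portal">portal</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, analyze(raw))
```

Two limits worth knowing before relying on this: the edit-distance check is blind to homoglyphs in internationalized domain names (a Cyrillic “а” in place of a Latin “a” has distance one only after Unicode normalization), and the trusted directory must be maintained, since a name missing from it is simply never checked.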

Interested in learning a bit more? Click here for more information on how to identify and prevent phishing attacks.

Defense strategies for spear phishing

The very nature of spear phishing attacks – low-volume, high-personalization, and often zero-payload – means that they’re even more difficult to spot and prevent than phishing attacks. Unfortunately, though, many businesses are employing the same tools and techniques to protect their employees against these more targeted variants.

The problem? Impersonation can be nearly impossible for people and rule-based technology to detect when bad actors put a great deal of effort into researching their target and the people or companies they impersonate.

An individual or tool would require an in-depth understanding of the minutiae of human relationships within a particular company and advanced knowledge of common impersonation techniques to detect this type of threat.

That’s a tall order.

While SEGs might reject or flag emails sent from well-known domain impersonations, they can struggle to detect complex variants or domain spoofing. Employees – armed only with some security training at best – are then left as the last line of defense. And, with average click-through rates of spear phishing attacks at 10%, this can put a business’ people, data, and systems at risk.

How can machine learning detect impersonation?

To manage the problem of sophisticated impersonation, businesses need to invest in machine learning (ML) tools like Tessian Defender.

Trained on historical email data, Tessian Defender understands a company’s complex network of relationships and the context behind each email. This way, it’s able to detect a wide range of impersonations, from obvious payload-based attacks to subtle social-engineered ones.

By analyzing hundreds of data points – from the language patterns in an email to the domain and IP address contained in the header, among others – Tessian’s explainable ML algorithms successfully prevent spear phishing attacks by flagging anomalous emails to users with clear, educational warnings.

A warning will look something like this:

Notice what’s been flagged as suspicious about the email: the domain, the reply-to address, and the language. The user is then empowered to make a more informed decision about how to interact with the email, and administrators have oversight into which employees are targeted by these inbound attacks and whether or not they’re heeding the warning.

While Tessian Defender can and will help protect employees from spear phishing attacks and help organizations monitor trends in activity, it’s important to understand from the outset whether or not you’re an especially susceptible target.

Who is most likely to be targeted by a spear phishing attack?

When you consider the aim of a spear phishing attack – to steal data or money or infect a network with malware – it’s not surprising who the most likely targets are. They’ll tend to be those people with more privileged access to all of the above as well as those most embedded in supply chains. Here are some of the most targeted departments:

  1. Finance
  2. Human Resources
  3. Operations
  4. Legal

Of course, with so much information available online through a company’s website, press releases, and social media like LinkedIn, cybercriminals can craft an email that could fool anyone, from any department. New joiners tend to be especially vulnerable targets in Business Email Compromise or CEO Fraud because they may be unfamiliar with an organization’s processes and may be particularly keen to impress the colleagues or customers bad actors often impersonate.

High-ranking employees, high-risk

With that said, though, even the most risk-aware individuals can be duped, depending on when the email is sent, the tone in which it’s delivered, and who the perceived sender is. For example, whaling scams are targeted specifically at C-level executives because they simultaneously have their attention divided across many parts of the business and have access to significant amounts of sensitive information. That, combined with busy schedules and a tremendous amount of pressure, means that critical mistakes can – and have – happened.

In 2018, film company Pathé lost more than €19m after an attacker posed as the company’s CEO and asked another senior executive to wire funds to a fake account.

Ever-evolving threats to hack the human

Cybercriminals are using increasingly sophisticated techniques to trick unsuspecting people into handing over sensitive information or granting access to controlled networks, and it’s imperative that organizations stay ahead of the curve. After all, just one successful spear phishing attack can result in the extraction of millions of dollars, devastating data loss, and incalculable reputational damage.

Prevent spear phishing attacks in your organization with Tessian Defender

To learn more about how organizations across industries are using Tessian Defender to prevent sophisticated, highly-targeted spear phishing attacks, read some of our customer success stories here.

For more information about how Tessian can be quickly and easily deployed to Office 365, Exchange, and G Suite to protect your people, data, and networks, all without disrupting workflow or impeding productivity, request a demo now.