How many people can tell a spear phishing email from an ordinary phishing email? The two threats look alike, but they are distinct enough to count as two different kinds of attack. Hyper-awareness, as we like to call it, is the key to cyber security.
Let’s begin with the odd spelling. The term “phishing” was coined by admirers of the phone phreaks, the first generation of hackers, who were active in the 1960s and 1970s. The phreaks started a long tradition in hacking with a simple trick: a toy whistle given away in boxes of Cap’n Crunch cereal happened to produce a 2600 Hz tone, and blowing it into a phone receiver tricked the phone company’s switching equipment into granting a free long-distance call. It may sound absurd today, but the trick was revolutionary at the time. It exploited a flaw in call-routing switches that relied on in-band signaling, and it gave rise to a whole generation of phone phreaks.
Phishing is the digital equivalent of casting a net. It involves sending emails that trick users into clicking URLs leading to landing pages that spoof a well-known brand such as Microsoft. The fake page hosts a web form used to harvest login credentials and personal information. Common phishing lures include “Your account has been locked,” “Please change your password” and “Please update your bank account information.”
Sometimes it is nearly impossible to tell a fake web form from the real one. The URL, however, often gives the game away. For instance, a phishing link purporting to come from Bank of America might lead to a site at “www.bankofamericaincu.co” (the bank’s actual domain is www.bankofamerica.com). Anyone who logs in there hands their credentials, social security number and other personal information to the criminals who built it.
Phishing is commonly used to steal login credentials for cloud applications such as Office 365. The phisher sends an email asking the user to log into their Office 365 account to access the platform, retrieve a file or update account information. Clicking the URL leads to a fake Microsoft login page where the credentials are harvested, much as in the Bank of America example.
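The lookalike-domain test above can be automated. The following is an added example (not code from the original article or from Vade Secure) that parses a URL, extracts its registrable domain and flags the telltale signs of a credential-harvesting link: a brand name in the hostname whose registrable domain is not one the brand actually owns, a raw IP address, a punycode label, an unusually deep subdomain chain, or user-info before the “@” that hides the real host. The brand allowlist and the short public-suffix table are assumptions constructed for the example; a production check should use the full Public Suffix List and the organisation’s own allowlist.

```python
from urllib.parse import urlparse
import ipaddress

# Constructed allowlist of registrable domains each brand really uses (assumption
# for this example; maintain your own in production).
BRAND_DOMAINS = {
    "bankofamerica": {"bankofamerica.com", "bofa.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
}

# Two-level public suffixes this simplified check recognises. A real deployment
# should consult the full Public Suffix List instead of this short table.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the part of the hostname that someone had to register, e.g.
    'bankofamericaincu.co' for 'www.bankofamericaincu.co'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url):
    """Return a list of reasons the URL looks like a phishing lure; empty means
    nothing suspicious was found (which is not proof that it is safe)."""
    reasons = []
    # urlparse needs a scheme to split the host out; assume http for bare hosts.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no hostname"]
    if parsed.scheme != "https":
        reasons.append("not https")
    # A bare IP address is never how a bank or SaaS vendor serves a login page.
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
        return reasons
    except ValueError:
        pass
    # xn-- labels are IDN/punycode; classic vehicle for homograph lookalikes.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homograph)")
    # Brand name anywhere in the host, but the registrable domain is not theirs.
    reg = registrable_domain(host)
    flat = host.replace("-", "").replace(".", "")
    for brand, good in BRAND_DOMAINS.items():
        if brand in flat and reg not in good:
            reasons.append(f"mentions '{brand}' but registrable domain is {reg}")
    # microsoft.com.account-verify.<attacker>.net style chains.
    if host.count(".") >= 4:
        reasons.append("unusually deep subdomain chain")
    # https://bofa.com@evil.example/ : the browser goes to evil.example.
    if parsed.username:
        reasons.append(f"userinfo in URL; the real host is {host}")
    return reasons


if __name__ == "__main__":
    for u in ("www.bankofamericaincu.co",
              "https://login.microsoftonline.com/",
              "https://microsoft.com.account-verify.example.net/login",
              "https://bofa.com@evil.example/"):
        print(u, "->", assess_url(u) or "no findings")
```

The check is deliberately conservative about what it calls safe: a hostname that passes every test can still be a freshly registered domain with no brand name in it, which is exactly the kind of link that gets past reputation-based filters.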
What’s spear phishing?
Generic phishing is a mass-distribution process: it casts a wide net. Phishing campaigns do not target victims individually; they go out to hundreds, sometimes thousands, of recipients. Spear phishing, by contrast, is highly targeted and aimed at a specific individual. The attacker pretends to be someone you know and trust. It’s personal.
Spear phishing attacks are after something specific. One common scheme is business email compromise (BEC), in which a cybercriminal impersonates a senior employee and requests a wire transfer (to a fraudulent business), a change to direct deposit details or other sensitive information. To pass as a friend or colleague, the attacker does reconnaissance first: searching for you on social media and the wider Internet, and possibly pulling your details from data breaches circulated over peer-to-peer (P2P) protocols such as BitTorrent.
Here is a spear phishing scenario. You are Bob, and Joe Smith is your CEO. A spear phisher finds you on LinkedIn and sees that you are connected to Joe. He follows you on Facebook, learns which teams you root for and takes an interest in the project you are working on.
The attacker then creates an email account under the name email@example.com. While the real Joe is on vacation (something the phisher learned from Facebook), the fake Joe sends you an email: “Ugh, Bob… I am on vacation, but I need a wire transfer of $100,000 to a contractor in China for our project. It is urgent that you take care of it. These are the wiring instructions.”
If you are not paying attention, you complete the transfer. This is a common form of business email compromise. Even people trained not to do this get anxious when the “CEO”, or someone else senior, presses them to act. It’s Joe, not some stranger… or so you think.
Phishing vs Spear Phishing
Spear phishing and phishing are two common types of email attack that try to trick you into clicking malicious links or opening malicious attachments. The difference is the target.
- Phishing emails are sent to large numbers of recipients more or less at random, in the expectation that only a small proportion will respond. A fake email might arrive from a well-known delivery company, telling you that your package has been delayed: click the link, and malware is downloaded to your device. Or you might be asked for your social security number, name and address, information that can then be used for fraud or identity theft, or sold on the black market.
- Spear phishing emails are designed to get one particular recipient to act. Using social media, criminals pick out a specific person within an organization and craft an email just for them. Say you post online that you will be in Chicago soon. You might then receive an email from a “colleague” saying, “Hey, while you’re there, you’ve got to check out the menu at Joe’s Grill.” Click the link, and malware is installed on your computer. Another version comes from your “CEO”: he is traveling abroad, his wallet, phone and briefcase have been stolen, and could you transfer five thousand dollars right away to this account?
Why is spear phishing awareness important?
Spear phishing attacks are the root cause of many data breaches, some of them very serious and costly. According to the FBI’s 2018 Internet Crime Report, business email compromise cost US victims more than $1.2 billion that year, and phishing cost US victims more than $48 million.
Email filters can stop large-scale phishing campaigns whose URLs are already known: a traditional filter catches messages containing URLs on a blocklist. But if the phishing URL is new, or the message is a personalized email from the fake “Joe” with no malicious link in it at all, it sails straight through a traditional filter.
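A URL blocklist has nothing to match against in the Joe-and-Bob message above, but the message still carries signals a filter can score. The following is an added example (not code from the original article or from Vade Secure) that parses a raw email with Python’s standard `email` module and checks the signals that matter for business email compromise: a display name that matches an executive in the directory while the address is external, a sender domain within a couple of edits of the organisation’s own domain, a Reply-To that diverges from From, and pressure language in the body. The organisation domain `example.com`, the executive directory, the keyword list and both sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                              # assumed: the defended org
EXECUTIVES = {"joe smith": "joe.smith@example.com"}     # assumed directory entry
URGENCY_TERMS = ("urgent", "wire transfer", "wiring instructions", "right away")


def levenshtein(a, b):
    """Edit distance; used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(raw):
    """Return a list of BEC indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # 1. Display-name impersonation: the name is an executive's, the address is not.
    key = name.strip().lower()
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Lookalike sender domain (one or two edits away from our own).
    if domain and domain != ORG_DOMAIN and 0 < levenshtein(domain, ORG_DOMAIN) <= 2:
        findings.append(f"sender domain {domain} is a lookalike of {ORG_DOMAIN}")

    # 3. Reply-To steering replies somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr:
        findings.append(f"Reply-To {reply} differs from From {addr}")

    # 4. Pressure language typical of wire-fraud lures.
    body = msg.get_payload(decode=True)
    body = body.decode(errors="replace") if isinstance(body, bytes) else str(body)
    hits = [t for t in URGENCY_TERMS if t in body.lower()]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample: the fake-Joe lure from the scenario, sent from a lookalike domain.
SAMPLE = """\
From: Joe Smith <joe.smith@examp1e.com>
Reply-To: joe.smith.ceo@mail.example
To: bob@example.com
Subject: Urgent wire transfer

Ugh, Bob... I am on vacation, but I need a wire transfer of $100,000 to a
contractor in China for our project. It is urgent that you take care of it.
Wiring instructions attached.
"""

# Constructed sample: a genuine note from the real Joe.
LEGIT = """\
From: Joe Smith <joe.smith@example.com>
To: bob@example.com
Subject: Lunch

Bob, are we still on for lunch Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE), ("legit", LEGIT)):
        print(label, "->", assess_message(raw) or "no findings")
```

None of these checks needs a URL or attachment, which is the point: the score comes from who the message claims to be from and what it asks for, not from a reputation lookup. The keyword list is the weakest of the four signals and should only ever add weight to the header-based findings, never trigger on its own.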
Phishing, and especially spear phishing, is a dangerous and effective attack vector, but defense is possible. Phishing awareness training teaches users how to spot phishing emails. Vade Secure also uses artificial intelligence, including machine learning, to identify malicious URLs and attachments and to detect attempts to spoof the identities of colleagues and business partners.