According to the 2018 Verizon Data Breach Report, phishing and pretexting are the two favorite tactics employed in social engineering attacks, used in 98% and 93% of data breaches respectively. And last year, the IRS noted a 400% surge in spear phishing against CEOs.
What is Spear Phishing?
Spear phishing is a targeted attack where an attacker creates a fake narrative or impersonates a trusted person, in order steal credentials or information that they can then use to infiltrate your networks. It’s often an email to a targeted individual or group that appears to come from a trusted or known source.
Get the Free Essential Guide to US Data Protection Compliance and Regulations
Spear Phishing vs. Phishing
Spear phishing is a subset of phishing attacks. The end goals are the same: steal information to infiltrate your network and either steal data or plant malware, however the tactics employed by the two are different.
Phishing attacks cast a wide net: phishers are throwing hunks of bread into a lake, and they don’t care what kind of fish they catch – as long as you take the bait, they can get into the network. They’re not personalized attacks: they’re typically distributed to a wide group of people at a time, using something that looks vaguely legitimate in hopes that enough people will click on their link so that they can get more information or install malware.
Spear Phishing, on the other hand, targets a specific individual or group. They lure their victims with information that makes it seem like they’re a trusted or familiar source, with as much personal information as possible to make their approach look legitimate.
Spear Phishing Examples
The Russian cyber espionage group Fancy Bear allegedly committed one of the more famous spear phishing campaigns: using spear phishing techniques to infiltrate the Democratic National Convention to steal emails. They first obtained an updated contact list and then targeted high-level party officials, which lead them to Podesta’s Gmail account. They stole 50,000 emails in one day, and the rest is recent history.
Fancy Bear also allegedly used spear phishing to infiltrate Bundestag, part of the German Parliament, and Emmanuel Macron’s campaign in the French election.
Spear phishing is one of the more reliable social engineering methods employed by blackhats – which is what makes the defense against spear phishing both important and challenging.
Tips for Avoiding a Spear Phishing Attack
- Be skeptical: If you want to avoid being scammed you have to ask questions – both to the potential scammer and to yourself. As a general rule, don’t immediately comply with the first request you get. Ask a question, “why do you need that?” “What are you going to do with this data?” “No, I won’t buy you a Walmart gift card.”
- Be aware of your online presence: Spear phishers depend on a certain amount of familiarity with their target. The more information you share with the public, the more ammunition a spear phisher has to convince you to give them something.
- Inspect the link: Visually inspect the links in your emails by hovering over them. Scammers are pretty good at masking URLs or making them look similar enough to trick our human brains into thinking they are ok. If a domain looks like it’s overpromising, it probably isn’t legitimate.
- Don’t click the link: Instead of clicking a link in the email, use your browser and manually navigate to the destination. Avoiding a link sent in a spear phisher’s email should guarantee that you aren’t going to a malicious website. Make it a habit of going to the websites you trust instead of clicking a link, use https as much as possible, and use your bookmarks to keep track of your known good web destinations.
- Be smart with your passwords: We all know a modern computer can easily crack a short password. You should be using passphrases that are at least 16 alphanumeric characters long: write it down, or use a password manager service. Change passwords regularly, and practice basic internet security to keep your data safe.
- Keep your software updated: Security researchers and malware distributors are in an arms race, and we are caught in the middle. Security researchers do their best to update their Anti-virus and security software to match the most recent known attacks and patch vulnerabilities. Malware distributors are doing their best to find the next best hack, application, or vulnerability they can use to steal your data. As consumers, it’s important to stay up to date: patch vulnerabilities, and update security settings and software.
- Implement a company-wide data security strategy: If 1 out of every 100 spear phishing attempts is successful, it’s more than likely that some of your data will be compromised. One compromised users can lead to lateral movement, privilege escalation, data exfiltration, and more. Implement a layered security technique to protect against spear phishing on an enterprise level – and never underestimate the value of educating employees with security awareness training.
There are many ways to enhance your data security strategy to defend your users from phishing and spear phishing attacks. You can configure strict SPF rules to check and validate who is sending the emails. Implement a Data Security Platform to protect and monitor your data, and leverage security analytics to alert your team of suspicious behavior.
Want to learn more? Find out how Varonis can help prevent and defend against spear phishing attacks – and protect your data from being compromised or stolen.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.