As security practices evolve, cybercriminals keep finding new ways to carry out their attacks. Spear phishing, the use of highly personalized, carefully designed email attacks, is being used to steal sensitive information such as login credentials or financial details, which is then used to commit fraud, identity theft and other crimes.
A recent industry report from Barracuda found that spear phishing attacks are becoming increasingly common and often bypass traditional email security. As companies get smarter about security, attackers are executing tailored spear phishing campaigns built on sophisticated social engineering in the hope of more lucrative payoffs.
Spear phishing emails are designed to evade traditional email security measures, including gateways and spam filters, which rely on blacklists and reputation analysis. They are often sent from high-reputation domains or from already compromised email accounts, so reputation checks pass, and they usually contain no malicious links or attachments for a scanner to flag.
Attacks typically use spoofing techniques and, when they do carry links, use “zero-day” links: URLs on domains that have not appeared in previous attacks, or pages inserted into hijacked legitimate websites, so they are unlikely to be on any block list used by URL protection technologies. Scammers also rely on social engineering tactics, including urgency, brevity and pressure, to increase the likelihood of success.
Most Spear Phishing Attacks Are Brand Impersonation Scams
Brand impersonation makes up 83% of spear phishing attacks. In these attacks, scammers use email to impersonate a trusted entity, such as a well-known company or a commonly used business application, typically to get recipients to give up account credentials or click on malicious links. Attackers often use domain spoofing or lookalike domains to make the impersonation convincing.
Barracuda found that nearly one in five of these attacks involves impersonation of a financial institution. The most common brands impersonated were Microsoft, Apple, DocuSign, Chase and UPS.
Using carefully designed templates that impersonate top brands, scammers send an email claiming your account has been frozen and giving you a link to reset your password. Sometimes, these emails ask you to review your account or a document. If you click on the link provided, you’ll arrive at a phishing website; it looks legitimate, but it’s designed to harvest your login credentials. If you enter your username and password on the fake site, the crooks then gain access to your real account and they can steal confidential data, conduct financial fraud and launch more targeted attacks within your organization.
Sextortion Scams Increasing, Becoming More Sophisticated and Bypassing Email Gateways
In most sextortion scams, attackers leverage usernames and passwords stolen in data breaches to send threatening emails and trick victims into paying them, often quoting a breached password as supposed proof that the victim's machine was compromised. Attackers also frequently spoof the victim's own email address, pretending to have access to it, to make the attack even more convincing.
The scammers claim to have compromising video, images or other content allegedly recorded on the victim's computer and threaten to share it with all of the victim's email contacts unless a ransom is paid. The ransom is typically a few hundred dollars, demanded in Bitcoin, which is harder to tie to a person than a bank transfer and cannot be reversed once paid.
Business Email Compromise Attacks Fewer, But Far More Costly
Business email compromise attacks make up only 6% of spear phishing attacks but have accounted for more than $12.5 billion in exposed losses (actual and attempted) since 2013, according to the FBI.
In most business email compromise attacks (also known as CEO fraud, whaling or wire transfer fraud), scammers impersonate an employee within the organization. Attackers use spoofing, social engineering tactics and compromised accounts to trick employees into disclosing sensitive financial and personal information. Often these highly personalized emails contain no malicious links or attachments, which makes them very difficult to detect with traditional email security.
Hackers spend time researching an organization and its employees before launching an attack. They impersonate an executive or other employee in an email, requesting a wire transfer or personally identifiable information (PII) from finance department employees and others with access to sensitive information. Once the money has been wired to the fraudulent account it is usually impossible to get back unless the transfer is reported to the bank within hours.
More than 1,000 unique email domains are used to launch business email compromise attacks, but just 10 top domains are used in 62% of all attacks.
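The checks that the brand impersonation and business email compromise sections above describe, written out as an added example rather than code from the Barracuda report or any product: a Python script that parses one email and flags lookalike sender domains (homoglyph folding, edit distance, and a brand label used as part of the domain), a brand name or an executive's name in the display name that does not match the sender address, a Reply-To pointing at a different domain, and the urgency and payment language the report mentions. The brand list is the one the report names; the internal executive directory, the keyword lists and the three sample messages are constructed assumptions, and the script makes no SPF/DKIM/DMARC query, so a message from the genuine brand domain is left to those controls.

```python
"""Impersonation checks on a single email. Added example with constructed data;
not the report's or any vendor's detection logic."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Brands are the ones the report names; everything else is constructed here
# and would come from configuration in a real deployment.
BRAND_DOMAINS = ["microsoft.com", "apple.com", "docusign.com", "chase.com", "ups.com"]
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> directory address
URGENCY_WORDS = ["urgent", "immediately", "asap", "right away", "frozen",
                 "suspended", "24 hours"]
PAYMENT_WORDS = ["wire transfer", "payment", "invoice", "gift card", "bank details"]
# Substitutions used to build lookalike domains; multi-character pairs go
# first so "rn" is folded to "m" before single characters are considered.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
              ("5", "s"), ("7", "t"), ("\u043e", "o"), ("\u0430", "a"), ("\u0435", "e")]


def registrable(domain):
    """Last two labels, e.g. mail.chase.com -> chase.com. Assumes single-label
    public suffixes; a real deployment would use the Public Suffix List."""
    return ".".join(domain.lower().strip().split(".")[-2:])


def normalize(domain):
    """Strip accents and fold homoglyphs so rnicros0ft.com reads as microsoft.com."""
    folded = "".join(c for c in unicodedata.normalize("NFKD", domain.lower())
                     if not unicodedata.combining(c))
    for src, dst in HOMOGLYPHS:
        folded = folded.replace(src, dst)
    return folded


def edit_distance(a, b):
    """Levenshtein distance, standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain):
    """Return the brand domain that `domain` imitates, or None. The genuine
    brand domain is not a lookalike; whether it was spoofed is a question for
    SPF/DKIM/DMARC, which this offline check does not cover."""
    reg = registrable(domain)
    if reg in BRAND_DOMAINS:
        return None
    norm_reg, norm_full = normalize(reg), normalize(domain.strip())
    for brand in BRAND_DOMAINS:
        if edit_distance(norm_reg, brand) <= 1:
            return brand
        # brand used as a whole label or hyphenated part anywhere in the name:
        # chase-secure.com, chase.com.secure-login.net; purchase.com does not match
        label = re.escape(brand.split(".")[0])
        if re.search(r"(^|[.-])" + label + r"([.-]|$)", norm_full):
            return brand
    return None


def analyze(raw):
    """Parse one raw message (single-part text assumed) and return sorted findings."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name = " ".join(display.lower().split())
    findings = set()
    brand = lookalike_brand(from_domain) if from_domain else None
    if brand:
        findings.add("lookalike-domain:" + brand)
    for brand in BRAND_DOMAINS:  # brand named in display name, mail not from the brand
        label = brand.split(".")[0]
        if label in name and registrable(from_domain) != brand:
            findings.add("brand-in-display-name:" + label)
    real = EXECUTIVES.get(name)  # executive's name on a non-directory address
    if real and addr.lower() != real:
        findings.add("executive-impersonation")
    _, reply = parseaddr(msg.get("Reply-To", ""))  # replies steered elsewhere
    if "@" in reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.add("reply-to-mismatch")
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(w in text for w in URGENCY_WORDS):
        findings.add("urgency-language")
    if any(w in text for w in PAYMENT_WORDS):
        findings.add("payment-request")
    return sorted(findings)


# Constructed sample messages, not captured traffic.
BRAND_SCAM = """From: Microsoft Account Team <security@rnicrosoft.com>
To: alice@example.com
Subject: Your account has been frozen

Unusual sign-in detected. Reset your password immediately:
http://rnicrosoft.com/reset
"""
BEC_SCAM = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <jane.doe.ceo@outlook.com>
To: accounts@example.com
Subject: Quick request

Are you at your desk? I need a wire transfer processed right away,
I'm in meetings all day and can't take calls.
"""
BENIGN = """From: Bob Smith <bob.smith@example.com>
To: alice@example.com
Subject: Tuesday meeting notes

Attached are the notes from Tuesday. No action needed.
"""
```

Calling `analyze(BRAND_SCAM)` returns the lookalike-domain, brand-in-display-name and urgency findings; `analyze(BEC_SCAM)` returns executive-impersonation, reply-to-mismatch, urgency and payment-request; `analyze(BENIGN)` returns an empty list. The substring test for brand labels in display names is deliberately loose (it will match "ups" inside "groups"), so in practice these findings are weighted and combined rather than blocked on individually.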
Preventing Spear Phishing Attacks: Technology and Training
Here are some things your organization can do to recognize and mitigate spear phishing attacks, keeping your highly sensitive data safe:
- Take advantage of artificial intelligence. Scammers are adapting email tactics to bypass gateways and spam filters, so it’s critical to have a solution in place that detects and protects against spear phishing attacks, including business email compromise, brand impersonation and sextortion. Deploy purpose-built technology that doesn’t solely rely on looking for malicious links or attachments. Using machine learning to analyze normal communication patterns within your organization allows the solution to spot anomalies that may indicate an attack.
- Don’t rely solely on traditional security. Blacklist-based email security cannot catch “zero-day” links or most brand impersonation, because the domains and accounts involved have no bad reputation yet; layer on controls that do not depend on the sender or URL having been seen in an earlier attack.
- Deploy account-takeover protection. Many spear phishing attacks originate from compromised accounts; be sure scammers aren’t using your organization as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised and that remediates in real-time by alerting users and removing malicious emails sent from compromised accounts.
- Use multi-factor authentication. Multi-factor authentication (also called two-factor authentication or two-step verification) adds a layer of security beyond the username and password, such as an authentication code, a thumbprint or a retinal scan. Note that one-time codes can still be relayed by a phishing site that proxies the real login page in real time; phishing-resistant methods bound to the site's origin, such as FIDO2/WebAuthn security keys, hold up where codes do not.
- Train staffers to recognize and report attacks. Educate users about spear phishing attacks by making it part of security awareness training. Ensure staffers can recognize these attacks, understand their fraudulent nature and know how to report them. Use phishing simulations for email, voicemail and SMS to train users to identify attacks, test the effectiveness of your training and identify the users most vulnerable to them.
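The communication-pattern analysis the first bullet describes, and the compromised-account detection the third asks for, reduced to their core as an added example that is not Barracuda's model or anyone's product code: build a per-sender baseline (who they write to, at what hours) from historical mail, then score a new outbound message by how far it departs from that baseline. The mail history, the thresholds and the weights are constructed for this example; a real deployment baselines weeks of traffic and tunes the weights against its own false-positive rate.

```python
"""Baseline-and-anomaly scoring of outbound mail. Added example with constructed
history and illustrative weights; not the report's or any vendor's model."""
from collections import defaultdict
from datetime import datetime

# Constructed mail log: (sender, recipient, ISO timestamp). A handful of rows
# is enough to show the mechanics; production baselines span weeks.
HISTORY = [
    ("jane.doe@example.com", "bob.smith@example.com", "2019-03-04T09:15:00"),
    ("jane.doe@example.com", "bob.smith@example.com", "2019-03-05T10:40:00"),
    ("jane.doe@example.com", "alice@example.com", "2019-03-05T14:05:00"),
    ("jane.doe@example.com", "alice@example.com", "2019-03-06T11:30:00"),
    ("jane.doe@example.com", "bob.smith@example.com", "2019-03-07T16:20:00"),
    ("bob.smith@example.com", "accounts@example.com", "2019-03-04T13:00:00"),
    ("bob.smith@example.com", "accounts@example.com", "2019-03-06T12:10:00"),
]
PAYMENT_WORDS = ("wire transfer", "payment", "invoice", "bank details")
# Illustrative weights: a never-seen recipient domain is the strongest single
# signal, because compromised accounts are used to reach new targets.
WEIGHTS = {"first-time-recipients": 1, "new-recipient-domain": 2,
           "unusual-hour": 1, "payment-language": 1}


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def build_baseline(history):
    """Per-sender profile: the recipients they have written to and the hours
    of day at which they have sent."""
    base = defaultdict(lambda: {"recipients": set(), "hours": set()})
    for sender, rcpt, ts in history:
        base[sender]["recipients"].add(rcpt)
        base[sender]["hours"].add(datetime.fromisoformat(ts).hour)
    return base


def score_message(baseline, sender, recipients, ts, text):
    """Return (score, findings) for one outbound message from `sender`.
    A higher score means the message departs further from the baseline."""
    profile = baseline.get(sender)
    if profile is None:
        return 3, ["no-baseline-for-sender"]
    findings = []
    new = [r for r in recipients if r not in profile["recipients"]]
    if new:
        findings.append("first-time-recipients:%d" % len(new))
    known_domains = {domain(r) for r in profile["recipients"]}
    if any(domain(r) not in known_domains for r in new):
        findings.append("new-recipient-domain")
    hour = datetime.fromisoformat(ts).hour
    if not any(abs(hour - h) <= 1 for h in profile["hours"]):  # +/- 1h tolerance
        findings.append("unusual-hour:%02d" % hour)
    if any(w in text.lower() for w in PAYMENT_WORDS):
        # normal on its own for finance staff; it matters in combination
        findings.append("payment-language")
    score = sum(WEIGHTS[f.split(":")[0]] for f in findings)
    return score, findings


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Jane's real account, so header checks pass; the pattern is what gives it away.
    print(score_message(base, "jane.doe@example.com", ["accounts@example.com"],
                        "2019-03-09T02:30:00",
                        "Please process the attached wire transfer before noon."))
```

With the constructed history, a routine note from Jane to Bob at 10:05 scores 0, the 02:30 wire-transfer request to a recipient she has never written to scores 3, and a 02:31 message to two addresses at an unknown external domain carrying "bank details" language scores 5. The hour check uses a one-hour tolerance around observed sending hours; with a real baseline you would use a distribution over hours and weekdays rather than a set, but the shape of the logic is the same.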