Spotting spear phishing campaigns, even if you are the most tech-savvy person in your company, is like spotting a needle in a haystack. They are unlike "normal" phishing campaigns, which churn out millions of emails, or more recently and most seriously text-message phishing (smishing; see an example below), in the faint hope that one or two vulnerable individuals will take the bait and click on the link.
When it comes to spear phishing, think of the criminal as actually looking over your shoulder even before they have sent you anything. Sounds sinister ... THAT'S BECAUSE IT IS! These practices have successfully sent even the most cynical CTO down to the bank, or had them transferring seriously sensitive data over to the perpetrators.
Spear phishing is a bit of an art form, but once you understand how it works, and more importantly who it targets, even the most subtle attacks suddenly stand out a mile. As phishing emails increase year on year, spotting the scams is becoming ever more important to a company. Here are some of the underlying facts.
According to Symantec Internet Security Threat Report, in 2018 71.4% of targeted attacks involved the use of spear-phishing emails.
Checkpoint Research security report 2018 showed 64% of organisations have experienced a phishing attack in the past year.
With that in mind, it begs the question: just how many weren't discovered or reported? Getting into the mind of the cyber criminal is always difficult, but to understand phishing you have to understand that it comes in different levels. Essentially, though, all they want you to do is click on a link or open an attachment so that malicious code runs on your machine: code that will extort you, collect your bank details, lock you out of your data (ransomware) or, in the worst case, give the attacker remote access so they can watch what you do in real time without you knowing. The last one is most people's worst nightmare, but thankfully is not too common.
Here's an example of scamming a corporate organisation with more considered phishing. A large corporate typically receives thousands of invoices to pay in the course of one day, delivered electronically with an invitation to download a PDF or click on a link to complete the payment. All the criminal needs is a little homework: perhaps they have worked out the company's email naming convention (firstname.lastname@company, say), or perhaps they have read in a trade magazine that "Company A" and "Company B" do business together. With that, they can download a logo, set up a legitimate-looking invoice, email it over and wait to see if it gets paid, with the added bonus of gaining access to the recipient's computer and network if any link or attachment in the message is opened, at which point they can start loading malware, Trojans or whatever other nasties they like. There are a million ways to read these emails, but please read every one with extreme caution and always do your checks.
(Image: an example of text phishing, the SMS discussed below)
I mention "text" phishing because the more people use mobile devices for work, the more prevalent this type of phishing will become. Above is a great example of what they text and what to spot, which I personally received the other week. If you receive anything remotely like this text then delete it immediately! It will typically come from an unknown mobile number, and once opened you will be invited to fill in your details, in this case for EE. One thing to always remember is that your network provider or bank will never text you a link to log in to your account. It is also essential to look at the domain, which in this case stopped me from clicking. As shown, the "EE" part is only a subdomain; the registrable domain (the part immediately before the top-level domain, highlighted) belongs to someone else entirely, so it is not an EE domain. I'm guessing, though, that if you had been down the pub for a few sherbets, or were half asleep in the morning haze pre-coffee, and saw the great artwork while just a bit fuzzy, then you would fill it out. Which of course is what they want.
As I mentioned at the beginning of this blog, think of the spear phisher as someone looking over your shoulder. The trick is selecting the weakest individual in the senior management team or at board level. You would be surprised, by doing a bit of homework, just what is out there about you in a corporate capacity. Just finding out your company's email naming convention opens up endless possibilities in the types of attack available to the criminal, followed by delivery of that all-important email critical to every spear phishing attack.
Spear phishing is upfront, personal and typically aimed at senior executives of corporates or high-net-worth individuals, or impersonates them. They are seen as cash cows, and their staff as easily duped within a high-pressure environment. An example would be tricking a junior marketing executive with an email apparently from their MD, "urgently" asking them to pay a £5,000 vendor invoice or download a file, perhaps worded around the risk of losing an account, with the onus firmly on urgency.
The reason this is so highly successful is that the criminal has identified a few basic but really important things. They have identified one or two key executives who have sign-off on larger purchases within the company, which is actually quite easy to find out using a basic LinkedIn search, or possibly by making friends on Facebook with staff in the organisation and slowly networking around the company, picking up snippets of information. It could even involve finding where staff drink socially after work and making friends that way, or could be as bold as an online date with a company employee. The premise is good information, locally sourced, and the main principle is to extract a large amount in one go.
At its core, this post is a heads-up to be vigilant. Although there are a lot of digital safeguards in place to stop this ever happening, it still goes to show that a very carefully and precisely worded email could leave the company £10k or £20k lighter.
Watch what personal information you post on the internet. Look at your online profiles: how much personal information is available for potential attackers to view? If there is anything you do not want a potential scammer to see, do not post it, or at the very minimum make sure you have configured privacy settings to limit what others can see.
Do not click links in emails if you think the sender is suspect. If an organisation such as your bank sends you a link, then instead of clicking it simply launch your browser and go directly to the bank's site. Remember that you can also check the destination of a link by hovering your mouse over it: if the URL does not match the link's anchor text or the email's stated destination, there is a good chance it is malicious.
Many spear phishing attackers will try to hide link destinations by using anchor text that looks like a legitimate URL, while the real destination sits in the href. Don't get caught out; the best thing to do is be alert to anything that is even slightly suspicious, even if you have to call the boss at 2am to clear it. Trust me, your boss will not mind.
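The two link checks described on this page, the brand name appearing only as a subdomain of someone else's domain (the EE text above) and anchor text that looks like a URL but points somewhere other than the real href, can be automated. The Python below is an added example and is not code from the original post; its suffix list is a tiny constructed stand-in for the Public Suffix List, the brand domain "ee.co.uk" is assumed for illustration, and the sample email body is constructed.

```python
"""Flag links in an HTML email whose real destination is not the brand's domain.

Check 1: a brand name used as a subdomain (ee.<something>.net) does not make the
         link an EE link; only the registrable domain counts.
Check 2: anchor text that looks like a URL must resolve to the same registrable
         domain as the actual href, otherwise the link is disguised.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a stand-in for the Public Suffix List, enough for this demo.
# A real deployment would load the full list (e.g. via the tldextract package).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def registrable_domain(hostname):
    """Return the registrable domain, e.g. 'ee.co.uk' for 'login.ee.co.uk'."""
    labels = hostname.lower().strip(".").split(".")
    # Walk from the whole hostname down so the longest public suffix wins,
    # then keep exactly one label in front of it.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


_URL_LIKE = re.compile(r"(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?")


def _looks_like_url(text):
    return _URL_LIKE.fullmatch(text.lower().strip()) is not None


def _host_of(text_or_url):
    """Hostname of a URL; bare anchor text such as www.ee.co.uk/x gets a scheme first."""
    if "://" not in text_or_url:
        text_or_url = "http://" + text_or_url
    return urlparse(text_or_url).hostname or ""


def check_links(html, brand_domain):
    """Return [(href, anchor_text, reasons)] for every link that fails a check."""
    findings = []
    for href, text in extract_links(html):
        href_domain = registrable_domain(_host_of(href))
        reasons = []
        if href_domain != brand_domain.lower():
            reasons.append("destination is %s, not %s" % (href_domain, brand_domain))
        if _looks_like_url(text) and registrable_domain(_host_of(text)) != href_domain:
            reasons.append("visible URL %s does not match destination" % text)
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed sample: one genuine link and two of the tricks described above.
SAMPLE_EMAIL = """
<p>Your EE bill is ready.</p>
<a href="https://ee.secure-account-verify.net/login">Log in to My EE</a>
<a href="https://www.ee.co.uk/myaccount">www.ee.co.uk/myaccount</a>
<a href="http://billing-update.org/x">https://www.ee.co.uk/billing</a>
"""

if __name__ == "__main__":
    for href, text, why in check_links(SAMPLE_EMAIL, "ee.co.uk"):
        print("SUSPICIOUS:", href, "|", text, "|", why)
```

The second link passes both checks because "www.ee.co.uk" and the href share the registrable domain ee.co.uk; the first fails because "ee" is merely a subdomain of secure-account-verify.net, and the third fails on both counts. With the real Public Suffix List loaded in place of the stand-in set, the same logic handles multi-level suffixes like co.uk correctly across all registries.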
And after all that doom and gloom, click here to find out what happened when one of the largest spear phishing operations unravelled after they tried to rip off Google and BookFace.