When it comes to cyberattacks, the human dimension of the cybersecurity environment is a complex vulnerability. Without awareness, any employee, contractor or user is the most unprotected asset: a person who can be easily exploited with a social engineering attack.
Because of inherent human characteristics — ignorance, fear, misplaced trust — people are by nature very susceptible to being manipulated to let down their guard. They then carry out actions that are contrary to the norm, such as clicking on links or giving away sensitive information. Social engineering attacks take advantage of these attributes, as well as ineffective organizational and technology security controls.
In this article, we will examine the latest techniques in spear phishing, and also the opportunities that exist to mitigate these threats by implementing the right people, organizational and technological controls.
The majority of phishing emails are generic emails sent to a random population. Spear phishing emails are a small subset that require two pieces:
Together, these efforts invariably lead to higher response rates. The Proofpoint State of the Phish 2023 report highlighted that spear phishing prevalence was approximately 74% of attacks in 2022, as compared to bulk phishing at 85%.
As long as email remains a primary communication channel in almost every corporate environment, the likelihood of sophisticated spear phishing attacks will remain high.
(Learn how to prevent spear phishing with Splunk.)
Similar to other phishing attacks, there are three main phases in a spear phishing attack:
This is the reconnaissance stage where specific information about the target’s identity and area of interest is gathered. This PII may be obtained in several ways:
For a spear phish, detailed information about the target’s organizational information is critical in enhancing the probability of a successful attack. These details can include function (e.g., division, department), role and business operations — all of which point specifically to what the target handles that may be applied in the attack.
Here, the information garnered from the bait is applied in crafting an appropriate email message for the target. This is different from generic campaign messages sent through mass malware spam, as the spear phishing attack involves a customized message crafted through social engineering techniques, such as posing as a trusted source, or presenting information that the target is familiar with.
An email reply obtained from a data breach can be one such avenue for a spear phishing attack. According to MITRE ATT&CK, a spear phishing email uses one or more of three sub-techniques to plant malware:
This is the final phase of the attack where the target is converted into a victim after they respond to the hook. The social engineering techniques come into play, as the victim ends up circumventing existing checks and balances such as bypassing email restrictions to open attachments and click links.
This allows the malicious code to be planted into the victim’s device, or the victim ends up following instructions to carry out the attacker’s plans such as processing a supplier payment or providing access to confidential data.
Spear phishing is rated as a high-value attack since the motivation for these attacks is mainly financial fraud or related crimes. The SlashNext 2022 State of Phishing report found a 54% rise in zero-hour (never seen before) threats, with a 78% focus on delivering well-crafted zero-hour spear phishing attacks. Most of these attacks involved credential harvesting, while the rest included scams, malware, ransomware and exploits.
A specific application of spear phishing is business email compromise (BEC) attacks. These tend to have a high success rate since they involve spoofed emails that look like they’re coming from a trusted source — a company executive, employee or vendor. The 2022 Microsoft Digital Defense report reported BEC emails as 0.6% of all phishing emails, yet they are the costliest financial cybercrime, with an estimated $2.4 billion USD in adjusted losses in 2021, representing more than 59% of the top five internet crime losses globally.
From a financial perspective, whaling is usually at the forefront of spear phishing, as it involves targeted phishing attacks, aimed at senior executives such as CEOs, CISOs and CFOs. Whaling attacks are designed to encourage victims to perform a secondary action, such as initiating a wire transfer of funds.
However, an article by Forbes indicates a shift in tactics, with mid-level employees now being impersonated more often than company executives. This is likely because C-suite members face greater scrutiny, which in turn raises their awareness of and resistance to such forms of attack.
The recent spectacular rise of generative AI like ChatGPT has also thrown a spanner in the works, in terms of detecting spear phishing attacks. Previously, it was easy to identify such emails due to their poor grammar, misspelled text or unfamiliar salutation.
But with generative AI able to create well-written, personal emails with infinite variations, detecting such emails, whether by the target or by anti-phishing solutions, is only going to get harder, according to Dark Reading.
(Explore what generative AI means for cybersecurity: it’s good and bad.)
The ISO/IEC 27005:2022 guidance on managing information security risks identifies insufficient security training as well as poor security awareness as examples of personnel vulnerabilities that may be exploited by social engineering attacks.
Anti-phishing solutions embedded in corporate email systems can provide a barrier to spear phishing emails getting through, blocking or quarantining messages that show standard warning signs such as:
But at the end of the day, the recipient — you — remains the first line of defense and must be regularly trained to identify such emails, countercheck even with phone calls, and when in doubt be able to reach IT support quickly for assistance. Regular internal spear phishing campaigns also play a crucial role in inducing a heightened state of awareness within the corporate environment.
In addition, segregation of roles and limiting of privileged credentials through organizational policies and IT systems can limit the impact of a spear phishing attack. For example, a maker-checker scenario can prevent a victim from raising and executing the same payment transaction. However, this may not be practical for solo-preneurs or small-sized organizations.
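One way to implement the maker-checker control described above, as an added example that is not from the original article: a payment cannot be released until a second identity approves it, and a self-approval attempt is refused and logged so it can be reviewed. The class, field and identity names are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"


class SegregationError(Exception):
    """One identity tried to act as both maker and checker of a payment."""


@dataclass
class Payment:
    payment_id: str
    payee: str
    amount: float
    maker: str                      # identity that raised the request
    checker: Optional[str] = None   # identity that approved or rejected it
    state: State = State.PENDING
    audit: List[Tuple[str, str]] = field(default_factory=list)  # (event, actor)


class PaymentQueue:
    """Maker-checker (four-eyes) workflow: no payment executes on one person's say-so."""

    def __init__(self) -> None:
        self.payments: Dict[str, Payment] = {}

    def raise_payment(self, payment_id: str, payee: str, amount: float, maker: str) -> Payment:
        p = Payment(payment_id, payee, amount, maker)
        p.audit.append(("raised", maker))
        self.payments[payment_id] = p
        return p

    def decide(self, payment_id: str, checker: str, approve: bool) -> Payment:
        p = self.payments[payment_id]
        if p.state is not State.PENDING:
            raise ValueError(f"{payment_id} is already {p.state.value}")
        if checker == p.maker:
            # A phished employee cannot both raise and release the payment;
            # the blocked attempt is kept in the trail as a review signal.
            p.audit.append(("self_approval_blocked", checker))
            raise SegregationError(f"{checker} raised {payment_id} and cannot approve it")
        p.checker = checker
        p.state = State.APPROVED if approve else State.REJECTED
        p.audit.append((p.state.value, checker))
        return p

    def execute(self, payment_id: str) -> bool:
        """Release funds only for approved payments; returns whether anything was sent."""
        return self.payments[payment_id].state is State.APPROVED
```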