Not all phishing scams embrace “spray and pray” techniques. Some ruses rely more on a personal touch.
Enter spear phishing schemes
In this type of ploy, fraudsters customize their attack emails with the target’s name, position, company, work phone number, and other information to trick the recipient into believing that they have a connection with the sender. Yet the goal is the same as deceptive phishing: trick the victim into clicking on a malicious URL or email attachment so that they will hand over their personal or business data. Given the amount of information needed to craft a convincing attack attempt, it’s no surprise that spear-phishing is commonplace on social media sites like LinkedIn where attackers can use multiple data sources to craft a targeted attack email.
Techniques Used in Spear Phishing
Provided below are some of the most common techniques used in spear phishing attacks:
Housing malicious documents on cloud services: CSO Online reported that digital attackers are increasingly housing their malicious documents on Dropbox, Box, Google Drive, and other cloud services. By default, IT is not likely to block these services, which means the organization’s email filters will not flag the weaponized docs.
Compromise tokens: The security news platform also noted that digital criminals are attempting to compromise API tokens or session tokens. Success in this regard would enable them to steal access to an email account, SharePoint site, or other resources.
Gather out-of-office notifications: Attackers need lots of intelligence to send a convincing spear-phishing campaign. Per Trend Micro, one way they can do that is by emailing employees en masse and gathering out-of-office notifications to learn the format of the email addresses used by internal employees.
Explore social media: Malicious actors need to learn who is working at a targeted company. They can do this by using social media to investigate the organization’s structure and decide whom they would like to single out for their targeted attacks.
Examples of Spear Phishing Attacks
How to Defend Against Spear Phishing
To protect against this type of scam, organizations should conduct ongoing employee security awareness training that, among other things, discourages users from publishing sensitive personal or corporate information on social media. Companies should also invest in solutions that analyze inbound emails for known malicious links/email attachments. This solution should be capable of picking up on indicators for both known malware and zero-day threats.
