
Phishing vs Spear Phishing: What are they and how can you avoid them?

Written by Telesoft Engineer on Monday, 24 February 2020. Posted in Cyber

Spear Phishing

Spear Phishing is a technique widely used by malicious actors: an estimated 88% of organisations worldwide were targeted by Spear Phishing in 2019, according to a survey conducted by Proofpoint.

Spear Phishing gives malicious actors an opportunity to bypass perimeter security controls and deliver malware to victims inside an organisation without ever having to touch the network directly or enter the premises in person.

Spear Phishing attacks are increasing every year, and falling victim to one can have devastating consequences for organisations and individuals alike. It is therefore essential to know what to look out for and how to avoid becoming the next victim.

What is the difference between Phishing and Spear Phishing?

Spear Phishing stems from Phishing. Phishing is the technique of sending a scattergun blast of emails to a large number of potential victims in the hope that at least one person will reply with personal information or open a link that delivers malware of some description.

Spear Phishing, however, is much more refined. It is a targeted attack against specific individuals, usually via email (although it can also be executed via phone calls, text messages, applications or social networks), with the intent of either infecting the victim's device with malware or tricking them into replying with sensitive information.

The attacker's ultimate goal is to gain access to the individual's device so they can gather sensitive information and/or gain further access to their accounts and data. Because Spear Phishing works, we have witnessed increased phishing attacks year on year with no sign of the trend slowing.

Breakdown of an email Spear Phishing attack

This breakdown focuses on the email vector of Spear Phishing, however the same principle applies to the other methods.

An unsuspecting target receives an email that presents itself as coming from a legitimate and trusted source by mimicking the mannerisms and style of that source. This tricks the user into believing the email is safe and that any links within it can be trusted, when in reality those links lead to websites capable of infecting their device with malware.

Alternatively, the email may contain no links at all and instead aim to trick the user into replying with sensitive information. The malicious actor can then use this information to gain access to the victim's accounts or organisation, or for further social engineering against the organisation, as in the example below.

[Image: Phishing example]

Figure 1 – Amazon Prime Subscription Phishing Attempt

The attack relies on the malicious actor's ability to convince the recipient that the email is legitimate. In the example above, the recipient had an Amazon Prime account associated with the targeted email address, and that subscription had recently been renewed, so the message fitted their expectations. Whereas a generic Phishing email would likely be much vaguer (e.g. 'Dear Sir/Madam'), a Spear Phishing attack is deliberate and tailored to its target.

This makes a Spear Phishing attack much more difficult to identify, and where employees have not been trained to know what signs to look out for, or are simply not vigilant, such attacks are becoming more and more successful.
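Several of the signs described in this breakdown can be checked mechanically before a user ever clicks. The following Python script is an added example written for this article (it is not Telesoft code and not part of any product): it parses a raw email with the standard library and flags a bounce address whose domain differs from the visible From domain, link text that displays one website while the href points at another, punycode hostnames that may be look-alike domains, and a display name that contains an email address. The sample message, and every domain in it, is constructed for the example.

```python
"""Heuristic checks for the tell-tale signs of a phishing email: a sender
domain that does not match the bounce address, link text showing one site
while the href points at another, and punycode (look-alike) hostnames.
Standard library only. Added example; the message below is constructed."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the Figure 1 scenario; all domains are fictitious.
SAMPLE = b"""\
Return-Path: <bounce@mail-relay-7.example>
From: Amazon Prime <billing@amaz0n-prime-renewals.example>
To: victim@example.org
Subject: Your Prime membership has been renewed
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your subscription was renewed. If you did not authorise this, visit
<a href="http://amaz0n-verify.example/cancel">https://www.amazon.co.uk/prime</a>
within 24 hours.</p>
<p><a href="https://xn--amazn-mza.example/login">Sign in</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    return (urlparse(url.strip()).hostname or "").lower()


def _addr_domain(header_value: str) -> str:
    """'Amazon Prime <billing@x.example>' -> 'x.example'."""
    addr = email.utils.parseaddr(str(header_value))[1]
    return addr.rpartition("@")[2].lower()


def _org_domain(host: str) -> str:
    # Crude "last two labels" approximation; a real tool would use the
    # public suffix list so that e.g. amazon.co.uk is handled correctly.
    return ".".join(host.split(".")[-2:])


def inspect_message(raw: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_header = str(msg.get("From", ""))
    from_domain = _addr_domain(from_header)
    display_name = email.utils.parseaddr(from_header)[0]
    if "@" in display_name:
        findings.append(f"Display name contains an address ({display_name!r}) "
                        f"but the real sender domain is {from_domain}")

    return_path = _addr_domain(msg.get("Return-Path", ""))
    if return_path and _org_domain(return_path) != _org_domain(from_domain):
        findings.append(f"Return-Path domain {return_path} does not match "
                        f"From domain {from_domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _AnchorCollector()
    collector.feed(body.get_content())
    for href, text in collector.anchors:
        target = _host(href)
        if target.startswith("xn--") or ".xn--" in target:
            findings.append(f"Punycode (possible look-alike) host in link: {target}")
        shown = _host(text) if "://" in text else ""
        if shown and _org_domain(shown) != _org_domain(target):
            findings.append(f"Link text shows {shown} but the link points to {target}")
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE):
        print("-", finding)
```

Run against the constructed sample, the script reports three findings: the bounce domain differs from the From domain, the first link displays www.amazon.co.uk but points at amaz0n-verify.example, and the second link uses a punycode host. None of these is proof of phishing on its own (legitimate bulk mailers routinely use a separate bounce domain), which is why the output is a list of findings for a human or a scoring rule to weigh rather than a verdict.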

How damaging can Spear Phishing be?

One of the highest-profile attacks initiated via a Spear Phishing email was the 2015 attack on the Ukrainian power grid. The attackers gained covert access to the distribution companies' systems months before they executed their main attack, which resulted in a power outage affecting roughly 225,000 customers.

Whilst the final attack was carefully orchestrated and used a number of different techniques, from telephone denial-of-service against customer call centres and the wiping of IT systems to the takeover of SCADA systems, the point of infiltration was a Spear Phishing email carrying a malicious Office document, opened by one of the utilities' employees. This attack highlights the scope of damage a single Spear Phishing email can do to an entire organisation.

What steps can you take to protect yourself?

There are a number of ways to protect yourself and your organisation from Spear Phishing attacks. The first line of defence is reducing the human error factor: train yourself and your employees to know what to look out for and what to do if they think they have encountered a Spear Phishing attempt. Reporting a suspected Spear Phishing attempt to your IT security team allows them to assess whether it was an indiscriminate spam campaign or whether your organisation is being targeted specifically, and to check whether anyone else received the same message.

At the IT level there are a number of measures you can take: encryption of stored data so that it cannot be read without correct authentication, multi-factor authentication so that a phished password alone is not enough to log in, DMARC (built on SPF and DKIM) so that receiving mail servers reject messages that spoof your domain, and proactive investigation of every report of a possible Phishing attempt. Note that DMARC protects others from mail forged in your name; it does not stop attackers sending from look-alike domains they own, which is why user training remains essential.
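DMARC is worth a closer look, because the policy tag decides whether a spoofed message is actually rejected or merely reported. The script below is an added example written for this article, not Telesoft code: it implements the receiver-side decision, checking whether the SPF or DKIM domain aligns with the visible From domain and applying the record's p= policy when neither does. It shows a weak monitoring-only record (p=none) beside a corrected reject record with strict alignment. The domains, records and authentication results are constructed; a real receiver would fetch the record from DNS at _dmarc.<domain> and would also honour the sp and pct tags, which are omitted here.

```python
"""DMARC alignment and disposition, as a receiving mail server evaluates it.
Added example; the domains and records below are constructed, not real."""
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # policy applied to non-aligned mail
    tags.setdefault("adkim", "r")     # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment
    return tags


def _org_domain(host: str) -> str:
    # Crude "last two labels" organisational domain; real receivers use the
    # public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return _org_domain(from_domain) == _org_domain(auth_domain)


@dataclass
class AuthResults:
    """What SPF and DKIM verification produced for one message."""
    spf_result: str = "none"   # pass / fail / none
    spf_domain: str = ""       # MAIL FROM (envelope) domain SPF was checked on
    dkim_result: str = "none"
    dkim_domain: str = ""      # d= of the DKIM-Signature that verified


def dmarc_disposition(from_domain: str, auth: AuthResults, record: str) -> tuple:
    """Return (dmarc_result, disposition). DMARC passes if SPF or DKIM passed
    AND the authenticated domain aligns with the visible From domain;
    otherwise the record's p= policy applies."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags["p"])


# Weak record: monitoring only, spoofed mail is still delivered.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
# Corrected record: reject anything that fails, with strict alignment.
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

# Attacker relays mail with a forged From: of the organisation's own domain;
# SPF passes, but only for the attacker's own envelope domain (constructed).
SPOOFED = AuthResults(spf_result="pass", spf_domain="bulk-relay.example")
# Legitimate mail signed with the organisation's own DKIM key (constructed).
LEGITIMATE = AuthResults(dkim_result="pass", dkim_domain="example.com")


if __name__ == "__main__":
    print(dmarc_disposition("example.com", SPOOFED, WEAK_RECORD))          # ('fail', 'none')
    print(dmarc_disposition("example.com", SPOOFED, STRICT_RECORD))        # ('fail', 'reject')
    print(dmarc_disposition("example.com", LEGITIMATE, STRICT_RECORD))     # ('pass', 'none')
    # Subdomain mail signed with the parent key: only relaxed alignment accepts it.
    print(dmarc_disposition("news.example.com", LEGITIMATE, WEAK_RECORD))   # ('pass', 'none')
    print(dmarc_disposition("news.example.com", LEGITIMATE, STRICT_RECORD)) # ('fail', 'reject')
```

The spoofed message fails DMARC under both records, but only the p=reject record causes it to be refused; with p=none it is delivered and merely shows up in the aggregate report. The last two calls show the trade-off of strict alignment: it blocks a subdomain sender signed with the parent domain's key, so an organisation moving to adkim=s/aspf=s needs every legitimate sending system enumerated first.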

Summary

Human error is inevitable, so as long as humans remain the ultimate end users on a network, social engineering attacks such as Spear Phishing will continue. However, with training and appropriate security procedures and policies in place, organisations can reduce the risk of falling victim, or at least limit the fallout if they do.
