In 2022, spear phishing was the number one type of cyberattack used by scammers. The direct financial loss from those attacks can only be estimated, since few organizations like to publicize their fraud losses.
What exactly is spear phishing? How can you effectively protect your company against it? Keep reading to find out!
Trustpair is an anti-fraud solution that blocks any financial effect of spear phishing attacks by continuously controlling payments before they’re executed. Contact an expert to learn more!
What is spear phishing?
A definition of spear phishing
Spear phishing is a personalized type of cyber-attack. It targets individuals within an organization to steal sensitive data, usually through fraudulent emails.
Using social engineering techniques and email messages, hackers try to get their victim-to-be to take a dangerous action, prompting them to click on a link or reveal their login credentials.
This stolen data is then used to commit payment fraud, or sold to the highest bidder on the dark web. In both cases, spear phishing means trouble as it creates a data breach in your network, opening the way for further attacks.
How do spear phishing attacks work?
Spear phishing requires preparation. Cybercriminals have to target the right person within an organization, someone who has access to the data or the payment process they're after. They approach that person under false pretenses, impersonating someone the victim trusts. The impersonation is much easier when the attacker has already stolen that person's identity or taken over their email account.
This can be a legitimate supplier, a client, or even a high-level executive of their own company — the latter being called CEO fraud.
Spear phishing is usually done through email, although phishing by phone (vishing) is also on the rise, helped by voice-cloning technology that lets an attacker sound like the person they impersonate.
Fraudsters always initiate the conversation. They call or email asking the victim to take an action, such as:
- Clicking a link that redirects them to a spoofed website,
- Downloading an attachment that installs malware or spyware,
- Replying with sensitive information.
Those malicious emails appear legitimate as they use social engineering to get the recipient to comply. They’ll usually use an element of urgency so that the victim feels pressured and wants to do “the right thing” for their company. They’ll realize too late (if ever) that their action compromised it.
What are the differences between phishing and spear phishing?
Spear phishing is a highly personalized type of cyberattack. It targets one specific individual, impersonating one specific and trustworthy contact.
It’s the crème de la crème of online fraud and requires preparation. Quality matters more than quantity. However, the payouts for scammers are higher. In whaling attacks, for example, targeting CEOs and other C-suite executives can earn them millions.
Phishing, on the other hand, is all about quantity. Phishing emails are very generic as they are sent in mass campaigns. As they’re not personalized, fewer people tend to fall for them. But because they’re done at a bigger scale, statistically, they’ll still get some money out of it.
Where phishing is easier to spot, spear phishing scams tend to be more dangerous as they’re harder to detect.
Real life examples of spear phishing
Spear phishing comes in various shapes and forms. Scammers can send:
- A fake link to a “Zoom meeting” that’ll download malware.
- A request to “secure your account” by clicking on a link.
- An email that looks legitimate that contains “important attachments”.
- An invitation to an event with more information under a link.
By definition, spear phishing attacks are highly personalized: attackers tailor them as much as possible to increase their chances of success. Social engineers use information they find online (like on social media profiles) to curate a highly specific message.
An email can for instance contain a link to an event that “sounds fun, want to come?” or even “this new business book made me think of you, check it out!”.
The most benign-looking messages can be the most dangerous, as they come across as low-risk and genuine. That is especially true when attackers use spoofing: forging the sender's display name or email address so the message appears to come from a colleague or partner the victim already knows.
Another real-life spear phishing example is an attack on Levitas Capital. Fraudsters managed to install malware on the co-founder’s device by sending a fake Zoom link. They used the information stolen by their software to later authorize fraudulent payments. The company lost about USD 5M (8M AUD) and declared bankruptcy a few months after the incident.
How can you prevent and detect spear phishing?
Increase security
Fortunately, there are several things you can do to protect yourself against unsolicited spear phishing attacks.
Your first layer of protection to avoid phishing comes from your safety measures, such as:
- Installing a complete endpoint protection suite (antivirus, anti-spam, anti-ransomware and anti-spyware) on all your devices,
- Restricting access to sensitive data to specific devices and/or locations,
- Requiring strong passwords and multi-factor authentication, so a phished password alone is not enough to log in.
It's also important to have a contingency plan in case an attack slips through your security measures. For example, you can apply the four-eyes principle: any sensitive action, such as releasing a payment or changing a supplier's bank details, must be reviewed and approved by a second person. A single phished employee then cannot complete the fraud on their own.
We also suggest adopting segregation of duties. This means assigning the steps of a key process to different people, so that no single person can carry it out end to end. For example, for a more secure procurement process you'll have:
- One employee receiving and recording invoices,
- One preparing the payment run,
- Another authorizing and sending the payment.
That limits the risk of financial fraud being committed, from third-party fraud to internal fraud.
Learn all there is to know about payment fraud in our latest fraud report!
Become a cyber-aware company
More than setting up an array of measures, you want to work towards becoming a cyber-aware organization. Your employees need to know what spear phishing (and other types of cyberattack) looks like for the company to protect itself effectively.
Regular cybersecurity training should be provided to the relevant people. Show them what risks exist, and also how to recognize phishing, spear phishing, and the different types of bank account fraud. As fraud attempts become more elaborate, it’s important to know the latest schemes to always be protected.
You can ask your IT department to share their best practices, explaining why they’re important. They can also run mock-up cyberattacks, which can give you a good idea of what you need to improve.
Use anti-fraud software
Fraud detection solutions (like Trustpair) protect you from the effects of spear phishing attacks. If a scammer manages to get through your security measures, they still wouldn’t be able to steal money.
That’s because our platform continually and automatically controls your third-party data. We ensure your vendor’s data is always up-to-date by checking it against databases internationally. We check that:
- The bank account numbers are correct,
- The account is under the right name,
- Both of those elements match.
That means you always know you’re paying into the correct bank account.
Even if an attacker uses an employee's stolen login to access your payment software, they wouldn't be able to send a payment to their own bank account, which is one of the most common ways third-party financial fraud is carried out.
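The two controls described above, segregation of duties in the payment process and checking the beneficiary account against verified vendor data before a payment executes, can be expressed as a small pre-execution check. The following is an added illustration, not Trustpair's code or any product's actual logic; it assumes a vendor master keyed by vendor name, IBAN-format account numbers, an out-of-band verification date recorded when bank details were confirmed by phone callback, and hypothetical user names. All sample vendors and IBANs are constructed for the example.

```python
"""Pre-execution payment controls against spear-phishing-driven payment fraud.

Added example (not Trustpair's code). Two controls are enforced before a
payment may execute:
  1. segregation of duties: the person who prepared the payment may not approve it;
  2. beneficiary check: the IBAN is well-formed, matches the vendor master record,
     the beneficiary name matches the account holder, and the bank details have
     been verified out-of-band since they were last changed.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must be 1 mod 97."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # '0'-'9' -> 0-9, 'A'-'Z' -> 10-35
    return int(digits) % 97 == 1


@dataclass
class VendorRecord:
    name: str
    iban: str
    account_holder: str
    verified_on: Optional[date]       # date bank details were confirmed by callback; None = unverified
    last_changed_by: Optional[str] = None


@dataclass
class PaymentRequest:
    vendor: str
    beneficiary_name: str
    iban: str
    amount: float
    prepared_by: str
    approved_by: str


def change_bank_details(master: Dict[str, VendorRecord], vendor: str, new_iban: str, changed_by: str) -> None:
    """Any change to stored bank details clears the verification status.
    A fraudster who edits the record with a stolen login therefore cannot
    get paid until someone confirms the new details out-of-band."""
    rec = master[vendor]
    rec.iban = new_iban
    rec.verified_on = None
    rec.last_changed_by = changed_by


def control_payment(req: PaymentRequest, master: Dict[str, VendorRecord]) -> List[str]:
    """Return the list of reasons to block the payment; an empty list means it may execute."""
    reasons: List[str] = []
    if req.prepared_by == req.approved_by:
        reasons.append("segregation of duties: preparer and approver are the same user")
    rec = master.get(req.vendor)
    if rec is None:
        reasons.append(f"unknown vendor {req.vendor!r}")
        return reasons
    norm = lambda s: s.replace(" ", "").upper()
    if not iban_is_valid(req.iban):
        reasons.append("beneficiary IBAN fails mod-97 check")
    if norm(req.iban) != norm(rec.iban):
        reasons.append("beneficiary IBAN does not match the vendor master record")
    if req.beneficiary_name.casefold() != rec.account_holder.casefold():
        reasons.append("beneficiary name does not match the account holder on record")
    if rec.verified_on is None:
        reasons.append("vendor bank details never verified out-of-band since last change")
    return reasons


def demo() -> Dict[str, List[str]]:
    """Three constructed scenarios: a legitimate payment, a single-user payment,
    and a payment after an attacker changed the vendor's IBAN with a stolen login."""
    master = {
        "Acme Supplies Ltd": VendorRecord(
            name="Acme Supplies Ltd",
            iban="GB82 WEST 1234 5698 7654 32",      # constructed sample IBAN
            account_holder="Acme Supplies Ltd",
            verified_on=date(2024, 1, 15),
        )
    }
    good = PaymentRequest("Acme Supplies Ltd", "Acme Supplies Ltd",
                          "GB82WEST12345698765432", 12500.00, "alice", "bob")
    results = {"legitimate": control_payment(good, master)}
    results["same_user"] = control_payment(replace(good, approved_by="alice"), master)
    # Attacker logged in as alice swaps the vendor's IBAN for one they control.
    # The new IBAN passes the checksum, so format checks alone would not catch it.
    change_bank_details(master, "Acme Supplies Ltd", "DE89 3704 0044 0532 0130 00", changed_by="alice")
    diverted = replace(good, iban="DE89370400440532013000")
    results["after_unverified_change"] = control_payment(diverted, master)
    return results


if __name__ == "__main__":
    for scenario, reasons in demo().items():
        print(scenario, "->", "EXECUTE" if not reasons else "BLOCKED: " + "; ".join(reasons))
```

The third scenario is the one worth noticing: the diverted payment matches the (tampered) vendor record and the new IBAN has a valid checksum, so only the cleared verification status blocks it. That is why the verification flag must be tied to the stored bank details rather than to the vendor as a whole.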
Trustpair also protects you from wire transfer scams, where your supplier's bank details are replaced with a fraudster's without you noticing. Any fraudulent attempt is blocked by our platform, and an alert is sent to you straight away. We've worked with 200+ companies across the world to eradicate the risk of financial fraud. Contact an expert to learn more!
Key Takeaways:
- Spear phishing is a form of personalized cyberattack that often happens via email. Hackers target a specific individual to get them to reveal confidential information and commit fraud.
- You can protect yourself by increasing your security measures, educating your teams, and using Trustpair to block the effects of spear phishing.