Spear-Phishing

Targeted phishing

What is spear phishing?

Unlike classic phishing, which is designed to attack the broadest possible group of victims, spear phishing is an attack on a specific organization or person.

With spear phishing, the attacker no longer disguises himself as a large organization (such as Amazon, banks, etc.) in his emails, but becomes more specific and poses as an employee, superior, friend or business partner.

Three success factors

Gaining the victim's trust is an essential factor for a successful spear phishing attack. To achieve this, the attacker needs to find out as much information as possible. One way he does so is through social engineering and by gathering information from public sources such as Facebook and Instagram.

Impersonating a trusted person

Unlike normal phishing, a specific person or group, for example a department within an organization, is attacked. The hacker impersonates a well-known, usually higher-ranking person within the company. Out of respect and perhaps also fear of losing their job, many victims will supposedly fall for the phishing attempt.
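From the defender's side, this kind of impersonation often shows up as a mismatch between the sender's display name and the actual sending address. The following check is an added example, not part of the original article; the internal domain, the protected names and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Assumed organisation data (constructed for this example).
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"Jane Doe", "John Smith"}  # e.g. executives and managers

def _norm(name):
    """Casefold, strip accents and punctuation, sort tokens ('Doe, Jane' == 'Jane Doe')."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    tokens = "".join(c if c.isalnum() else " " for c in text.casefold()).split()
    return " ".join(sorted(tokens))

PROTECTED = {_norm(n) for n in PROTECTED_NAMES}

def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # A protected person's name on an address outside the organisation.
    if _norm(display) in PROTECTED and domain not in INTERNAL_DOMAINS:
        findings.append("display-name-impersonation")
    # Replies diverted to another domain; a weak signal on its own
    # (mailing lists do this too), stronger combined with the first.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append("reply-to-domain-mismatch")
    return findings

# Constructed sample messages (headers, blank line, body).
SAMPLES = {
    "internal": 'From: "Jane Doe" <jane.doe@example.com>\nSubject: Q3\n\nHi',
    "spoofed": ('From: "Jane Doe" <office@example.net>\n'
                'Reply-To: jane.private@example.org\nSubject: Urgent\n\nHi'),
    "reordered": 'From: "Doe, Jane" <j.doe@example.net>\nSubject: Invoice\n\nHi',
    "vendor": 'From: Newsletter <news@example.net>\nSubject: News\n\nHi',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_message(raw))
```
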

Confirming identity

It is also necessary to provide information that confirms the alleged identity of the hacker. If he can convincingly pose as a superior, then he has a good chance of luring victims into the phishing trap.

Logical reason for requests in the email

It is also necessary that the victim is given a logical reason for the requests in the message, because an illogical reason will appear suspicious to him and increase the chance that he will question the phishing.

Whaling

Particularly popular spear phishing victims are board members and employees in senior positions, because these so-called “whales”, i.e. “high-ups” within an organization, often have special authorizations and access. However, in order for such an attack to be successful, a sophisticated scenario and extensive information about the company and the victim are required.

2020 Twitter Hack

An incident in the summer of 2020 showed us the impact a targeted attack can have on employees, when the well-known social media platform Twitter was the target of a spear phishing attack.

The attackers specifically targeted the accounts of well-known personalities such as Elon Musk, Bill Gates and Barack Obama.

Employees were contacted by telephone in order to obtain identities, which were then used against other employees with user management rights. Using the captured identities and access to the internal network, access was then gained to 130 accounts, and tweets were published from 45 of them. Furthermore, more than 30 direct messages were read and data from at least seven accounts was downloaded.

This incident shows how dangerous a spear phishing attack can be. Especially in larger companies with classic, steep hierarchical structures, it is often the case that not all employees know each other. This significantly increases the success of such an attack. However, it must be noted that smaller companies are not spared from phishing attacks, because ultimately the company is only as secure as the last employee makes it.

In order to ensure this security, it is advisable to sensitize employees. This can be achieved, for example, through training and user awareness campaigns.
