Psybersafe Blog

Read our short, informative blog posts to understand more about cyber security and how people’s behaviour is key to improving it.

Could you be spear phished?

(3 min read)

This could be a short blog, because the answer is almost certainly ‘yes’! Anyone can be a target for a spear phishing campaign – a variation on the standard ‘blanket’ phishing attack.

 What is spear phishing? It’s a cyber attack that is specifically targeted at an individual. Targeting victims for these attacks means that the criminals can be much more focused, much more believable, and therefore much more successful.

Just think about it – a ‘regular’ phishing attack is very general. It’s aim is to generate a return from a percentage of people who receive it – and phishing emails are often sent to hundreds or thousands of email addresses at once.

General phishing emails 700x300

For that reason, the email itself needs to be fairly vague. The criminals use psychology to trigger a desire in the reader to respond. But the message is usually broad, so that it has the widest appeal.

What changes with spear phishing?

In contrast to standard phishing scams, spear phishing is sophisticated and much more dangerous, because it targets an individual and is designed to convince them completely that the phishing email is genuine.

In fact, according to website securityescape.com, spear phishing accounts for 65% of cyber attacks on organisations, with a single attack costing an average of $1.6m. And, worryingly, these stats show that over 40% of employees admit inadvertently clicking potentially malicious links, opening attachments and sharing security credentials.

It’s also becoming more common, as criminals see that they are getting great returns for their extra effort. And it does take some effort to mount a spear phishing attack.

How does it work?

Criminals build on the psychological success of general phishing emails to launch a successful spear phishing attack. First, they identify the organisation they want to target, and one or two people who work in the right departments. In many cases, this is the finance department, because they are the ones with access to the accounting process and the ability to move money. 

hooked targeted phishing 700x300

 Often using social media, hackers research the target individuals – if you think about the information you share on your Facebook or Instagram account, it’s not difficult for criminals to find out your home town, date of birth, school, hobbies, family and friends. 

Armed with this information, fraudsters may impersonate someone else in the business – often a department head, Finance Director or other Senior Manager.  They do this to intimidate and will start to email or message the target from that account.

Facebook Soc Eng Ed Labrum 500x300

It can take several weeks – or longer – to get to a position where the criminal can mount the attack.   When they finally launch, it can be to ask for a fake invoice to be paid, for money to be moved to a seemingly legitimate account, or for certain private data to be shared. The email may have a link to a fake website which captures passwords or personal information, or may ask the recipient to open a document to confirm some details.  

All of these are convincing methods of accessing targeted information. And don’t think that the criminals will stop if their emails get filtered out by IT Systems – we know of cases where they’ve just called the target employee instead, asking for details to be shared over the phone – and it works.  This is sophisticated and convincing social engineering.

Can you prevent a spear phishing attack?

Improving cyber behaviours is the obvious way to protect your people and your organisation against spear phishing. This is important, because the attack is so deliberately targeted at people. Why’s that? Because cyber criminals know that people are vulnerable and more likely to be conned by a slick psychological attack.

So your best defence against this type of cyber crime is to educate and train your people to embed better cyber behaviours that make them alert to the dangers, and helps them to understand how to check the authenticity of unexpected emails and requests – even from people they think they know.

In a number of our Psybersafe episodes we delve into real examples of social engineering and how even, sensible, careful people can get tricked.

Find out more about how our online training episodes can help beat this problem in your organisation – just contact us today.

Sign up  to get our monthly newsletter, packed with hints and tips on how to stay cyber safe. 

Mark 200x200Mark Brown, is a behavioural science expert with significant experience in inspiring organisational and culture change that lasts.  If you’d like to chat about using Psybersafe in your business to help to stay cyber secure, contact Mark today.