Spear phishing scams targeted at businesses have proven to be very lucrative for cybercriminals. For example, since January 2015, hackers have stolen over $3 billion (USD) from more than 22,000 companies worldwide using a type of spear phishing attack known as a Business Email Compromise (BEC) scam, according to the U.S. Federal Bureau of Investigation (FBI). BEC scams specifically target companies that regularly send wire transfer payments or work with foreign suppliers.
The main reason why BEC and other types of spear phishing scams are so effective is that they are personalized. Cybercriminals spend a considerable amount of time tailoring each email in the hope that its legitimacy will not be questioned.
How Cybercriminals Create Spear Phishing Emails
Hackers use a variety of techniques to get the information they need to personalize spear phishing emails. Sometimes, they will send out a generic phishing email to all employees at the targeted company. The email might request details about the business or a certain individual who works there. Alternatively, the email may install malware designed to obtain records that the hackers need to carry out the scam.
Cybercriminals can also use social engineering techniques to customize spear phishing emails. For instance, they might scour the targeted company’s website, check social media networks, and search the Internet to get information about the business and people they will be sending the email to. Hackers sometimes even call the company to get a job title or email address.
What You Will and Will Not Find in Spear Phishing Emails
Because spear phishing emails are personalized, they can be hard to spot. Knowing what elements to look for can help you and your employees identify them. However, since cybercriminals conduct research and customize their spear phishing emails, many of the tell-tale signs of phishing emails do not apply:
- No generic greeting: Spear phishing emails include the recipient’s name instead of a generic greeting or no greeting at all.
- No awkward wording: Grammatical errors and misspellings are the exception rather than the norm in spear phishing messages.
- No generic message: Spear phishing emails discuss business matters relevant to the recipient instead of containing a generic message.
- No sense of great urgency: Spear phishing emails take on a softer, more professional tone rather than trying to scare or entice the recipient into acting quickly.
Despite the lack of these tell-tale signs, there are some elements that might indicate an email is a spear phishing scam:
- Spoofed name in the "From" field: To trick the recipient into thinking the message came from a trusted contact, hackers often spoof the name that appears in the "From" field so that it shows the contact’s name. When cybersecurity researchers at GreatHorn analyzed more than 537,000 spear phishing emails sent by hackers in 2016, they found that 91 percent of them had spoofed names in the "From" field.
- A deceptive URL: A deceptive URL is one in which the actual URL does not match the displayed linked text or web address. For example, the displayed text might specify a legitimate supplier’s name or its web address, but the actual URL may lead to a website in Russia. Deceptive links often lead to fake websites designed to steal sensitive information or install malware.
- An attachment: Hackers like to attach files that contain malicious code. Opening these attachments can lead to a malware infection. For instance, in 2016, hackers used a spear phishing email with an attachment to infect companies with ransomware.
- A call for action: Spear phishing emails try to get the recipient to perform an action. For example, a hacker might pose as a business executive and send an email requesting a wire transfer. In this classic BEC scam, the email is usually sent to the employee responsible for processing this type of request. Alternatively, a hacker might try to trick the recipient into opening a malware-laden attachment or clicking a deceptive URL.
How to Protect Your Business from Spear Phishing Attacks
To protect your business from spear phishing attacks, consider using a two-pronged strategy. First, you should try to prevent spear phishing emails from reaching your employees by keeping your company’s email filtering and anti-malware tools up-to-date. You might even explore an email security solution designed to catch spear phishing and other types of malicious emails. In addition, you should make sure that potentially sensitive information (e.g., employee email addresses) is not publicly available.
Second, you need to educate employees about the personalized nature of spear phishing. Besides letting them know the elements they will and will not find in spear phishing emails, it is important to inform them about the risks associated with clicking email links and opening email attachments. Plus, you should show them how to check for deceptive URLs and spoofed names in the "From" field.
The individual steps required to implement this two-pronged strategy will vary depending on your company’s needs. We can help you decide the best course of action as well as provide more recommendations on how to protect your business from spear phishing and other email-based attacks.