As an IT consultant, you've seen your fair share of phishing emails. You have probably also taught your clients how to avoid the obvious scams. The problem is that hackers have gotten better. Many are now abandoning mass phishing emails in favor of more targeted spear phishing.
A spear phishing email requires more work and sophistication on the part of hackers. They need to be able to convincingly impersonate someone the email recipient either knows or trusts. According to Forbes, John Podesta, the former chairman of the 2016 Hillary Clinton presidential campaign, was successfully spear phished last year by a Russian hacking group. A few months later, his emails ended up on WikiLeaks.
Spear phishers don't just go after the powerful and famous, though. A small business's finance manager could just as likely be a target. The FBI recently announced that just one particular scam – spear phishing emails requesting wire transfers – has cost business owners more than $3 billion. The FBI announcement also noted that there has been a 1,300 percent increase in identified exposed losses since January 2015. This means spear phishing is continuing to grow at a rapid rate.
Let's look at why spear phishing attacks are so effective and how you can help protect your clients against them.
Spear Phishing vs. Phishing
Phishers may send one email to thousands of email addresses, hoping to catch at least a few people off guard. Targets are typically random, and the phishing emails are often fairly easy to spot because of typos or other careless errors. By contrast, spear phishing is far more insidious because the attacks are personalized and the emails are well written.
"When they [hackers] are spear phishing, typically, the grammatical mistakes and the stiff language won't be there because if they're going to the trouble to do spear phishing, they are going to take more time crafting the email," says Tom Evans, a retired IT professional who provides security awareness training for Ashton Technology Solutions.
Phishers are also excellent actors. Let's put it this way – if the dark web had an awards ceremony, spear phishers would clean up in the acting categories. That's because they are very skilled at impersonating someone their victim is naturally inclined to trust. It could be PayPal, your boss, or someone claiming to be a former college classmate.
Spear Phishers Capitalize on People Being Busy
How many emails do you get in a day? 50? 100? More? Spear phishers know people are checking and responding to emails rapidly. They count on the fact that victims are distracted, in a rush, and will often act without taking the time to verify the authenticity of:
- A sender's email address.
- The URL they are being directed to.
- The attachment they are being asked to open.
"Because [spear phishing] has something in it that is more specific, it takes that little bit more effort on the recipient's part to decide whether it's phishing or not phishing," says Evans. "People are busy. If it looks like it's related to something that they should be involved with, they're going to be more inclined to open the email."
Another effective spear phishing technique is creating a false sense of urgency. Phishers know that if the victim has enough time to scrutinize an email, they might realize something is "off" about what they are being asked to do. For this reason, phishers like to impersonate a high-ranking individual within the target's own organization.
"Spear phishing directly preys on the complacency of one person's trust with a known person or entity, and it can prey on fear, too," says the cofounding partner of cybersecurity firm Pondurance (@pondurance). "For instance, if you get a direct request from someone who appears to be an executive within your organization, and even if that request is rather unorthodox, such as transferring or wiring money, one might be more apt to immediately fulfill the request to avoid confrontation."
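The three things the article says busy recipients skip checking (sender address, real link destination, attachment) and the executive wire-request lure quoted above can be turned into a simple mail-triage check. The script below is an added example, not code from the article or from any of the firms quoted; the internal domain, the executive directory and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-corp.com"                     # assumption: the client's real domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # assumption: directory of known execs
URGENCY = re.compile(r"\b(urgent|immediately|asap|wire|transfer|confidential)\b", re.I)
HREF = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a: str, b: str) -> int:  # Levenshtein: spots lookalikes such as c0rp vs corp
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: str) -> list:
    """Return human-readable findings for one RFC 822 message; empty list means no tells."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:                  # display name says exec, address does not
        findings.append(f"display name '{name}' but sender is {addr}")
    if domain != INTERNAL_DOMAIN and 0 < edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"lookalike domain {domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():    # replies quietly routed elsewhere
        findings.append(f"Reply-To {reply_to} differs from From")
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in HREF.findall(body):               # link text vs. real destination
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and shown != urlparse(href).hostname:
            findings.append(f"link shows {shown} but goes to {urlparse(href).hostname}")
    if URGENCY.search(body):
        findings.append("urgent / wire-transfer wording")
    return findings


# Constructed sample resembling the executive wire-request lure described above.
SAMPLE = """\
From: "Jane Doe" <jane.doe@example-c0rp.com>
Reply-To: payments@mail-relay.example

<p>I need this wire sent immediately, keep it confidential.
Details: <a href="http://example-c0rp.com/pay">https://example-corp.com/payments</a></p>
"""
```

Running `triage(SAMPLE)` flags all five tells; a plain internal message with no links or urgency wording returns an empty list.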
Spear Phishing Is Easier Than Ever
One primary reason spear phishing can be so effective is the rise of social media. A simple Internet search can disclose a wealth of information about a potential victim's life, such as where they work or went to school, who they know, and what their hobbies are.
"With all of the information that is available online now, it's very easy for somebody to get the background information that might have taken some work several years ago, but now it's out there and available," says Evans.
Once phishers have done their homework on you, they move into attack mode.
"Spear phishing is particularly effective because it is personalized," says Gullett of Symmetrix Technologies (@symmetrixtech). "Just like in social engineering situations, having a small number of personal details to casually drop in communication lulls the target into a sense of ease and an assumption that the attacker is trusted."
Gullett says one of his clients was successfully spear phished.
"It involved a vacation the client was planning out of the country," says Gullett. "The South American travel agent's systems were compromised, allowing the attacker to gain information about the travel itinerary. They then performed an attack via email and convinced the client to send thousands of dollars via wire transfer."
Phishing Training Is an Effective Way to Protect Your Customers
Spear phishers are going to continue to target your customers. When they succeed, it may result in a lot of calls to your IT business for help. Depending on how serious the damage is and if they think you should have somehow prevented it, a client may even sue you. (Related reading: "How to Help Your Clients (and Protect Yourself) after a Cyberattack.")
That's why phishing training can protect both your clients and your IT business. Sometimes it may take a little nudging on your part to get a client to see the value in paying for phishing training.
"There's a problem because it looks like you are trying to sell services and, yeah, you are," says Evans. "But if you learn how to look at an email and understand what's wrong with it, you avoid having to go through the trauma of ransomware or a full-fledged spam attack or having your network used as a launching point for a spam attack. It's preventive, like going to the doctor for a checkup and catching the medical problem before it gets worse."
For more on the importance of training your clients how to avoid getting phished, read "Why Protecting Your Clients against a Phishing Attack Is Good for Your Bottom Line."
About the Contributors
Tom Evans currently provides contract security awareness training for Ashton Technology Solutions about security issues. He is mostly retired after working in the IT industry for approximately 35 years. He enjoys spending time bird watching with his wife and hopes to get back into scuba diving this summer.
Gullett has been in the IT industry since 1993 and has run Symmetrix Technologies, an IT consulting firm in the Dallas area, since 2003. Symmetrix Technologies focuses on taking care of the IT needs of small and medium businesses, about 30 percent of which are small legal firms. Gullett holds the CISSP information security certification and is very familiar with loss prevention and disaster recovery.
The cofounding partner of Pondurance quoted above is a recognized security leader known for developing pragmatic and precision-based security and risk management solutions for organizations on a global scale. He is a partner with Pondurance, a leading information security services provider based in Indianapolis, and is certified in multiple disciplines relating to information and asset protection.