3 Types of Spear Phishing Emails and How MSPs Can Prevent Them
August 11, 2022
As a Managed Service Provider (MSP), it’s your job to keep your clients out of harm’s way. Unfortunately, in today’s world, that’s often easier said than done. Spear phishing is a type of cyberattack that MSPs should keep top of mind.
In a typical spear phishing attempt, a person sends highly personalized emails that closely resemble a message their targets would typically receive. To combat spear phishing for your clients, it’s important to know which tactics some spear phishers most commonly employ. Let’s explore three types of spear phishing emails and learn how you can stop them in their tracks.
The gift card request
If you’ve ever received a message that seemingly came from your CEO asking for a $100 Amazon gift card, then you’re already very familiar with this type of spear phishing attempt. In a gift card request, a hacker, typically posing as a higher-up at the company, asks an employee to purchase gift cards on their behalf. They may tell the employee that they’re strapped for time or caught up in a meeting, and urgently need the gift cards.
They will use an email address that closely resembles the email address of the higher-up they’re impersonating. At a quick glance, the employee being targeted might not think twice about the legitimacy of the email. Data from Consumer Sentinel reveals that gift card requests are the most effective spear phishing technique used by phishers, with $148 million being stolen in 2021 alone.
So, what can you do to better protect clients against this largely effective spear phishing technique? For starters, it’s important to educate your clients on what these cyberattacks look like, and ensure they’re vigilant when it comes to identifying and reporting spear phishing attempts. For added security, consider implementing an AI-based spear phishing solution that analyzes both the content and context of emails to identify the signs of spear phishing that traditional solutions can miss.
The wire transfer request
In February 2022, a town employee in Tewksbury, MA, transferred $102,000 to an account as a result of a spear phishing attack. Suffice it to say, spear phishing emails that work to get individuals to wire transfer funds can be extremely costly to both your clients and your organization.
Commonly referred to as business email compromise (BEC), these spear phishing emails will again pose as a leader within the company and ask an individual to wire funds to a particular account. You might think you’d never transfer a large sum of money to an account without doing your due diligence first, but put yourself in the shoes of an accountant at one of your clients’ organizations.
You’re used to receiving a range of invoices from a multitude of businesses, so when an invoice email comes in from a seemingly familiar figure that you’ve worked with for years, you might not hesitate to pay what looks like the usual invoice. All it takes is one employee overlooking a subtle difference in the spear phishing email address to open the door for a costly cyberattack.
FBI statistics show that wire transfer fraud via BEC costs businesses over $26 billion per year. Protecting your clients against these types of spear phishing attacks starts with educating them on what the typical wire transfer scam looks like. Let them know that these types of cyberattacks will often claim it’s an urgent matter and contain grammatical mistakes.
The initial contact
While typical phishing attacks focus on getting individuals to click on links or download attachments, initial contact spear phishing attacks don’t require much action on the receiver’s end to open the door for damage. This type of spear phishing email will usually ask the individual a brief but somewhat urgent question. It could be something like, “Are you in the office today?” or, “Do you have time to talk this week?” Ultimately, the goal of these emails is to get a response from the receiver, after which the hacker’s email address is whitelisted, and the hacker avoids being flagged as spam.
The individual sending the initial contact email may attempt to connect with multiple people within an organization in order to find the perfect person who will eventually be able to initiate a wire transfer or download a virus.
This type of spear phishing email can often fly under the radar since there is nothing overtly nefarious about the initial contact message. While phishing simulations are helpful in training end users to identify and report phishing emails, training them with real samples of attacks ensures that they see real-world examples. This is critical in ensuring that users are familiar with the full spectrum of possibilities with spear phishing. Finally, when evaluating email security solutions, determine whether sender emails are automatically whitelisted.
What can Vade do for you?
As an MSP, you can put your clients through the most rigorous spear phishing awareness training and provide ongoing support and education as needed. But all it takes is for one individual to momentarily let their guard down for a spear phishing attack to be successful. Effectively combatting cyberattacks starts with investing in robust, easy-to-implement solutions that strike the ideal balance between integrability and value.
Vade for M365 identifies spear phishing with AI algorithms that analyze both the content and context of emails. The solution pulls an organization’s entity model through the Microsoft API to establish legitimate users. Natural Language Processing algorithms analyze email content to identify malicious textual content, such as urgency and flag words. If the email meets a certain threshold, Vade triggers a banner in the email, warning the user about potential spear phishing.
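The content-and-context check described above, and the lookalike sender addresses from the earlier sections, can be illustrated as follows. This is an added example, not Vade's code or algorithm; the directory, domain, flag words, weights and threshold are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed stand-in for the organization's known users; names and domain are made up.
DIRECTORY = {"dana whitfield": "dana.whitfield@example-corp.com",
             "sam ortiz": "sam.ortiz@example-corp.com"}
ORG_DOMAIN = "example-corp.com"
# Assumed flag words, drawn from the request types the article describes.
FLAG_WORDS = ("urgent", "gift card", "wire transfer", "invoice", "asap", "right away")
THRESHOLD = 3  # assumed score at which a warning banner is shown

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_email(from_header, body):
    """Return (score, reasons) combining sender context and message content."""
    name, addr = parseaddr(from_header)
    addr, domain = addr.lower(), addr.lower().rpartition("@")[2]
    score, reasons = 0, []
    known = DIRECTORY.get(name.strip().lower())
    if known and addr != known:  # context: familiar name, unfamiliar address
        score += 2
        reasons.append("display name matches a known user but address differs")
    if domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        score += 2
        reasons.append("domain is a near-miss of the organization's domain")
    hits = [w for w in FLAG_WORDS if re.search(r"\b" + re.escape(w), body, re.I)]
    if hits:  # content: cap the contribution so wording alone cannot trigger a banner
        score += min(len(hits), 2)
        reasons.append("flag words: " + ", ".join(hits))
    return score, reasons

def needs_banner(from_header, body):
    """True when the combined score reaches the assumed banner threshold."""
    return score_email(from_header, body)[0] >= THRESHOLD

# Constructed sample messages mirroring two of the email types in the article.
INITIAL_CONTACT = ('"Dana Whitfield" <dana.w.office@mailbox.example>',
                   "Are you in the office today?")
GIFT_CARD = ('"Dana Whitfield" <dana.whitfield@examp1e-corp.com>',
             "I'm tied up in a meeting and urgently need five $100 gift cards.")
```

On the constructed `INITIAL_CONTACT` sample the score is 2, below the banner threshold: the message has no flag words, so the display-name mismatch is the only signal, which is why the sender-context check matters for this type of email.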
Request a demo today to learn how our patented spear phishing prevention technology can help minimize targeted attacks on your business and keep your people and data safe and sound.