Phishing and spear phishing are major cyber threats. Yet how many people can really identify these sorts of attacks, much less understand the nuanced differences between them? The danger of phishing and spear phishing to organizations makes increased awareness essential. With 90% of breaches starting with a phishing attack, familiarity with this topic would certainly help protect sensitive digital assets. For example, a 2017 study by Intermedia revealed that an astonishing 25% of IT professionals admitted to falling for a phishing attack. The same report highlighted that 21% of office workers and 34% of business owners and high-level executives had made the same mistakes.
To better prepare you against phishing risks, we thought it would be worthwhile to explain the difference between phishing and spear phishing. The two threats are similar, but different enough to represent two distinct modes of attack. Employers and employees alike would do well to understand how to differentiate between them—as we like to say, hyper-awareness is the key to cyber vigilance.
What is Phishing?
Let’s start with that funky spelling. “Phishing” gets its name from “fishing.” The term was coined by admirers of the “phone phreaks,” the notorious first generation of hackers who reigned during the 1960s and 70s. The phone phreaks inaugurated a long tradition of cyber warfare using a hilariously simple technique. They would use a Cap’n Crunch bosun whistle to signal tones into phones to trick the phone company computer into giving them a free call! This might sound ridiculous to us today, but it was a hacking innovation at the time that exploited a vulnerability in call-routing switches that relied on in-band signaling.
Phishing involves a hacking technique that is the digital equivalent to “casting a net.” Like real-life fishermen, phishers cast their net without knowing exactly what they will “catch.” Specifically, phishing means sending emails that are designed to lure a user into clicking on a URL. This URL may direct someone to a malware download site or to a web form that looks legitimate (e.g. a bank or an Office 365 login page), but that is really a front for harvesting personal information. Common phishing emails might say something along the lines of, “Your bank account information is out of date. Please update at the following link…”
In some cases, the fake web forms are nearly impossible to distinguish from their real-life counterparts. The URLs themselves, however, can offer a clue to what lurks beneath the surface. For instance, a (hypothetical, fictional) phishing attack purporting to be from Bank of America might direct you to a site called www.bankofamericaincu.co, which you could be forgiven for mistaking as legitimate. (The bank’s actual site is www.bofa.com.) Once there, you might share your login credentials, social security number, or other personal information with the criminals who set it up.
Phishing is also commonly employed to steal login credentials to private networks or cloud applications, such as Office 365, Dropbox, and DocuSign. This can occur when you download keylogging malware that records your username and password; or you may be prompted to fill in your credentials on a fake page, similar to the Bank of America example above. Generic phishing, though, is not as well suited to stealing credentials as is the more personalized form of the attack, known as spear phishing.
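The URL clue described above, turned into a defender-side check, as an added example that is not part of the original article: a link is flagged when its hostname mentions a brand but its registrable domain is not one of that brand’s known domains. The allowlist (beyond the www.bofa.com the article gives) and the sample URLs are constructed, and the domain-splitting is deliberately naive.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domains an organization trusts for
# each brand name. The article gives bofa.com as Bank of America's real site;
# the other entries are assumptions for illustration.
KNOWN_BRAND_DOMAINS = {
    "bankofamerica": {"bofa.com", "bankofamerica.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
}
ALL_KNOWN = set().union(*KNOWN_BRAND_DOMAINS.values())


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (naive eTLD+1).

    Assumes single-label public suffixes; multi-part suffixes such as
    co.uk would need a public-suffix list in a real deployment.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_brand(url: str) -> Optional[str]:
    """Return the brand a URL imitates, or None when it looks genuine.

    A URL is a lookalike when its hostname contains a brand name (ignoring
    dots and hyphens) but its registrable domain is not on that brand's
    allowlist, e.g. www.bankofamericaincu.co from the article.
    """
    host = (urlsplit(url).hostname or "").lower()
    if registrable_domain(host) in ALL_KNOWN:
        return None  # genuine domain, even though it mentions the brand
    squashed = host.replace("-", "").replace(".", "")
    for brand in KNOWN_BRAND_DOMAINS:
        if brand in squashed:
            return brand  # brand name present on an unknown domain
    return None
```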
What is Spear Phishing?
Phishing in its generic form is a mass distribution exercise and involves the casting of a wider net. Phishing campaigns don’t target victims individually; rather they are sent out to thousands (or even millions) of recipients. Spear phishing, in contrast, is highly targeted. Like fishing with a spear, versus a net, spear phishing targets a single individual. Hackers do this by pretending to know you. It’s personal. Typically, phishers go after someone whom they perceive as “weak,” perhaps someone who is neither technical nor hyperaware of these types of threats. Often, these are individuals such as accountants, lawyers, marketers and so forth.
A spear phishing attacker is after something in particular, like your network login credentials. Another common scheme is for the phisher to pose as a senior employee with the power to request bank transfers (to fraudulent companies). To connect with you in a convincing way, the attacker may engage in social engineering to impersonate people you know, such as colleagues or business acquaintances. The attacker can accomplish this by researching you on the Internet and social media or getting information about you from data breaches using peer-to-peer (P2P) protocols like BitTorrent.
Consider the following spear phishing scenario: Your name is Bob and you work for Joe Smith, your company’s CEO. A spear phisher sees you on LinkedIn and notices that you’re friends with Joe. He follows you on Facebook and learns about your favorite sports teams and reads about a project you’re working on at the office.
The attacker then creates an email account under the name firstname.lastname@example.org. While real Joe is on vacation—information that the phisher has gleaned from Facebook—fake Joe sends you an email that says, “Ugh, Bob… I am on vacation, but I need a wire transfer of $100,000 to a contractor in China for our project. Please take care of it right away. Here are the bank wiring instructions.”
If you’re not paying very close attention, you might complete the fund transfer. This happens more often than you might suspect. Even people who have been trained specifically not to do this tend to get nervous when the “CEO” is pressuring them to do something. After all, it’s Joe, not some stranger… or so you think. Before you know it, you’ve been stabbed by the spear.
Why Do Phishing and Spear Phishing Awareness Matter?
Spear phishing attacks are at the heart of many of the most serious data breaches. There are several reasons for this. For one thing, they target people who purportedly know better than to fall for them. To be fair, though, some of the attacks are extremely sophisticated and can be incredibly difficult to detect.
Normally, email filters can be tuned to stop large-scale phishing attacks. If every single employee gets the same “Dear Sir or Madam” email at the same time, a good email filter will know right away that it’s a scam. Similarly, if an email contains a suspicious URL or an attachment with a known signature, it will never make it to you. However, if you get a personalized email from Bob that contains no URL or attachment, it will invariably slide right through most filters.
Let’s say a phisher steals Joe’s login credentials and can log directly onto the company’s network as “Joe”. This will almost certainly not trigger any alarms. Joe logs in remotely all the time. Why should the intrusion detection system care? Only with extremely sophisticated Artificial Intelligence will a network security solution “know” that Joe is logging in from the wrong location or at an odd hour of the day—and flag the entry. Most of the time, fake Joe will have no problem getting inside the network undetected. After that, “Joe” might copy and remove files, as he often does in the course of “his” job. It could be months, or never, before anyone notices.
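The “wrong location or odd hour” signal mentioned above, as an added example that is not part of the original article: a per-user baseline is built from past remote logins, and a new login is flagged when its source country or hour of day falls outside what that user has done before. The log format and the login records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed remote-login records for "joe": timestamp, user, source country.
HISTORY = [
    "2023-03-01T09:12:00 user=joe country=US",
    "2023-03-02T08:55:00 user=joe country=US",
    "2023-03-03T10:05:00 user=joe country=US",
    "2023-03-06T09:30:00 user=joe country=US",
    "2023-03-07T17:45:00 user=joe country=US",
]


def parse(line):
    """Split one constructed log line into (timestamp, user, country)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["country"]


def build_baseline(lines):
    """Per user: the set of countries and the range of login hours seen."""
    base = defaultdict(lambda: {"countries": set(), "hours": set()})
    for line in lines:
        when, user, country = parse(line)
        base[user]["countries"].add(country)
        base[user]["hours"].add(when.hour)
    return base


def flag_login(baseline, line):
    """Return the reasons a login deviates from its user's baseline ([] if none).

    Hours are judged against the observed range widened by one hour each
    way; a production system would use a longer history and a richer model.
    """
    when, user, country = parse(line)
    if user not in baseline:
        return ["no baseline for user"]
    reasons = []
    if country not in baseline[user]["countries"]:
        reasons.append(f"new country {country}")
    hours = baseline[user]["hours"]
    if not (min(hours) - 1 <= when.hour <= max(hours) + 1):
        reasons.append(f"unusual hour {when.hour:02d}")
    return reasons
```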
Thus phishing, and especially spear phishing, is a dangerous and highly effective attack vector. Defense is possible, however. End user awareness and training, for example, can make a difference in an organization’s level of vulnerability to phishing. In addition, solutions like Vade Secure leverage heuristics, artificial intelligence, and other analytical techniques to identify malicious emails, URLs and attachments, as well as attempts to spoof the identity of colleagues and business acquaintances.