Spear Phishing – Not the Good Kine

By Lindsey Freitas, ICS 171 student

I’ve never gone diving or spear fishing; I’m significantly better at eating or cooking seafood. Spear phishing, on the other hand, requires preparation to deny a threat actor the opportunity to succeed in accessing servers, databases and more.

Phishing, according to CompTIA, is ‘a type of cyber attack that uses email, phone or text to entice individuals into providing personal or sensitive information, ranging from passwords, …to details about a person or organization.’ As shown in the example here, even simple phishing scams can appear to be affiliated with real, trusted entities.

Over at Cisco’s webpage on email security, spear phishing ‘targets specific individuals instead of a wide group of people.’ What makes a spear phishing attack particularly dangerous is that attackers will often research the victim to make the attack seem more legitimate. In other words, spear phishing is tailored more specifically to the victim – a personalized scam, so to speak. This may be the first move by an attacker to gain unauthorized access or data.

Even the best security software and policies are only as good as the users who adhere to them – or don’t. The fact of the matter is that no matter what can be done, there will never be a system that is completely and totally secure. Phishing, and spear phishing attacks in particular, rely on the human element as the weak link in any security system. The illegitimate attempt to gain confidential, privileged, or administrative data is the key point in a spear phishing attack.

According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing. A high-profile, very recent example is the Twitter hack in July of this year: reported to be the result of a successful spear phishing attack, it allowed attackers to tweet a bitcoin scam from verified accounts belonging to Bill Gates, President Barack Obama, and several others. News reports indicated that attackers gained access to powerful internal tools used by only a few Twitter employees, tools that allow access to, and control over, accounts – including access to personal messages.

But wait! When even government entities and tech companies, with their budgets and specialized knowledge, are susceptible to spear phishing attacks, how can we protect ourselves from such a sophisticated threat? It’s as vital now as ever to be aware of threats such as spear phishing, and of how to defend against these and other threats. Like most threats, the best way to mitigate spear phishing attacks is to be mindful and aware of best practices in cyber security.

One of the most important things in protecting against this type of threat is being able to recognize the illegitimate attempt to gain access or gather information. Not supplying personal or confidential information over email or text is a common recommendation, as is ensuring that antivirus and other malware protection is updated regularly. It’s also good practice not to open attachments from unknown sources, and to check emails from known contacts carefully: attackers may mimic legitimate emails in an effort to gather confidential information.

Figure 1 – Legitimate SharePoint Invitation

Figure 1 is an example of a legitimate SharePoint invitation from my IT department at work. Compared to the previous example, it can be difficult to distinguish a legitimate request from a malicious attack. When in doubt, it’s a good idea to contact the organization directly – a phone call might seem inconvenient and old fashioned, but the time it takes will pale in comparison to the potential damage wrought by a successful spear phishing attack.
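The two recommendations above, checking mail from known contacts carefully and telling a mimicked invitation apart from a real one, can be partly automated by looking at the parts of a message the reader usually skips: the real sender address behind the display name, the Reply-To address, and the Authentication-Results header the receiving mail server adds (SPF, DKIM and DMARC outcomes). The script below is an added example written for this post, not code from the original or from any vendor; the two messages, the domains and the list of trusted domains are all constructed for illustration, and the header layout assumes a single-line Authentication-Results header as a mail server would typically write it.

```python
import email
from email.utils import parseaddr

# Constructed sample: the display name mimics the IT department, but the
# sending domain is a lookalike ("examp1e" with a digit one) and Reply-To
# points somewhere else entirely. Authentication checks fail.
SAMPLE_SUSPICIOUS = """From: "IT Department" <it-support@examp1e-corp.com>
Reply-To: helpdesk@mailbox.example
To: lindsey@example-corp.com
Subject: Action required: SharePoint document shared with you
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=fail header.from=examp1e-corp.com

Click here to view the document.
"""

# Constructed sample: a legitimate invitation from the real domain that
# passes SPF, DKIM and DMARC at the receiving server.
SAMPLE_LEGIT = """From: "IT Department" <it-support@example-corp.com>
To: lindsey@example-corp.com
Subject: SharePoint document shared with you
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com

A document has been shared with you.
"""

# Assumed: the domains this organization considers its own.
TRUSTED_DOMAINS = {"example-corp.com"}


def levenshtein(a, b):
    """Edit distance between two strings; small distances flag lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_auth_results(value):
    """Map method -> result, e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}."""
    results = {}
    # The first clause is the authserv-id (the server that did the checking).
    for clause in value.split(";")[1:]:
        clause = clause.strip()
        if not clause:
            continue
        token = clause.split()[0]          # e.g. "spf=fail"
        if "=" in token:
            method, result = token.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of (code, detail) findings; an empty list means nothing stood out."""
    msg = email.message_from_string(raw)
    findings = []

    _display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if from_domain and from_domain not in trusted_domains:
        findings.append(("untrusted_domain", from_domain))
        # A near-miss of a trusted domain is more suspicious than a random one.
        for trusted in trusted_domains:
            if levenshtein(from_domain, trusted) <= 2:
                findings.append(("lookalike_domain", f"{from_domain} resembles {trusted}"))

    # Replies silently redirected to another domain are a classic tell.
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(("reply_to_mismatch", domain_of(reply_addr)))

    # Anything other than an explicit pass on SPF, DKIM and DMARC is reported.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim", "dmarc"):
        result = auth.get(method, "missing")
        if result != "pass":
            findings.append((method, result))
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("legit", SAMPLE_LEGIT)):
        print(label, assess_message(sample))
```

Running it prints six findings for the constructed suspicious message (untrusted and lookalike domain, Reply-To mismatch, and SPF/DKIM/DMARC failures) and none for the legitimate one. None of these checks is proof on its own; a failing DMARC result or a mismatched Reply-To is the cue to pick up the phone and confirm with the sender, as the post recommends.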