Today we will explore spear phishing vs. phishing and how dangerous they can be. But first, let us begin with a story.
Tech Mogul Emily is on top of the world. Her company is releasing the most coveted smartphone on the planet soon. Sales are projected to be in the millions within the first month. She’s got loving fans. She also has envious business rivals who want to replicate her success.
One of her business rivals hires the infamous hacker ‘Malus’ to get a peek at her plans. Malus has one objective – accessing Emily’s phone specs and marketing plans. And since she’s no ordinary CEO, Malus must think outside the box to steal the heavily guarded confidential information. To get at it, Malus relies on spear phishing: a slow but deliberate campaign that aims to get Emily to let her guard down.
So what exactly does spear phishing entail and how is it different from regular phishing?
Phishing is a scam that involves tricking people into giving out personal, professional, and financial information. It is a widespread and generic form of cyberattack where the attacker casts a wide net, sending out mass emails or messages to a large number of people.
Phishing content often uses generic greetings (e.g. “Dear Customer”). It is designed to look like it comes from reputable sources, such as banks, online services, or government agencies, to trick recipients into providing sensitive information like login credentials, credit card details, or personal data. This information is then used to cause financial loss, even identity theft.
Phishing doesn’t discriminate when it comes to victims. Spear phishing does.
Spear phishing is the stuff spy thrillers and industrial espionage flicks are made of. This technique targets a specific person, group or business. It can be the IT security guy in charge of the server room, or a big-shot CEO who has company secrets on their laptop.
In this case, Emily is the high-profile target Malus is after.
Daniela Oliveira, a renowned cybersecurity researcher, says that deception is “as old as human beings, and phishing is deception in cyberspace.”
As human beings, we make countless decisions every day, and most of them are mental shortcuts: quick, split-second judgements. One of those shortcuts is assuming that other people are more likely to tell the truth than to lie, and that assumption is exactly what makes us easy targets for phishing.
If someone receives an email that appears to come from their bank, asking for personal information to “secure” the account, most people will assume the email is legitimate.
Phishing relies on:
Broadly targeted attacks
Mass distribution of fraudulent messages
Impersonation of trusted entities
Oliveira outlines why phishing works. She illustrates this using Nobel-winning psychologist Daniel Kahneman’s two systems of thinking model.
Human beings rely on two thinking models for making decisions:
System 1: fast, intuitive and emotional decision-making.
System 2: slow and deliberate decision-making.
We touched on System 1 earlier: most mass phishing scams are built to trigger an impulsive, System 1 reaction.
Spear phishing assumes a tougher nut to crack: a target who makes decisions with System 2, that is, with deliberate, critical thinking. The email is therefore crafted to survive that scrutiny.
Here’s a story that illustrates how a spear phishing attempt can succeed even against System 2 decision-making.
In 2016, the Hillary Clinton presidential campaign suffered a huge reputational loss when her campaign chairman John Podesta’s team clicked on a phishing email.
By following that link and “changing” the password on the attackers’ page, his team inadvertently handed a foreign country access to politically sensitive information.
The attackers made the spear phishing email look like the genuine article: they impersonated Google, hid the real destination of the link behind a URL shortener, and created a sense of urgency that pushed the target to act right away.
Whoever tried to change Podesta’s password clicked on the shortened URL rather than navigating to the real "https://myaccount.google.com/security" page. The result: his account was compromised.
This level of sophistication makes all the difference between phishing vs. spear phishing threats.
Things to watch out for in spear phishing:
Use of social engineering tactics. Cybercriminals do their research and exploit human psychology rather than technical loopholes to find the weakest link.
Targeted attacks. The attackers specifically select and research the victim.
Personalized content to deceive victims. To disguise the attack, a spear phishing email addresses you by name and refers to details the attacker has researched, so it looks legitimate to an undiscerning eye.
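The Podesta email above and the three tells in this list are all things a mail gateway or an analyst can check mechanically: who the message claims to be from versus where its links actually go, whether a link hides its destination behind a shortener, whether the visible link text disagrees with the real href, whether the wording manufactures urgency, and whether the greeting is generic (mass phishing) or by name (spear phishing). The script below is an added example written for this article, not code from the original page; the sample message is constructed for the example and is not the real Podesta email, and the shortener list, urgency phrases, brand-to-domain map and the two-label "registrable domain" heuristic are assumptions chosen for illustration.

```python
"""Triage a suspicious e-mail for the spear phishing tells discussed above.

Added example, not part of the original article. The message, the shortener
list, the urgency phrases and the brand/domain map are all assumptions.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the example: shortener hosts that hide a link's destination,
# phrases that manufacture urgency, and the domain a brand's links should stay on.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
URGENCY_PHRASES = ("immediately", "right away", "within 24 hours", "will be suspended")
BRAND_DOMAINS = {"google": "google.com", "paypal": "paypal.com", "microsoft": "microsoft.com"}

# Constructed sample message (not a real phishing e-mail): claims to be Google,
# greets the target by name, manufactures urgency, and hides the destination
# of its "change password" link behind a URL shortener.
SAMPLE_EML = """\
From: Google Accounts <no-reply@accounts-google-security.example>
To: emily@phonemaker.example
Subject: Someone has your password
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Emily,</p>
<p>Someone just used your password to try to sign in to your Google Account.
You should change your password immediately.</p>
<p><a href="https://bit.ly/3xAmpL3">CHANGE PASSWORD</a></p>
<p>Or visit <a href="https://bit.ly/3xAmpL3">https://myaccount.google.com/security</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Last-two-labels heuristic; adequate for .com-style hosts (assumption).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw):
    """Return the claimed brand and a list of phishing tells found in the mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = re.sub(r"<[^>]+>", " ", body)  # crude tag strip for greeting/urgency checks
    findings = []

    # Who does the mail claim to be from, and does the sender domain match?
    name, addr = email.utils.parseaddr(msg["From"])
    sender_domain = addr.split("@")[-1]
    brand = next((b for b in BRAND_DOMAINS if b in name.lower()), None)
    if brand and registrable_domain(sender_domain) != BRAND_DOMAINS[brand]:
        findings.append(f"sender domain {sender_domain} is not {BRAND_DOMAINS[brand]}")

    # Where do the links really go, and does the visible text agree with the href?
    parser = LinkExtractor()
    parser.feed(body)
    for href, shown in parser.links:
        host = urlparse(href).hostname or ""
        if host in SHORTENER_HOSTS:
            findings.append(f"link {href} uses shortener {host}; destination hidden")
        elif brand and registrable_domain(host) != BRAND_DOMAINS[brand]:
            findings.append(f"link {href} leaves {BRAND_DOMAINS[brand]}")
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            findings.append(f"anchor text shows {shown_host} but href goes to {host}")

    # Pressure and personalisation: urgency is common to all phishing;
    # a greeting by name is the spear phishing tell.
    for phrase in URGENCY_PHRASES:
        if phrase in text.lower():
            findings.append(f"urgency phrase: '{phrase}'")
    m = re.search(r"\b(?:[Hh]i|[Hh]ello|[Dd]ear)\s+([A-Z][a-z]+)\b", text)
    if m and m.group(1).lower() not in ("customer", "user", "member"):
        findings.append(f"personalised greeting to '{m.group(1)}'")

    return {"brand": brand, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("-", line)
```

Run it as a script and it prints one line per tell found in the sample: the sender domain that is not google.com, the shortener on both links, the anchor text that shows myaccount.google.com while the href goes to bit.ly, the word "immediately", and the greeting by name. Each tell is weak on its own (legitimate mail also uses shorteners and first names); what makes the sample suspicious is the combination, which is why the function returns the full list rather than a verdict. Resolving the shortened link to its final destination is deliberately left out so the example runs offline; in production that lookup should be done from a sandboxed host, never by the recipient.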
Employing a mix of social engineering and technical hacking skills, Malus manages to gain access to information about the phone Emily is launching in the coming months. He now knows the price and specifications of the phone and the company’s marketing strategy. Becoming a target of industrial espionage through spear phishing ends up costing Emily, and her company, a lot in the next quarter.
Here are some of the consequences:
Financial loss - loss of sales as competitors release a better phone for the same price point.
Data breaches and theft - the company fires its IT security team after an initial investigation reveals that Emily had reused the same password for the past year.
Reputational damage to individuals and organizations - Emily’s competitors leak the news about hackers accessing sensitive company information.
Every setback provides an opportunity.
Companies like the one Emily runs can make sure the next attempt fails, but that takes real investment in security readiness, and the numbers show why it is worth it.
McKinsey notes that the number of spear phishing attacks increased nearly sevenfold following the start of the pandemic, highlighting the evolving sophistication and persistence of cyber criminals. According to IBM’s Cost of a Data Breach 2022 report, phishing was the second most common initial attack vector among the breaches studied. The report also found that phishing was the costliest vector, at an average of $4.91 million per breach, and the costs of a targeted spear phishing attack can significantly exceed even that amount. In one high-profile case, spear phishers stole more than $100 million from Facebook and Google by posing as a legitimate vendor and tricking employees into paying fraudulent invoices, a business email compromise in which the payoff was a wire transfer rather than a password.
Given these escalating threats, vigilance and staying informed are essential parts of an effective defense against spear phishing. Combining technical safeguards, employee education and a strong cybersecurity culture is what protects an organization against both phishing and spear phishing.
Feel like you're adequately familiar with this particular phishing tactic? Take our spear phishing quiz to find out.