How a Spear Phishing Email is Created

Spear-phishing is a much misunderstood topic in the business community. This is the first in a three-part series designed to help you understand how you can reduce your risk of being ‘caught’. These three blogs will explore the before, during and after processes of a spear-phishing attack. But how is a spear-phishing email created?

Data from ‘Verizon’s 2018 Data Breach Investigation’ report shows that 93% of cybersecurity mishaps result from successful spear-phishing attacks, with the average cost of a successful spear-phishing attack being a shocking $1.6 million As regular phishing attacks are sent randomly to a large audience without any targeted efforts, it’s with no surprise that spear-phishing emails are far more successful. Spear-phishing emails have an open rate of 70%, and 50% of those opening them also click on the attachment or link, which amounts to 10 times more clicks than for generic phishing.

Spear-Phishing on the Rise

Spear-phishing is a highly personalised form of attack that provides a believable context for the victim to engage with. The attacker usually impersonates a colleague, website or organisation to obtain confidential information rather than login credentials or financial information. There are two main types of spear-phishing emails: Brand impersonation and Business Email Compromise (BEC). Brand impersonation is by far the most popular, accounting for 83% of attacks. These emails are designed to impersonate well-known companies in order to steal credentials and carry-out account takeover.  BEC attacks, also known as ‘CEO fraud’, are not as widespread, although the daily frequency of these attacks has seen an increase of 50% between 2018 and 2019. 

The success of spear-phishing attacks results in the combination of highly customised tactics such as victim segmentation, email personalisation and sender impersonation to evade security defences. IT and security professionals have noticed a 25% rise in the number of spear phishing attacks that bypass traditional email security.

In recent years, spear-phishing has become more prevalent and has proven very effective for criminals. As a form of cyberattack that aims to gain undetected long-term access to an organisation’s data, credentials and assets, the strength of this attack escalates over time - usually taking over an entire network in an hour, and causing more far-reaching damage than a generic attack. As frequency increases and content gets more and more sophisticated, it is essential to protect your organisation from these costly attacks.

How Attackers Collect Information for Spear-Phishing

The internet has made it easier for cyber criminals to collect information about their target without requiring any specific skills. Through online research, attackers surveil their target so that their attack is perfectly timed and blends in with other emails.

Public Information

A phishing email can easily be constructed with publicly available information released by organisations online. The type of information shared is usually financial, and becomes available through reports, websites or software. Information, including demographics (size, turnover etc.), the structure (diagram, departments etc) and their relationships (subsidiaries, third-party partners etc) can also found on corporate websites and public relations documents.

Third-Party Sites

Social engineers can also scrutinise third-party relationships with hopes of gaining insight into an organisation’s interests. Some charity websites may publish information about executives’ membership or sources of funding. It can be necessary to ask them to minimise the businesses’ or executives’ exposure on their website.

Government Records

Public records maintained by the government offer a large volume of identifiable information. These are usually available in a fragmented way, containing valuable information about corporate and business records. Combined, they constitute a valuable profile for attackers, particularly with regards to finding properties or political commitments.

People-Search Sites

People-search engines constitute another free available source of information that are built with a hyper-focus to find people-related information such as arrest records, online profiles, registered domains, online interests, or even blog posts. When all of this information is compiled, it can provide useful insights for attackers. In order to prevent it from happening, most sites have an opt-out mechanism. It is important to monitor this monthly as the person can be re-added.

Social Media Accounts

Social networks are also a valuable source of information for attackers to target executives – with users who often disregard privacy rules and share more than they should. This type of private information enables the attacker to create extremely accurate and compelling emails. Collecting information for spear-phishing is relatively easy for social engineers, so it's essential for organisations to minimise the amount of information available online.

A few important questions remain: what do these well-crafted emails look like and how can we identify them? The answers to this are in our next phishing blog: How to Spot a Spear-Phishing Email.