Spear Phishing Indicators

Having covered the rise of spear phishing and how easily criminals can collect the information needed to build a targeted attack, we can now look at the indicators that help you spot a spear-phishing email, and the approaches attackers use. Since 2018, spear-phishing attacks have not only increased by 65% but have also become more sophisticated, with 97% of people unable to identify one. How to spot a phishing email therefore remains a source of confusion for many.

Spear phishing can be one of the most effective ways of obtaining sensitive information over the internet, but it depends almost entirely on the target interacting with the message. It is crucial, therefore, that organisations train their employees to spot a spear-phishing email so that sensitive information is kept secure.

Four Indicators to spot a Spear-Phishing email

The Email Subject

Today users receive an increasing number of sophisticated phishing emails, but researchers have noticed that certain subject lines are used far more widely than others: nearly 60% of the emails they reviewed used one of only 50 subject variations. These subject lines aim to create urgency, curiosity or a sense of familiarity. The Barracuda Networks Spear Phishing <a href="https://www.barracuda.com/spear-phishing-report" target="_blank">report</a> shows the top five most-used subject terms are “Request” (36%), “Follow up” (14%), “Urgent/Important” (12%), “Are you available?” (10%) and “Payment Status” (5%). <a href="https://www.scmagazine.com/home/security-news/top-12-phishing-email-subject-lines/" target="_blank">All of these are familiar to users</a>, while also impressing on them a sense of duty to comply with the request.

Some messages are made to look like part of an existing conversation by adding “Re:” or “Fwd:” to the subject, even though the recipient never sent the message being “replied to”. Subject lines also differ from one country to another; for example, CEO fraud emails targeting the U.S. and the UK are mostly labelled “Important”, while those aimed at Spain, France and Germany use the business vernacular of the respective languages.

The Email Sender and Address

The next indicator to check is the sender of the email and their email address. According to GreatHorn’s survey, impersonation is the most frequent threat, accounting for 45% of spear-phishing emails. Business Email Compromise (BEC) is the form of impersonation in which the attacker poses as a high-level executive, typically to request a payment or confidential data.

According to the FBI’s latest Internet Crime Report, BEC cost victims $1.3 billion in 2018 alone. Between 2018 and 2019 the average number of BEC attacks per day rose by 50%. The US (39%) and the UK (26%) are the regions most targeted by BEC attackers.

One of the most common spear-phishing tactics is to impersonate an organisation by abusing its domain. This usually involves registering look-alike domain names which, at a glance, appear legitimate, or building websites that credibly replicate the organisation’s own. According to Cisco researchers, the number of newly created domains has risen by 64% since January 2019, and an unknown proportion of these are designed to deceive users. Although every domain name must be unique, there are many ways to create an address that looks like the real one: swapping visually similar characters (“rn” for “m”, “0” for “o”), adding or dropping a letter, using a different top-level domain, or placing the real name in front of an unrelated domain as a subdomain.

To demonstrate how hard a spoofed domain can be to spot, Gimlet Media producer Phia Bennin ran an experiment, enlisting the help of an ethical hacker to phish her colleagues.

The hacker first registered the domain ‘gimletrnedia.com’, spelled r-n-e-d-i-a instead of m-e-d-i-a, and then sent email from it posing as Bennin. The phishing email fooled many employees, showing how easily this method can be used to exploit users.
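The kind of check a mail gateway or security team can run on sender domains to catch the gimletrnedia.com trick, as an added example that is not part of the original post: it strips subdomains to the registrable domain, folds confusable characters (“rn” to “m”, “0” to “o”, accented letters to their base letter, i/l/1 to one class) and then compares the result with a list of the organisation’s own domains by exact, homoglyph, name-reuse and edit-similarity matching. The protected-domain list, the test addresses and the punycode label are constructed for the example, and the short two-level suffix table is a stand-in for the full public suffix list.

```python
"""Look-alike sender-domain check (added example, not code from the original post).

Flags sender domains that resemble one of the organisation's own domains:
homoglyph swaps such as 'rn' for 'm', digit-for-letter swaps such as '0'
for 'o', accented or punycode labels, single-character typos, and the
real name reused under another TLD or with extra words bolted on.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed for this example: the domains this organisation really sends from.
PROTECTED_DOMAINS = ["gimletmedia.com", "hutsix.co.uk"]

# Confusable sequences collapsed to one canonical form. Multi-character
# sequences come first so that 'rn' is folded to 'm' before single letters.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b"),
    ("i", "l"),  # i, l and 1 are near-identical in many sans-serif fonts
]

# Stand-in for the public suffix list; use the real list in production.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def registrable(domain: str) -> str:
    """Strip subdomains: 'mail.gimletmedia.com' -> 'gimletmedia.com'."""
    labels = domain.strip().lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """Fold a domain to a canonical form so look-alikes compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # é -> e
    for seq, canonical in HOMOGLYPHS:
        d = d.replace(seq, canonical)
    return d


def assess_sender_domain(sender_domain, protected=PROTECTED_DOMAINS, threshold=0.85):
    """Return (verdict, matched protected domain or None, reason)."""
    reg = registrable(sender_domain)
    if reg in protected:
        return ("legitimate", reg, "exact match with a protected domain")
    if any(label.startswith("xn--") for label in reg.split(".")):
        return ("suspicious", None, "internationalised (punycode) label")
    norm = normalise(reg)
    for p in protected:
        pnorm = normalise(p)
        if norm == pnorm:
            return ("suspicious", p, "homoglyph match after normalisation")
        brand = pnorm.split(".")[0]
        if len(brand) >= 5 and brand in norm:  # same name, different TLD or extra words
            return ("suspicious", p, f"reuses the name {p.split('.')[0]!r}")
        ratio = SequenceMatcher(None, norm, pnorm).ratio()
        if ratio >= threshold:  # one or two characters added, dropped or swapped
            return ("suspicious", p, f"edit similarity {ratio:.2f} to {p}")
    return ("unknown", None, "no resemblance to a protected domain")


if __name__ == "__main__":
    for d in ["mail.gimletmedia.com", "gimletrnedia.com", "gimletmedia.co", "hutslx.co.uk",
              "hutsix-invoices.com", "xn--hutsx-kva.co.uk", "example.org"]:
        print(f"{d:24} {assess_sender_domain(d)}")
```

A verdict of “unknown” is not a clean bill of health; it only means the domain does not resemble one the organisation owns, which is the right moment to apply the other indicators in this post rather than to stop checking.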

Links and Attachments

More than half of phishing emails contain links to malware or carry malicious attachments. Attachments are often executable (.exe) files disguised as more familiar file types such as PDF, Word or Excel documents, for example by using a double extension like ‘invoice.pdf.exe’, which looks like a PDF on a system that hides known extensions. Archives such as .zip files remain the most used by attackers, representing nearly a third of attachments (Cisco researchers, Email Security Threat Report). A plain .txt file cannot itself carry executable code, but check that .txt really is the final extension before trusting it. For links, hover your mouse over them before clicking: the real destination URL appears in the status bar, and the domain in that URL, not the text of the link, is what matters. Look for modifications such as extra numbers or letters in the domain, and for the real brand name used as a subdomain of, or as ‘username’ text in front of, an unrelated domain. The same applies to the ‘from’ field: hovering over or expanding the sender’s display name reveals the actual address behind it.

Mimecast’s security researchers have spotted a new phishing attack that uses an SHTML file attachment, a file type commonly used by web servers. The attack used a so-called ‘bill’ to trick the user into clicking a link which redirected them to a malicious website asking for confidential information. This campaign mainly targeted the finance and accounting sectors and higher education. According to Mimecast’s June 2019 report, an employee received on average one malicious URL for every 69 emails. Newer phishing attempts go as far as replacing the text of the message with images, so that security software scanning for suspicious wording finds nothing to read.
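Putting the link, attachment and sender indicators from this section into a check that runs over a raw message, as an added example rather than code from the original post. It also covers the subject-line indicator from earlier: a subject starting “Re:” or “Fwd:” on a message with no In-Reply-To header. The message it scans is constructed for the example (gimletrnedia.com is the domain from the Gimlet experiment above; the addresses, filenames and attachment bytes are made up), and the extension sets are a starting point rather than a complete catalogue.

```python
"""Spear-phishing indicator scan over a raw email (added example, not code from the original post)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1", "jar", "lnk", "iso", "shtml", "html"}
DOCUMENT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
ARCHIVE = {"zip", "rar", "7z", "gz", "tar"}

# Constructed sample message for this example; the attachment bodies are placeholder bytes.
RAW_EMAIL = """\
From: Phia Bennin <phia@gimletrnedia.com>
Reply-To: accounts@mail-gimlet.example
Subject: Re: Payment Status - Urgent
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review the attached bill and confirm payment here:
<a href="http://www.gimletmedia.com@gimletrnedia.com/login">https://www.gimletmedia.com/billing</a></p>
--b1
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, text):
    # Does the link really go where its text says it does?
    findings, dest = [], urlparse(href)
    host = (dest.hostname or "").lower()
    if dest.username is not None:  # http://brand.com@attacker.com lands on attacker.com
        findings.append(f"'{dest.netloc}' actually goes to {host}")
    if re.match(r"https?://", text, re.I):
        shown = (urlparse(text).hostname or "").lower()
        if shown and shown != host:
            findings.append(f"link text shows {shown} but goes to {host}")
    return findings

def check_attachment(filename):
    # Is the attachment an executable wearing a document's name?
    findings, exts = [], filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    if last in RISKY:
        findings.append(f"{filename}: executable or script type .{last}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT:
        findings.append(f"{filename}: double extension passes .{last} off as .{exts[-2]}")
    if last in ARCHIVE:
        findings.append(f"{filename}: archive may conceal an executable")
    if "\u202e" in filename:  # right-to-left override reverses the displayed name
        findings.append(f"{filename!r}: RTL override hides the real extension")
    return findings

def check_headers(msg):
    domain = lambda h: parseaddr(str(h or ""))[1].rpartition("@")[2].lower()
    findings, from_dom, reply_dom = [], domain(msg["From"]), domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if re.match(r"\s*(re|fwd?)\s*:", str(msg["Subject"] or ""), re.I) and not msg["In-Reply-To"]:
        findings.append("subject claims a reply/forward but no In-Reply-To header is present")
    return findings

def scan(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = check_headers(msg)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        findings += [f for href, text in collector.links for f in check_link(href, text)]
    findings += [f for p in msg.iter_attachments() for f in check_attachment(p.get_filename() or "")]
    return findings
```

`scan(RAW_EMAIL)` returns one finding per indicator the sample trips: the mismatched Reply-To, the fake “Re:”, the `brand@attacker` link whose text shows gimletmedia.com, the `.pdf.exe` double extension and the archive attachment. None of these alone proves a message is malicious; the value is in surfacing them so a reader or a gateway can weigh them together.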

The Message Content

A phishing email can easily be built from the vast amount of publicly available information about a target, much of it accessible online. Targeted attackers use this information to craft sophisticated emails that are difficult to identify. Some attackers play a ‘long game’, building up a relationship with the victim over several messages in order to methodically acquire sensitive information.

Because the attacker can refer back to the earlier conversation and the details already obtained, a malicious link or attachment sent at this stage looks far less suspicious. Spotting these indicators can save your organisation from the impact of a cyber-attack: the loss of money, sensitive information and personal data, as well as reputational damage and interruption of services.

In the last part of this blog series, we will look at how important it is to detect an attack and at the steps needed to protect your company.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
