Having covered the rise of spear phishing and how easily criminals can collect information to create targeted attacks, we can now examine the different indicators that can be used to spot a spear-phishing email, and the approaches that attackers can use. Since 2018, spear-phishing attacks have not only increased by 65% but are also getting more sophisticated; with 97% of people unable to identify one.[1] But How to spot a phishing email remains a source of confusion for many.

This can be one of the most effective ways of gaining sensitive information over the internet, but is largely contingent upon user interaction[2]. It is crucial therefore that organisations and employees are trained to spot a spear-phishing email to ensure your sensitive information is kept secure.

Four Indicators to spot a Spear-Phishing email

The Email Subject

Today users receive an increasing amount of sophisticated phishing emails, however researchers have noticed that certain subject lines are used more widely by attackers. Nearly 60% of the emails reviewed by researchers included the same list of only 50 subject variations.[3] These subject lines aim to arouse in users urgency, curiosity or a sense of familiarity. The Barracuda Networks Spear Phishing report shows the top 5 most-used subject terms are “Request”(36%), “Follow up”(14%), “Urgent/Important”(12%), “Are you available?” (10%) and “Payment Status” (5%). [4] All of which, are familiar to users, whilst also impressing a sense of duty to comply with requests.

Some messages are intended to appear as if from a previous conversation by including “Re:” or “Fwd:”.[5] Subject lines can also differ from one country to another; for example, CEO fraud emails targeting the U.S and the UK are mostly labelled “Important”, while countries like Spain, France and Germany use a different business vernacular, more common to the respective languages. 

The Email Sender and Address

The next indicator to check is the sender of the email and their email address. According to Great Horn’s survey, impersonation is the most frequent threat, accounting for 45% of spear-phishing emails. Business Email Compromise (BEC) is a technique that includes using the name of a high-level executive.

According to the FBI’s latest Internet Crime report, BEC cost $1.3 billion in lost revenue in 2018 alone.[6]  Between 2018 and 2019, the daily average of BEC has seen a 50% increase. The US (39%) and the UK (26%) are the most targeted regions by BEC attackers.

One of the most common spear-phishing tactics is to exploit an organisation’s domain to impersonate it. This usually involves setting up false domain names which, at a glance, look legitimate, or by creating websites which credibly replicate that of the organisation. Since January 2019, the number of new domains created have increased by 64%[7], an unknown number of which are designed to deceive users. Even though each domain name requires uniqueness, there are many methods to create addresses that look alike. 

In order to demonstrate how challenging it could be to identify a spoofed domain, Gimlet Media producer Phia Bennin decided to conduct an experiment. In this experiment, Bennin enlisted the help of an ethical hacker to phish employees. 

First adopting the domain ‘gimletrnedia.com’; spelled r-n-e-d-i-a instead of m-e-d-i-a and then sending the email by posing as Bennin, the phishing email successfully fooled many employees; demonstrating the relative ease with which this method can be employed to exploit users. [8]

Links and Attachments

More than half of phishing emails contains links to malware[9]. These are typically in the form of executable (.exe) files which can be hidden after other recognisable file types such as PDF, Word or Excel documents. Archives, such as .zip files, remain the most used by attackers representing nearly a third of the attachments. [10] The only file type that stays secure and cannot hide .exe files is a .txt file. By hovering your mouse over the ‘from’ address, you can see the validity of the address and whether the domain of the URL points to a malicious email – usually including modifications such as additional numbers or letters.

A new phishing attack has been spotted by Mimecast’s security researchers using a SHTML file attachment, a file type commonly used by web servers[11]. The attack used a so-called ‘bill’ to trick the user into clicking on the link, which redirected them to a malicious website asking for confidential information. This phishing campaign was mainly targeted the finance and accounting sectors and the higher education sector. According to Mimecast’s June 2019 report, an employee received on average a malicious URL for every 69 emails sent. These new phishing attempts can even go as far as using images instead of text to avoid detection from security software. 

The Message Content

A phishing email can be easily generated by utilising the vast amount of publicly available information, much of which is accessible online. Target-oriented attackers use this information to create sophisticated emails, making them difficult to identify. Certain attackers will play the ‘long-game’ strategy which consists of building up a relationship with the victim, to methodically acquire sensitive information.[12]

Considering the previous conversation and the key information obtained, this approach allows the attacker to send a malicious link or attachment without looking suspicious. Spotting these indicators can save your organisation from the impact of a cyber-attack: the loss of finances, sensitive information and personal data, as well as damage to reputation and interruption of services.

In the last part of this blog series, we will see how important it is to detect an attack and take the necessary steps to protect your company. What to do if You’ve Been Phished?


[1] https://www.comtact.co.uk/blog/phishing-statistics-2019-the-shocking-truth

[2] https://digitalguardian.com/blog/what-is-spear-phishing-defining-and-differentiating-spear-phishing-and-phishing

[3] https://www.advisory.com/daily-briefing/2019/03/21/phishing-emails

[4] https://www.scmagazine.com/home/security-news/top-12-phishing-email-subject-lines/

[5] https://www.bbc.co.uk/news/technology-49857948

[6] https://www.symantec.com/blogs/threat-intelligence/bec-scams-trends-and-themes-2019

[7] https://www.cisco.com/c/dam/en/us/products/collateral/security/email-security/email-threat-report.pdf

[8] https://www.itgovernance.co.uk/blog/5-ways-to-detect-a-phishing-email

[9] https://www.thesslstore.com/blog/20-phishing-statistics-to-keep-you-from-getting-hooked-in-2019/

[10] https://www.cisco.com/c/dam/en/us/products/collateral/security/email-security/email-threat-report.pdf

[11] https://www.mimecast.com/blog/2019/07/shtml-phishing-attack/

[12] https://www.sciencedirect.com/topics/computer-science/spear-phishing-attack