In my blog on the PCI DSS, I mentioned how some of our clients undergo scams to check their PCI compliance. Spear phishing is a targeted phishing attack that uses very focused and customized content that's specifically tailored to the targeted recipients (typically, after reconnaissance on the recipients by the attacker). When attackers go after a “big fish” like a CEO, it’s called whaling. Phishing is a generic term for email attacks that try to steal sensitive information in messages that appear to be from legitimate or trusted senders. The emails asked recipients to reset their passwords and provided a link to do so. And it’s possible a scammer might do this with a URL as well. Whaling is not very different from spear phishing, but the targeted group becomes more specific and confined in this type of phishing attack. Most phishing attacks are sent by email. Phishing comes in many forms, from spear phishing, whaling and business-email compromise to clone phishing, vishing and snowshoeing. In the same way, you might consider putting your employees to the test when it comes to spear phishing. Spear phishing attacks could also target you on multiple messaging platforms. Unsurprisingly, tons of data can be found on social media platforms such as LinkedIn. Scammers typically go after either an individual or business. Similarities between the two addresses offer the impression of a secure link, making the recipient less aware that an attack is taking place. Phishers may perform research on the user to make the attack more effective. Opening a file like the one embedded into the email will launch ‘PowerDuke’ into action. Spear phishing uses the same methods as the above scams, but it targets a specific individual. This month, our client was one of their victims. Phishing attack examples. Tell employees to visit a site directly. And it’s one reason we offer employee training on cybersecurity. Hackers employ bots to harvest publicly available information.
In the beginning of September 2020, Proofpoint revealed that it had detected two spear-phishing attack campaigns involving China-based APT group TA413. We have all heard about how the Democratic National Committee (DNC) fell victim to a cyberattack where their email systems were breached during the U.S. presidential race. Why would the hackers want the information from W-2s? Ransomware is still a threat to businesses everywhere, but there’s a variation that’s emerged on the scene in September that’s even trickier to deal with. They are one type of spear phishing, in which the bad guys typically … In addition to carefully scrutinizing the email address, they should also pay attention to the grammar of the email. So, the request for W-2s on all employees wasn’t as outlandish as some other phishing campaigns can be. Spear phishing, unlike phishing attacks, which target a large audience and are often distributed by botnets, targets very specific individuals, as I mentioned, within a financial department … I don’t think our client will get their money back. Whaling. To make these kinds of emails appear true-to-life, hackers alter the “from” field. 30% of phishing emails get opened – hackers are able to send out thousands of emails at a time! If you haven’t already, read this blog post on how I was nearly spear phished. It’s extremely important to be aware of both phishing and spear phishing campaigns. For example, an email from a bank or a note from your employer asking for personal credentials. The crook will register a fake domain that … Proofpoint’s 2019 State of the Phish Report found that 83% of respondents were hit by at least one spear phishing attack in the last year. Vishing.
If you’re located in Charlotte, we’d be happy to discuss how we can assist in employee education. But please realize that DMARC won’t solve all your problems. CEO Fraud Model. Between late 2015 and early 2016, more than 55 companies fell victim to a highly-tailored spear phishing … The hacker messaged our client through email and impersonated our client’s vendor. … Spear phishing attacks employ an email with a deceptive link. Depending on scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering. These documents have a wide range of sensitive information that can be used for various forms of identity theft. The origins of these phishing attacks are causing more alarm in … For example, the letter “W” might be replaced with the Russian character “ш”. How to Prevent a Spear Phishing Attack. Here are some 2016 statistics on phishing attacks. This screenshot shows an example of a phishing email falsely claiming to be from a real bank. Spear Phishing. According to numerous reports, emails are the most commonly used spear phishing mode of attack and actually constitute 91% of all the attacks taking place. And a spear phishing attack was launched. The sophistication of this attack is stunning. An example of a spear phishing attack that could occur: say you share online that you will be traveling to Atlanta soon, and you then get an email from a colleague (apparently) saying, “Hey, while you’re in Atlanta you’ve got to eat at Ladybird, check out their menu.” This fairly sophisticated spear phishing attack … Following are some of the predominant varieties of spear-phishing attacks around us. Our client did notice that their “vendor” made some writing mistakes. Once your employee discloses sensitive information or responds to a spear phishing email, an actual hacker may become involved. (It’s the section of an email that supposedly indicates who wrote the message.)
Spear phishing is often the first step used to penetrate a company's defenses and carry out a targeted attack. You need two-factor authentication (2FA). There is no shortcut to testing your defenses against a ransomware attack. What is Spear Phishing If an average phishing attack relies on chumming the waters (or email inboxes) with lots of bait in the hope of generating a few bites, spear phishing is the equivalent of Captain Ahab chasing his white whale across the Seven Seas. In this widespread form of spear-phishing, an … The … But it will also ensure that should a hacker obtain an employee’s username and password, this doesn’t mean he or she will have access to your employee’s account. The emails ‘urgently asked for the W-2s of all employees working under them.’ By impersonating the CEO of these companies, hackers experienced a ton of success as no one wants to disappoint or keep their CEO waiting on a request. Impersonating Outsiders. Have your employees examine the details of any email requesting sensitive information. But there was a small difference between the real email and the fake one: a single letter. And, to mitigate your risk, you must educate your team. Phishing versus spear phishing. Below is an example of an eFax document that was included in the spear phishing campaign. And it’s unrecoverable. Frankly, your organization is only one clever email away from a spear phishing attack. … This spear phishing campaign targeted individuals working directly below the CEO. Scammers are targeting businesses all the time, but here are a few... Ubiquiti Networks Inc. … This shows just how hard it is to identify and properly respond to targeted email threats. Each month, hackers are busy at work—trying to compromise companies and steal their funds. Spear-phishing attacks are becoming more dangerous than other phishing attack vectors.
This allows the hackers to carry out a large range of commands including the uploading and downloading of files, remote wiping of files and accessing details about the infected machine, its user, and the network it runs on. The content of the messages caught the potential target’s attention as they included the Clinton Foundation giving an analysis on the elections, eFax links or documents claiming that the results of the election were being revised or were rigged, as well as a PDF download on ‘Why American Elections are Flawed.' An attacker becomes aware of a sensitive internal project at a target organization. This attack is a perfect example of how a simple, deceitful email and web page can lead to a breach. They pushed some key psychological buttons. This example of a phishing attack uses an email address that is familiar to the victim, like the one belonging to the organization’s CEO, Human Resources Manager, or the IT support department. Spear-phishing targets a specific person or enterprise instead of a wide group. The attacker spoofs the original sender's email address. At the center of the discussion was a payment (to the vendor) that was worth tens of thousands of dollars. When you use 2FA, you make it tough for hackers to break into an employee’s email account. Examples of Spear Phishing. What makes spear phishing attacks so dangerous is that hackers bypass all of your network security and compromise your employees. It is different from other … (At Proactive IT, this is actually something we offer.) Not sure if an email is coming from a hacker or a legitimate sender? Keep in mind that this doesn’t completely guarantee security. This campaign was responsible for stealing and compromising the W-2 U.S. tax records of every employee working for these companies in 2015.
“Weidenhammer has been victim of a spear phishing event that has resulted in the transfer of 100 … Spear Phishing Definition Spear phishing is a common type of cyber attack in which attackers take a narrow focus and craft detailed, targeted email messages to a specific recipient or group. Spear phishing is often the first step used to penetrate a company’s defenses and carry out a targeted attack. Spear phishing presents a much greater threat than phishing in general as the targets are often high-level executives of large corporations. It’s difficult to detect a phishing scam, but it’s possible. Suppliers can be impersonated too. The hacker chose a relevant discussion to target. A good rule of thumb is to treat every email as a suspicious one. Attackers often research their victims on social media and other sites. Treat every email with caution. WatchPoint has created a PowerShell script to allow you to simulate an attack. Spear phishing is a form of email attack in which fraudsters tailor their message to a specific person. Spear phishing emails can target large groups, like the Hilton Honors members, or small groups, such as a specific department or individual. Phishing vs Spear Phishing Phishing and spear phishing are very common forms of email attack designed to trick you into performing a specific action—typically clicking on a malicious link or attachment. I mentioned this in another blog, but it bears repeating. Even one of the largest e-mail providers for major companies like Best Buy, Citi, Hilton, LL Bean, Marriott, has been the target of a spear phishing attack that caused the stealing of customers’ data. Once the malware is installed, the backdoor contacts the command and control network. As you’ll see in our client’s spear phishing example, an attack can be quite elaborate. Think again! If you have employees who didn’t make As in high school English class, introduce them to a tool, such as Grammarly, to spot language errors. Phishing Attack Examples.
Similar to spear phishing… One adversary group, known as Helix Kitten, researches individuals in specific industries to learn about their interests and then structures phishing messages to appeal to those individuals. Mult… However, the quantity and quality of phishing emails have dramatically improved over the last decade and it's becoming increasingly difficult to detect spear phishing emails without prior knowledge. It was Christmastime, so this “CEO” asked an employee to buy Amazon gift cards and send over the codes for the purchased cards. You might think your company is immune to compromised data security. In contrast, more sophisticated phishers do their homework, then specifically target certain groups, organizations, or people. Here, you’ll find that DMARC.org says hackers can still alter the “from” field as we talked about. But here’s the reality… In the end, both have the same targets. Whaling. Here’s an example of a real spear phishing email. In the DNC hack, there were two separate attacks that enabled the hacking group to release confidential data. Our recommendation is to hover over a link before clicking through. An example of a spear phishing email. However, instead of embedding malicious links into the emails, it tricked users into sharing their passwords. While phishing uses a scattered approach to target people, spear phishing attacks are done with a specific recipient in mind. Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. What most people don’t know is the DNC email system was breached through spear phishing emails. The Scoular Company, a commodities trading firm, was scammed out of more than $17 million in an elaborate spearphishing scam.
On a business level, they could pretend to be a CEO of a company you work for and request to immediately transfer funds for a “new project.” Spear-phishing attacks … Many times, government-sponsored hackers and hacktivists are behind these attacks… It didn’t take long for our client to realize they had been scammed. For example, the FBI has warned of spear phishing scams where the emails appeared to be from the National Center for Missing and Exploited Children. Crelan Bank in Belgium lost $75.8 million (approximately €70 million) in a CEO fraud … To get in touch, call us at 704-464-3075, or contact us here. Business email compromise attacks, for example, are also known as whaling, CEO fraud, or wire-transfer fraud. As you learn about this spear phishing example, I’d encourage you to make it a teaching moment for your company and its employees. And there’s no good reason why your company should succumb to a scam that’s easily avoidable. The same Russian hacking group, ‘the Dukes,’ sent out emails from Gmail accounts and possibly a compromised email account from Harvard University’s Faculty of Arts and Science. Before we dive into our client’s spear phishing example, it’s important to understand the mechanics of a spear phishing attack. This phishing attack example involved cybercriminals sending emails to the company’s India executives and the scheduling of fake conference calls to discuss a confidential acquisition in China. The following example illustrates a spear phishing attack’s progression and potential consequences: A spoofed email is sent to an enterprise’s sysadmin from someone claiming to represent www.itservices.com, … By doing this, hackers attempt to appear more trustworthy as a legitimate business entity thus making the target less suspicious. You may see a string of emails designed to lure you into taking action. Spear phishing uses the same methods as the above scams, but it targets a specific individual. 
Any wire transfer your company completes should be based on human confirmation, not an email thread. Nearly six hours after President Trump was announced as the winner of the presidential election, the same group who was responsible for the DNC hack launched another spear phishing campaign. They exploit people who need to get stuff done. The hacker will attempt to use the sensitive information he stole to manipulate your employee into transferring money. And there are several things you can do to prevent a spear phishing attack. But realize that hackers are getting much more targeted. I’m not even immune from the threat. The less-likely option is the hackers could attempt to file your taxes before you, and collect on your tax refund. What our client didn’t notice was this: the domain used as the email address was slightly incorrect. Email phishing. “Spear phishing is a much more customized attack that appears to be from someone you’re familiar with.” And it’s gaining momentum: Spear-phishing attacks increased 620 percent between February 2016 and February 2018, according to AppRiver research. Here’s a rundown of some of those attacks, what’s been happening and the cost to the companies that got attacked. Spear phishing’s success is based in familiarity. These attackers often … Crelan Bank. However, if you look in the backend, you’ll find the actual address. Cybercriminals can spoof emails so well that even professionals can’t tell the difference. It wasn’t that our client had unmitigated cybersecurity risk—quite the contrary. Spear phishing has been around for quite some time, but has been as effective as ever lately. The hacker (or hackers) had the leisure to read the email exchange. It doesn’t matter if your employee received an email with Microsoft branding and logos that said, “Click here to visit your Microsoft Outlook account.” That doesn’t mean Microsoft sent the URL. 