Unraveling The Many Facets Of Phishing Attacks For Robust Spear Phishing Protection
Detailed examples of spear phishing attacks and suggested ways to prevent spear phishing threats.
E-mail phishing attacks usually impersonate organizations with a vast user base and send e-mail notifications to customers that appear to come from the enterprise itself. These notifications create a sense of urgency and prompt a quick call-to-action from the victim. Using this social engineering technique, the attackers make the prospective victims click on links included in the e-mail. These links lead users to a spoofed or fraudulent website that extracts sensitive details from the victims.
Cybercriminals use the same modus operandi in a spear-phishing attack. However, the e-mails do not come from big companies in this case. They appear to be from a person known to the victim, most often a superior in the same organization, who presents a situation requiring the victim’s immediate attention. Spear phishing protection becomes difficult for an ordinary person, as such e-mails hardly ever arouse any suspicion. And when a mail is from a superior, the receiver seldom cross-checks and verifies the details in the e-mail.
How Common Is Spear Phishing?
For robust spear phishing protection, it is essential to accurately evaluate the strengths and achievements of the adversary before working on improving one’s security. Hence, we present the following statistics to highlight the prevalence of spear phishing and the extent to which these attacks affect people.
The Symantec Internet Security Threat Report 2018 pointed out that 71.4% of all targeted attacks involved the use of spear-phishing e-mails, marking an 80% increase in malware attacks on Macs.
The Phishing and the Verizon Data Breach Investigation Report states that 28% of phishing attacks are targeted spear-phishing attempts. It also reported that 90% of incidents and breaches included a phishing element and 93% of all social attacks were in some way related to phishing.
As per the 2019 Data Breach Investigations Report of Verizon, 32% of the data breaches in 2018 involved some phishing activity, and phishing was present in 78% of Cyber-Espionage incidents and the installation and use of backdoors.
In yet another report by Avanan, 1 out of every 99 e-mails is a phishing attack. This means that, in a week of five working days, 4.8 e-mails per employee are phishing e-mails.
The Most Recent Spear Phishing Attack That Crippled A Canadian Bank
Given these alarming figures, it is not surprising that spear-phishing attacks are rampant in today’s cyber world. This example of an attack on a Canadian bank, which brought down all its systems and stopped work, is petrifying. It highlights the implications of falling prey to a spear-phishing attack.
- The incident happened in a mid-sized East Coast bank which received a request for 1,000 bitcoins.
- The hackers threatened the bank that if the requested amount wasn’t paid, the bank would suffer the consequences of its systems going down.
- Unfortunately, the bank authorities decided to ignore this threat.
- Consequently, millions of e-mails were sent by the attackers to the local consumers and businesses impersonating the bank.
- It not only produced a negative impact on the bank’s brand but also prompted the bank’s ISP to shut down the e-mail service of the bank.
- The attack almost crippled the bank, making them incapable of fostering any communication whatsoever.
A Look at Other Real-Life Spear Phishing Examples
Spear phishing protection is still an uphill task for organizations because these attacks are hard to trace. However, observation teaches a lot more than mere bookish knowledge. Here is a list of a few spear phishing examples to give readers an idea of the rising threat of spear-phishing attacks.
The Attack On Alcoa
In an attack which took place a decade ago, the Chinese Military forces sent out spear-phishing e-mails to the employees of the American aluminum supplier Alcoa. The attackers impersonated a board member and sent out e-mails to several employees. Once opened, the e-mails automatically installed malware onto the computers of the employees. The repercussion of this attack was a severe and inevitable loss of about 3,000 e-mails and over 800 attachments.
The Amazon Attack
Usually, we hear of phishing attacks using the brand name of big organizations like Amazon or PayPal. There was a spear-phishing attack targeting Amazon customers which took place in 2015. The attack specifically targeted those Amazon customers who had recently placed an order with the shopping website. Thus the e-mail was framed in such a way that it aroused little or no suspicion in the minds of the victims. Opening the e-mail was enough to install the ransomware that the attackers were propagating.
The RSA Attack
Yet another spear-phishing attack that jolted the cybersecurity world was the attack on the security firm RSA in the year 2011. This attack targeted two groups within the company and sent spear-phishing e-mails with the subject: “2011 Recruitment Plan.” While the e-mail was automatically marked as spam, one employee still managed to open it. And that was all that the adversaries wanted! Opening the e-mail installed a form of malware onto the computer, giving the attacker complete access and the ability to steal sensitive data.
The Attack On Electronic Frontier Foundation
The attackers targeted the subscribers of the Electronic Frontier Foundation (EFF) in a spear-phishing attack back in 2015. They redirected the victims to a fraudulent website, Electronicfrontierfoundation.org, which, when opened, distributed keyloggers and other malware. However, the EFF took charge of the domain and controlled things after discovering the scam.
How To Prevent Spear Phishing Attacks?
Now that we know the enormous impact of spear phishing attacks on the functioning of a system and organization, it is prudent to take measures to ensure spear phishing protection. But how can spear phishing attacks be prevented? Let us look at the various steps to avoid spear phishing attacks:
Having a strong password is the key to preventing attackers from gaining access to our private accounts or files. However, merely having an indecipherable and robust password isn’t enough. We must be responsible enough to change our password from time to time so that the vicious attackers do not find any leeway.
As responsible and alert users of the web, we must make it a point to update the software on our devices regularly. The software update installs all patches for the existing security loopholes and offers better protection against spear-phishing threats.
Privacy On Social Media
Often, spear-phishing attacks derive information about our private lives from our social media handles, where we mention our preferences, occupation, relatives, colleagues, etc. This information is akin to gold for hackers. Hence, it is prudent to limit the amount of information we put on social media.
Avoid E-mail Attachments
We must resist the urge to open the attachments that come with e-mails. Even if an e-mail might not seem suspicious initially, it might contain elements that can stop the functioning of the system.
Analysis Of E-mails
Not all e-mail subjects that beg for immediate attention deserve immediate attention. Skim through, reason with yourself and only when convinced that a mail from such a source was on the cards should you open an e-mail. These days not all e-mails are dependent on attachments and URLs to install malware. Some of them function by a mere click! So, always be vigilant.
From the above discussion, we can conclude that the incidents of spear-phishing attacks are rising by the day. Awareness about the issue is crucial for spear phishing protection. All employees must be regularly trained and told to be cautious and vigilant. These attacks can defraud individuals and businesses out of millions of dollars.