Advanced phishing

How spear phishing attacks catch employees out

by Egress
Published on 21st Dec 2021

Spear phishing attacks are highly targeted attempts to scam victims into handing over personal information or login details, or into unwittingly installing malware. It's a particular problem in a business setting, which offers a sweet spot of multiple high-opportunity targets. Fortunately, tools such as Egress Defend can make the scammers' task dramatically harder.

Spear phishing defined

Standard phishing attacks often play a numbers game, sometimes described as a spray-and-pray attack. The scammers get the bogus emails out to as many people as possible, knowing that even if the likelihood of any individual being fooled is low, the sheer number of targets offers a decent chance of overall success.

"Spear phishing" is a pun but also an apt description. It's all about targeting a small number of potential victims and putting in extra effort to make phishing emails more plausible and convincing, such as personalizing the content or posing as a trusted contact. The goal is not just a much-higher hit rate but a very particular set of victims, often with the ultimate goal of compromising an entire business rather than accessing a random consumer's information.

Preparation is key

One big downside of the information age is that cyber criminals have much more available data to work with. Between business websites, social media and networking tools, it's all too easy to find details about key players in companies, the corporate structure, and ongoing projects. Put in a bit of work, and you can find plenty of detail to make phishing emails to business users seem more authentic.

Imitation is a dangerous form of flattery

Most consumer-targeted phishing involves a false identity, whether it's a "friend" sharing a file or link or a "bank" pushing somebody toward a fake login page. With spear phishing, the easiest way past a victim's psychological defence is to pose as a colleague, manager or client. Not only is the average staff member much more open to responding to such a message, but they may even fear the consequences of delaying doing so. That fear can overcome any scepticism about whether a message is genuine.

Playing the long game

Because spear phishing's "business model" isn't based on a high volume/low effort approach, the scammers can afford to take their time. A surprisingly common approach is to start by exchanging "legitimate" messages that don't pose any security risk.

Instead, the goal is to build trust with the recipient and even get around internal security tools that take into account the history of exchanges with a contact when assessing their threat potential. Depending on the scammer, this tactic could involve:

  • manually writing messages and responding to the victim;
  • using a cut-and-paste approach of boilerplate text to simulate genuine exchanges; or even
  • using AI and machine learning to generate credible responses to the victim's messages.

The ultimate goal

As with most phishing scams, spear phishing can involve trying to get login details from the user. That can be more difficult in a business context, though, as the scammers don't always have as much opportunity to create plausible login pages from an internal system such as a corporate network.

Instead, the scammers will often use malicious links or file attachments to distribute malware, for example, to harvest data, gain access to other parts of a network, or unleash a ransomware attack. The goal, in this case, is to use the fake identity and the "established relationship" to lower the victim's defences and overcome their natural scepticism about opening a link or file.

The Egress Defend solution

Egress Defend is specially designed to prevent email-based attacks such as spear phishing. It uses automated but intelligent techniques to assess every email without delays that could limit workflow. The techniques include a technical breakdown of the message's delivery and content and a linguistic analysis looking for suspicious phrasing.

The system can then warn both IT administrators and message recipients when a message is suspicious. It does this in a meaningful and practical manner, giving clear signals of the level of risk, what fuels the suspicion, and what steps the user should take in response.

How do you detect phishing attacks?

You can detect phishing attacks by checking that emails really come from the expected sender: they might have misspellings in the sender's address, in the body of the email, or both. Be wary of emails that demand urgency, of unknown senders asking you to click on a link or download a file, and of senders whose address is on a public domain.
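The checks listed above can be turned into a simple triage rule for a mail queue. The script below is an added example written for this page, not Egress code or any part of Egress Defend: it flags a sender domain that is a near-miss of a trusted domain (the misspelled-address case), a sender on a public webmail domain, urgency wording, and a request to click a link or open an attachment, then combines them into a coarse risk label. The trusted-domain list, the public-domain list, the phrase lists and the sample messages are all constructed for the example.

```python
"""Heuristic phishing triage based on the sender/urgency/link checks above.

Added example, not Egress's code. Lists and sample messages are constructed.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}                      # assumed company domain(s)
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed webmail providers
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours",
                   "account will be suspended", "right away")
ACTION_PHRASES = ("click the link", "click here", "download the attached",
                  "open the attached", "log in here")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small non-zero value means a look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as 'Jo <jo@x.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(from_header: str, subject: str, body: str) -> dict:
    """Return the triggered signals and a coarse risk label for one message."""
    domain = sender_domain(from_header)
    text = f"{subject}\n{body}".lower()
    signals = []
    if domain and domain not in TRUSTED_DOMAINS:
        # Close to a trusted domain but not equal to it: the classic misspelling.
        for trusted in TRUSTED_DOMAINS:
            if 0 < levenshtein(domain, trusted) <= 2:
                signals.append(f"lookalike-domain:{domain}~{trusted}")
        if domain in PUBLIC_DOMAINS:
            signals.append(f"public-domain-sender:{domain}")
    if any(p in text for p in URGENCY_PHRASES):
        signals.append("urgency-language")
    if any(p in text for p in ACTION_PHRASES):
        signals.append("requests-click-or-download")
    # A look-alike domain is high risk on its own; otherwise two or more signals.
    if any(s.startswith("lookalike-domain") for s in signals) or len(signals) >= 2:
        risk = "high"
    elif signals:
        risk = "medium"
    else:
        risk = "low"
    return {"domain": domain, "signals": signals, "risk": risk}


# Constructed sample messages (not real traffic): one genuine, two suspicious.
SAMPLES = [
    ("Finance <accounts@example-corp.com>", "Q4 invoices",
     "Attached are the approved invoices for review."),
    ("IT Support <helpdesk@examp1e-corp.com>", "Password expiry",
     "Your password expires today. Log in here immediately to keep access."),
    ("Dana <dana.ceo@gmail.com>", "Quick favour",
     "Can you download the attached file and process it right away?"),
]


def triage(samples=SAMPLES) -> list:
    """Assess each (from, subject, body) tuple in order."""
    return [assess(*s) for s in samples]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, triage()):
        print(f"{result['risk']:6} {sample[0]:42} {result['signals']}")
```

The edit-distance threshold of 2 is deliberately tight: wider thresholds start matching unrelated short domains, so in practice the look-alike check is better fed with a curated list of the organisation's own and its suppliers' domains rather than a generic one.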

What are the three steps of a phishing attack?

The three steps of a phishing attack include the following:

  1. Baiting: Threat actors learn which services businesses use.
  2. Hooking: After they know what services the business uses, they craft a message “scaring” them into action.
  3. Catching: Here's where the actual attack occurs, whereby threat actors send the malicious message.

What makes a phishing attack successful?

Threat actors create malicious messages to look as authentic as possible using designs, images, language, and email addresses. That way, they look legitimate if employees don’t conduct a thorough inspection. These attacks are often successful if victims lack security software or don’t have adequate security training.