(Credit:Zain bin Awais/PCMag composite)
What’s the shadiest email you received this week? I’ve already had two likely phishing attempts land in my work inbox, and I’m pretty sure neither one is a training exercise from our IT department. I’m not alone, as dodging constant, targeted, so-called “spear phishing” attempts is now a hallmark of the modern, white-collar workplace. It’s not just a problem at work, either. Targeted phishing attacks can also reach your personal inbox.
The best way to fight back against spear phishing is to know what you’re up against. Let’s first examine how a spear phishing attack works, and then consider some steps to secure your accounts against these tactics.
What Is Spear Phishing?
Spear phishing refers to emails (or other commonly used forms of communication) aimed at one person or a specific group of people, containing links to fake websites, malware, or other phishing materials. Criminals do this to get access to a company’s systems or an individual’s account in order to commit fraud or other financial crimes.
You don’t need to be a corporate executive to become a spear phishing target, and you don’t need to be a high-profile personality to grab attention, either. These types of scammers target individuals from all walks of life, as everyone has secrets to conceal or money to steal. Spear phishing can happen to anyone who is capable of clicking on a link or opening an attachment.
In the past, criminals spent a lot of time finding viable targets. They’d expend just as much effort to gain a person’s trust using personalized messages, phone calls, or texts. Now, generative AI tools make it incredibly easy to create custom, targeted messages and send them to every person within a company, or to members of a church, or to specific individuals, such as activists, journalists, or politicians.
AI chatbots can even create phishing websites that appear to be legitimate corporate pages, banking platforms, or gaming or shopping sites. However, when you enter sensitive data, such as a password, credit card number, or bank account number, that information doesn't go to a legitimate business. Instead, it goes straight to a criminal. The scary part? They may not use your information right away, which can make it hard to know if you’ve been phished.
How Does Spear Phishing Work?
In the seminal work of combat philosophy, The Art of War, author Sun Tzu writes, “Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.”
That’s a spear phishing scam in a nutshell. The scammer wants you to interact with their email or other correspondence like you would with any other message: quickly and without questioning. They wait for the right time and catch you off guard, leading you to click on a phishing link.
These scammers may be trying to get your browser’s session cookies. They can then use the breached login credentials, along with the stolen tokens, to bypass any multi-factor authentication (MFA) measures.
To further illustrate the spear phishing scam process, I put together the following “to-do list” for wannabe attackers. I’ll also provide some suggestions for addressing these steps at the end of this article.
Step 1: Identify Your Spear Phishing Target
Criminals target individuals who are known to use weak credentials or may have demonstrated lax cybersecurity habits on other platforms, such as social media apps and shopping websites. Scammers know who uses weak credentials because their passwords and other sensitive data are on the dark web. It got there, in part, because companies have been losing our login information to hackers for years via data breaches. Eventually, that information ends up on the dark web as part of a data breach report. AI makes quick work of creating dossiers for potential targets that include previously used passwords and other credentials.
Step 2: Operation: Contact and Convince
Here’s where the social engineering part of the scam comes in. AI tools can efficiently gather and organize the information described above. That data becomes fodder for customized emails, phone calls, or text messages designed to convince the target to click on a malicious link.
Criminals are also using social media sites to find targets. For example, fake, AI-generated profiles on LinkedIn sending out links to malware or phishing sites have been a problem for a few years. Attackers can also use breached account credentials to take over abandoned or little-used LinkedIn profiles to contact employees via LinkedIn DMs and deliver malicious links.
The links direct victims to fake websites created by the criminal, often with the assistance of AI or a pre-made phishing kit. That’s right, being a hacker doesn’t require killer coding skills or connections to the criminal underworld. Instead, you can just buy a $40 phishing kit on the open web from a phishing-as-a-service (PhaaS) vendor, which contains all of the tools needed to steal an employee’s session cookies, then bypass MFA.
Step 3: Wait and See
Once inside the account, the criminal spies on the person or organization’s activities while collecting blackmail material or installing malware for leverage in a ransom situation, but that’s not where the story ends.
Some hackers uncover data in breached accounts that helps them find even juicier targets. For example, a scammer who gets into your email or social accounts may be able to access your friends and family members’ contact information, along with personal messages they’ve sent to you. The criminal can use those secrets to damage your loved ones’ reputations or demand money from them, all while impersonating you.
At work, the fallout from phishing-related security breaches can persist for an extended period, especially if employees continue to use compromised credentials. That’s because, as a report from Heimdal Security states, some enterprising criminals create phishing kits that automatically send a copy of companies’ stolen data to the PhaaS creator. The phishing kit author may sell that data to other interested parties or use it for future criminal plans.
Those plans may include a ransomware attack. According to researchers at SpyCloud, an identity protection solutions company, 35% of businesses affected by a ransomware attack cited phishing as a cause. SpyCloud’s chief product officer, Damon Fleury, said that many corporate cybersecurity threats aren't external. Instead, the threats “often come from within, whether through malicious intent or compromised insiders." Fleury also said that employees who are unaware they've been phished pose a significant threat to corporations, as do contractors who use exposed credentials.
How to Protect Against Spear Phishing Attacks
To briefly return to The Art of War, Sun Tzu’s words offer a way to secure yourself from any kind of cybercrime: “Rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him.”
Use a Password Manager
Breached or otherwise compromised login credentials are an easy “in” for criminals. If you’re using guessable passwords or if you use the same password for every online account, say “Hi!” to the hackers. If they haven’t already come for your accounts, they will, eventually.
A password manager is the best solution to combat the fallout from spear phishing attacks, as it can generate long, unique passwords with a single click and then fill them in for you. Plus, password managers won’t autofill your credentials on pages that don’t match the site your password is tied to, so phishing sites don’t get your credentials. The best will even warn you that you’re on a phishing site, so you don’t try to log in manually. You don’t have to remember anything or really do anything beyond downloading the app or browser extension. It’s a very easy way to secure all your accounts, and I’ve reviewed the best apps available.
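The domain check described above is the reason a password manager is a phishing defense and not just a convenience. Here is that check written out as an added example; it is not code from NordPass, Proton Pass, or any real extension, and it simplifies what they do (real managers match on the registrable domain using the public suffix list, and handle ports and schemes). Everything in it, including the vault contents, is constructed for illustration.

```javascript
// Added example: the origin check a password manager performs before autofilling.
// Simplified: a stored site matches only its exact hostname or a subdomain of it,
// and only over https. Real managers also match sibling hosts of the same
// registrable domain via the public suffix list; that is omitted here.

// Constructed vault. Passwords are deliberately left out of the sample.
const VAULT = [
  { site: "https://accounts.example-bank.com", username: "alice" },
  { site: "https://mail.example.com", username: "alice@example.com" },
];

// True if pageHost is the stored host or a subdomain of it.
// "accounts.example-bank.com.evil.net" does NOT end with ".accounts.example-bank.com",
// so the classic lookalike-suffix trick fails this test.
function hostMatches(pageHost, storedHost) {
  return pageHost === storedHost || pageHost.endsWith("." + storedHost);
}

// Returns the vault entries that may be filled on pageUrl, or [] if none.
// An unparsable URL or a plain-http page gets nothing.
function credentialsFor(pageUrl) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return [];
  }
  if (page.protocol !== "https:") return [];
  return VAULT.filter((entry) =>
    hostMatches(page.hostname.toLowerCase(), new URL(entry.site).hostname)
  );
}

// Stand-alone demonstration over a few constructed page URLs.
for (const url of [
  "https://accounts.example-bank.com/login",
  "https://accounts.example-bank.com.account-verify.net/login", // lookalike
  "https://examp1e-bank.com/login", // typo-squat
  "http://accounts.example-bank.com/login", // wrong scheme
]) {
  console.log(url, "->", credentialsFor(url).map((e) => e.username));
}
```

The point the article makes is visible in the output: only the first URL gets a username offered. The lookalike and typo-squat hosts get nothing, which is exactly why a manager that refuses to fill is a stronger signal than a human eye scanning the address bar.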
My top recommendation is Editors’ Choice winner NordPass, because it is affordable and easy to use, with apps designed to work on every device you own. NordPass also offers reasonably priced plans for corporate accounts, and each employee receives a free personal account as well. Proton Pass is another Editors’ Choice winner, and that’s because it’s a totally free password manager with a host of helpful features, like email-masking, password hygiene tools, and data breach monitoring.
Practice Good Internet Hygiene
It’s always best to be prepared for an online attack rather than responding to one after it happens. Every person with an email address is a potential target for cybercrime, making awareness through education essential.
The easiest way to check whether a link is a phishing trap is to hover your mouse over it in the email and confirm that the destination URL is legitimate. Additionally, consider following up urgent-sounding emails or text messages with a phone call or in-person confirmation to verify that the request is genuine. If you receive an email from a service you actually use but are unsure whether it’s valid, open a new tab and visit the site directly; don’t click the link at all. Better yet, call customer service, let them know you got the email, and ask if any action is required from you. These actions could stop an in-progress spear phishing scam.
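The hover check above comes down to two questions: does the link go where its text says it goes, and is the destination a host that the claimed sender actually uses? As an added example that is not part of the article, here is that check as code over a constructed set of links (visible text plus real destination, which is what hovering reveals). The trusted-host list and every URL are made up for illustration.

```javascript
// Added example: the manual hover-over check, written as a function.
// Input is constructed: for each link, the text the reader sees and the href
// it actually points to. Two checks per link:
//   1. if the visible text shows a domain, the href host must be it or under it;
//   2. the href host must be a known host for the service the message claims.

function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null; // an href that is not a valid URL is itself a red flag
  }
}

// Extract a domain-looking token from display text, e.g. "example-bank.com/login".
function domainInText(text) {
  const m = text.match(/\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b/i);
  return m ? m[1].toLowerCase() : null;
}

function isTrusted(host, trustedHosts) {
  return trustedHosts.some((t) => host === t || host.endsWith("." + t));
}

// Returns one {href, reason} per link that fails a check.
function suspiciousLinks(links, trustedHosts) {
  const findings = [];
  for (const { text, href } of links) {
    const host = hostOf(href);
    if (host === null) {
      findings.push({ href, reason: "destination is not a valid URL" });
      continue;
    }
    const shown = domainInText(text);
    if (shown && shown !== host && !host.endsWith("." + shown)) {
      findings.push({ href, reason: `text shows ${shown} but link goes to ${host}` });
      continue;
    }
    if (!isTrusted(host, trustedHosts)) {
      findings.push({ href, reason: `${host} is not a known host for this service` });
    }
  }
  return findings;
}

// Constructed sample: links from a message claiming to come from example-bank.com.
const SAMPLE_LINKS = [
  { text: "https://example-bank.com/login",
    href: "https://example-bank.com.account-verify.net/login" }, // text/host mismatch
  { text: "Review your statement", href: "https://examp1e-bank.com/statement" }, // typo-squat
  { text: "Contact us", href: "https://www.example-bank.com/contact" }, // genuine
];
const TRUSTED_HOSTS = ["example-bank.com"];

for (const f of suspiciousLinks(SAMPLE_LINKS, TRUSTED_HOSTS)) {
  console.log("FLAG", f.href, "-", f.reason);
}
```

Only the third link passes. The first fails because the displayed URL and the real host disagree, which is the mismatch a hover exposes; the second fails because the host is not one the bank uses, which is the case where the article's advice to go to the site in a fresh tab, rather than through the link, matters most.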