What is spear phishing?

What is spear phishing?

For many people, hearing the phrase ‘spear phishing’ conjures up images of intrepid divers hunting for their dinner in azure seas. However, much like ‘trojan horse’ the term has come to meet something quite different.

According to research, 50% of businesses were victims of spear phishing in 2022, with the typical organisation receiving 5 attacks daily. So the threat is real. But how does a spear phishing attack work? How does it differ from a phishing attack? Most critically, what can your business do to protect itself?

How a spear phishing attack works

Spear phishing is a form of phishing attack. However, unlike the ‘spray and pray’ approach of a conventional attack, spear phishing targets specific individuals, usually within a single organisation. The ‘spear’ in its name reflects this specific targeting.

A spear-phishing attack typically aims to gain privileged access. This is used to steal sensitive data or infect the target (and often their wider network) with malware.

Unlike your common-or-garden phishing attack, spear phishers assiduously research their targets. They do this so that the eventual attack appears to come from a trusted source, such as a boss or client. Spear phishing also uses social engineering techniques to dupe the victim into clicking on a link or granting access. 

Let’s delve a little deeper into how it works.

Trying to protect your business on a budget? Start by reading our guide.

Anatomy of a spear phishing attack

We’ve established what a spear phishing attack is, but how do they work? Typically, a spear phishing attack has five stages. These are:

1. Goal setting 

The first stage is a simple one. After deciding to turn to crime, the bad guys start by plotting out what they want to achieve with the attack. It could be stealing ransomable data, causing disruption or myriad other goals.

2. Picking the target(s)

This stage usually involves a round of preliminary research. Which organisation should they target? Who works at the business they want to target? Are they likely to have access to the data or systems they want to access? Who are the senior leaders within the target organisation? How can they be reached?

These are the questions a cybercriminal will seek to answer as they lay the groundwork. Once they have, it’s time to go a level deeper.

3. Building a profile of the victim(s)

By now, the cybercriminals should have a solid idea of which organisation they want to attack and who within it makes the best targets. Next, it’s a case of getting to know their victims. 

Spear phishers scour social media profiles and platforms like LinkedIn to discover contact details, the victim’s network of family and friends, business contacts, where they shop or bank, and even places they frequent. This information allows cybercriminals to build a rich profile of who the target is, allowing them to tailor the scam specifically to the victim.

4. Initiate contact and use social engineering techniques

Now the scheme has been devised, the cybercriminals launch their attack. Spear phishing emails usually use social engineering techniques such as creating a sense of urgency, trust or authority. The key to a good spear phishing scam is that it appears legitimate because the ‘sender’ is an individual or company the victim regularly engages with and contains at least some, authentic information.

The most expensive spear phishing attacks of all time

1. Google and Facebook 

This is perhaps the most famous phishing scam of all time. Between 2013 and 2015, Google and Facebook fell prey to a £77m Spear phishing campaign. Essentially, a Lithuanian cybercriminal named Evaldas Rimasauskas posed as an Asian supplier of both companies, sending fake invoices to key leadership figures within the tech firms. 

Rimasauskas was eventually caught but not before he’d managed to defraud two of the largest companies in the world out of an eye-watering sum. 

2. Ubiquiti Networks 

In 2015, networking giant Ubiquiti was hit with a £36.7m spear phishing campaign. According to the company’s statement on the breach, it resulted from “employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.” In other words, the company fell victim to a classic spear phishing attack. 

3. Colonial Pipeline 

Of all the incidents on this list, the Colonial Pipeline attack in 2021 is the most sinister. It remains the largest publicly disclosed attack on US infrastructure to date. The breach was so serious that the US government considered it a national security threat. 

The attack had several stages. First, the hacker group DarkSide discovered a vulnerability exposed in a previous breach. A Colonial Pipeline employee had likely used the same VPN password in another location, exposing the company’s network.

Next, the hackers used this password to access the Colonial Pipeline, stealing over 100 gigabytes of data in just two hours. Following this, DarkSide injected the network with ransomware that infected several systems, including billing and accounting.

We don’t have a definitive figure for how much the breach cost Colonial Pipeline. We know the company paid DarkSide £3.47m for the decryption key for the ransomed data. However, the real losses could have been astronomical. Colonial Pipeline supplies oil to the entire US East Coast and the attack shut down its operations for a week. This meant the non-delivery of approximately 20 billion gallons of oil, worth around £2.7 billion at the time.

Spear phishing affects small businesses too 

Although all of the examples above feature globe-bestriding businesses, this doesn’t mean there’s no threat to small businesses. Unfortunately, nothing could be further from the truth.
According to research, on average the employee of a small business will experience 350% more phishing and social engineering attacks than a staff member at a larger enterprise. 

Why? Well, while cybercriminals are undoubtedly motivated by the prestige and financial rewards that come with the scalp of a global enterprise, small businesses represent an easy target.

SMEs typically have weaker defences and less developed cybersecurity practices than their corporate counterparts, for one. However, that’s not the only reason. SMEs’ employees can often be turned more easily to a cybercriminal’s malicious ends, whether through actively colluding with criminals or negligence.

Indeed, CyberSmart’s research revealed that 22% of SME leaders believe employees are more likely to make mistakes – such as clicking on a phishing link – since the cost of living crisis began. Meanwhile, 20% believe employees will steal sensitive or proprietary data from the company to sell for profit or a competitive advantage.

How to protect your business 

There’s no denying that small businesses are vulnerable to spear phishing attacks. Nevertheless, becoming a victim of this kind of breach isn’t inevitable. There are plenty of things you can do to ensure your business is protected.

1. Use a VPN 

A virtual private network (VPN) is essential for remote working. If your business employs anyone who accesses company systems through a network that isn’t your own, even if only occasionally, you need one. Unsecured networks pose a huge threat to your business which a VPN can easily counter. 

Rather than using the public network, a VPN routes your traffic through specialised servers and encrypts your data. This makes it virtually impossible for cybercriminals to break in through a public network (unless they have the password or encryption key as we saw in the Colonial Pipeline case).

2. Staff training 

As mentioned earlier, Spear Phishing relies on social engineering techniques, using our human nature against us. This is tricky to counter, but not impossible. Cybersecurity awareness training can help your people recognise when they’re being targeted and give them the skills they need to avoid it.

3. Patch all software

Patching is very important to cybersecurity and the good news is that it’s simple. All you need to do is update all software with the patches providers release. This will stop cybercriminals from exploiting any vulnerabilities in providers’ software to access your business.

4. Deploy MFA

Like VPNs multi-factor authentication (MFA) adds an extra layer of security for your business, making it much harder for hackers to gain access. You likely already use MFA in some aspect of your online life, it’s now a requirement for most banking accounts. But if you haven’t already, switch it on for any system or application your business uses.

5. Protect your network 

Your network is the gateway to your business. It’s what spear phishers are ultimately trying to gain access to when they attack you. Through it, a hacker can access just about anything your organisation does. So protect it, and protect it well. The four most simple things you can do to strengthen your network immediately are:

  • Install a network firewall to filter network traffic
  • Use a VPN to encrypt network traffic
  • Segment your network to eliminate single points of failure
  • Regularly update your router’s firmware

6. Always use back-ups 

If the worst does happen and a spear phishing attack succeeds in stealing information, data backups can mitigate the worst effects. Not only will it enable you to minimise disruption by getting systems back up and running quickly, but it’ll also weaken cybercriminals’ bargaining power if there’s a ransom to be paid.

7. Limit user access

Be careful to limit who has access to what within your business. Users should only have admin rights within a system or application if it’s critical for their role. The reason for this is simple; if a cybercriminal compromises a user account through a spear phishing campaign, the fewer permissions that account has the less damage a hacker can do.

8. Tie it all together 

If the list above appears extensive, don’t fear, there are methods which allow you to tie it all together. The first is to complete a cybersecurity accreditation like Cyber Essentials or ISO27001 certification. These certifications can help you put in place good cybersecurity practices (including all of the above) and build your cyber confidence.

However, you also need something that keeps your cybersecurity baseline consistently high, year-round. This is where everyday cyber protection tools like CyberSmart Active Protect can help.

Finally, none of this has to cost the earth. For more on how to protect your business on a budget, check out our guide.

Cost of living CTA 2

The top cybersecurity trends of 2020: how did we do?

Cybersecurity trends of 2020

The leaves have well and truly fallen, it’s bitterly cold, and Christmas is just around the corner. This can mean only one thing. It’s that very special time of year when every business releases a ‘things to look out for’ or ‘top ten trends’ post for the year ahead – cue jokes about identikit blog posts.

So, we thought we would do something a little different this year. Rather than repeat last year’s guide to cybersecurity trends for SMEs, we thought we’d look back at how we did. Where were we right on the money? And what are we eating a hefty portion of festive humble pie over?

Of course, the elephant in the room is the COVID-19 pandemic, an event virtually no one predicted. And its effects will keep cropping up throughout this blog. 

1. Increased use of AI to launch and defend against attacks

First up, AI. Back in January, we discussed the likelihood of cybercriminals increasing their use of automated attacks in 2020. We cited cybersecurity and AI expert, Justin Fier of Darktrace who predicted “AI won’t just make attacks faster or smarter. We likely can’t even fathom the way that AI will transform attacks or be leveraged by malicious actors. What we do know is that with AI attacks on the horizon, AI defences will be critical as well.”

How we did

We’d like to think we were pretty spot on with this one. AI attacks continue to plague the nightmares of security professionals. A September 2020 study from Forrester found that 88% of security professionals expect AI-driven attacks will soon become mainstream.

88% of security professionals expect AI-driven attacks will soon become mainstream. 

What’s more, there were several high-profile attacks using AI in 2020. The spear-phishing (more on that later) attack on COVID-19 vaccine supply chains is thought to have been carried out using an AI. Meanwhile, both the Vancouver Metro system and the Argentine government suffered highly coordinated ransomware attacks, thought to be backed by an AI. 

While you don’t have to be Nostrodamus to predict that as AI technology becomes more widely available attacks will increase, it’s clear that it has become a rapidly growing threat. So much so that Europol issued a warning earlier this year that cybercriminals now have both the expertise and tools to use AI regularly. 

It’s in this environment that we’re continuing our research into using AI and machine learning for cybersecurity defences.

2. Spear phishing: phishing attacks get personal

Spear phishing is the practice of sending out highly targeted, personalised emails to company employees and executives in a specific business, rather than a generic attack sent to thousands of random email addresses. Once clicked, these emails infect the user’s computer or device with malware. 

We predicted this type of attack would become more common in 2020, as cybercriminals learned to target time-poor executives and undertrained employees. 

How we did 

While our instinct was good, we couldn’t have predicted just how prevalent spear-phishing attacks would become in 2020. There were many high profile attacks, including Twitter, but most alarming was, of course, the attack on COVID-19 vaccine supply chains we mentioned earlier. 

And there were plenty more breaches that didn’t make the front pages. According to a report from the Anti Phishing Working Group, the average loss to organisations from business email compromise (or spear-phishing) attacks in the second quarter of 2020 was $80,183 (£59,353). Even more alarmingly, that figure represents a $54,000 (£39,972) on the first quarter of this year, almost perfectly mirroring the global switch to remote working due to the pandemic.

The average loss to organisations from spear-phishing attacks in the second quarter of 2020 was $80,183 (£59,353)

You can find out more about how to switch to remote working safely in our latest ebook.

3. Organisations are adopting more data encryption

At the beginning of 2020, we were confident this year would be encryption’s time to shine at last. We hoped that the tool would finally gain widespread adoption, helping businesses to shut down most cyberattacks before they start. And we based this prediction on the 2019 Global Encryption Trends Study which revealed its use grew from 41% to 47% of organisations last year. 

How we did 

Sadly, our hopes of encryption taking the business world by storm in 2020 proved unfounded. It’s not all bad. Adoption has increased: Entrust’s 2020 Global Encryption Trends Study lists 48% of businesses as having encryption strategy ‘applied consistently across their enterprise’.

However, a 1% increase to 48% isn’t widespread adoption, nor is it nearly enough. Encryption is the simplest step a business can take towards protection from cyber threats.  Improving the cyber health of our society depends on its adoption everywhere. Here’s hoping 2021 will be better.

Start 2021 right. Protect your business from 98.5% of security threats by getting Cyber Essentials certified.

4. Robotic Process Automation (RPA)

Of all the things on this list, Robotic Process Automation (RPA) is the one most likely to spark the imagination. So, was 2020 the year that businesses started automating in earnest and transferring tasks to our new robot masters?

How we did 

In short, no. RPA did continue to grow in popularity, with its market revenues projected to have surpassed $2.9 billion worldwide this year. And it will probably continue to do so – Grand View Research predicts a 40.6% annual growth rate in adoption between now and 2027.

However, the firms using RPA tend to be at that enterprise end of the scale. RPA is expensive and we’re a long way from it being affordable for smaller businesses. So, for the time being at least, the robots aren’t coming to an SME near you. 

5. The next wave of GDPR fines is on its way 

2019 was the year that regulators began to really flex their muscles on GDPR, doling out fines to some of the World’s largest corporations. So, naturally, we expected 2020 to deliver more of the same. 

How we did 

If anything, we underestimated this one. 2020 has been a bonanza of GDPR fines. First, Google was fined £44 million by French regulator CNIL for its breach of GDPR rules – by far the biggest fine we’ve seen yet. Then retailer H&M was hit with a £31.5 million fine by German regulators.

These were just the two highest-profile cases. Over 220 fines were handed out for GDPR violations in the first ten months of 2020, totalling more than £158 million. On top of this, July 2020 saw the highest number of fines issued in a single month since the GDPR was introduced.

July 2020 saw the highest number of fines issued in a single month since the GDPR was introduced.

So it’s clear that 2020 has been the year that regulators across Europe rolled up their sleeves and got tough on GDPR. Despite this, only 20% of US, UK, and EU companies are fully GDPR compliant. And, with all the uncertainty surrounding GDPR and Brexit, we expect 2021 to continue in the same vein.  

6. Greater threats to cloud security 

The cloud is relatively old news by now, with most businesses moving away from using physical servers sometime in the last decade. However, knowledge of how to properly secure data in a cloud has lagged far behind adoption for a while now. So we predicted 2020 would be the year that hackers began to exploit the cloud’s vulnerabilities. 

How we did 

Although cloud data breaches have been a feature of the technology since its inception, 2020 will go down as the year that businesses became much more conscious of the risks. A report from Ermetic, published in July 2020, revealed that 80% of firms surveyed have suffered some form of cloud data breach in the previous 18 months. 

This is reflected in the number of high profile breaches we’ve seen this year, with Mariott, MGM and video conferencing software Zoom all suffering data hacks.

7. 5G and IoT devices on the rise

Everyone in the tech sector has been predicting the rise of 5G and IoT devices for a long time now. Were you to delve deep into your internet history, we’re confident you’d find it on many end-of-year predictions lists as far back as 2016. With that in mind, was this the year that 5G finally arrived on the scene?

How we did 

Let’s tackle 5G first. Unlike previous years, 2020 really did see the rollout of 5G, at least partly. Despite the controversy and political power struggles caused by the UK deciding to ban Chinese firm Huawei, 5G networks are now available in some locations across the UK. We’re still a long way from a nationwide rollout and the technology comes with problems to be ironed out, but the first shoots of a 5G-backed nation are there and growing. 

As for IoT devices, they continued their inevitable march to ubiquity. Experts estimate that the number of active IoT devices installed in 2020 reached 31 billion. This represents an 8 billion rise from 2019 and many are predicting a similar increase in 2021.

8. The cybersecurity skills gap

The Department for Digital Culture, Media and Sport (DCMS) defines the cybersecurity skills gap as businesses ‘lacking staff with the technical, incident response and governance skills needed to manage their cybersecurity.’ And it’s been a growing problem in the UK and across much of the world ever since businesses began to move their operations online.

We thought that it would become one of the defining trends of 2020. Were we right? 

How we did 

The cybersecurity gap is hard to assess in a period as limited as one year. The situation certainly didn’t improve much in 2020 but it’s hard to say whether it got any worse. The UK government did at least try to promote jobs in the sector, even if the execution was crass and very poorly judged.

However, real change in this area is likely to take years, if not decades. So for the meantime, small businesses are best served by trying to find ways around the talent shortage. For more on that, check out our October blog on the subject.

10. Employee training for threat awareness

Last on our list, threat awareness training for employees. One of the biggest trends sweeping cybersecurity in the last few years has been a growing realisation that employees have an active role to play in keeping their workplaces safe. Let’s consider how that developed in 2020. 

How we did

Like a lot of things on this list, employee awareness has been heavily influenced by the COVID-19 pandemic. As many businesses were forced to work remotely, with employees using their own networks and devices to access company data, good cyber hygiene has become more important than ever. As a result, we’ve seen more and more businesses taking staff training seriously.

Meanwhile, we’ve been busy doing what we can to help. We’re all set to release a brand new set of interactive cybersecurity training modules, downloadable through the CyberSmart platform. It’s our hope this will help make 2021 a little more cyber secure than 2020.

All in all, we’re happy with our predictions for 2020. There was a lot we couldn’t have foreseen and some of the trends we predicted didn’t take off quite as expected. But, on the whole, 2020 saw some big steps towards increased cyber awareness and hygiene in the UK. Stay tuned for more of the same in 2021. 

Looking to improve your cybersecurity but not sure where to begin? Start 2021 the right way, by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

CTA button