05/16/2022 | News release | Distributed by Public on 05/16/2022 08:20
At this point, most organizations, and even everyday users, are familiar with phishing. Many have received those email messages claiming to bear a prize or warning of an imminent account lockdown, then asking them to click on a link or download a file. The standard phishing scam usually involves spamming email boxes by the thousands to get users to send money, reveal personal information, or unwittingly download malware onto their company's network.
Spear phishing, also known as business email compromise (BEC), is a more specialized attack that uses personal information gleaned from online sources such as social media and from caches of stolen identities sold on the Dark Web. What sets spear phishing apart from standard phishing is the use of emails that impersonate a colleague or client, sometimes including a familiar-looking address or website.
"Whaling," also known as CEO or CFO fraud, is an even more specialized kind of spear phishing using emails that claim to come from top company officers or other "big fish." These might ask for sensitive data or request payment of a fake invoice or a wire transfer to an account controlled by cybercriminals.
While most phishing casts a wide net that relies on volume emails, hoping for a few unlucky takers, spear phishing, as the name implies, is a more targeted crime. Phishing emails can often be spotted easily by checking the sender's email address; a string of random letters and numbers is a dead giveaway.
Not so with spear phishing, which makes sophisticated use of social engineering for BEC. These attacks rely on spoofing real email addresses or taking over unused email accounts of legitimate users - including accounts of former employees that were never deactivated - to impersonate clients, colleagues, or vendors.
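As an added illustration of the two paragraphs above (example code, not Mimecast's), a small Python triage check that flags the random-looking sender addresses typical of volume phishing and, separately, flags organization accounts that are offboarded or dormant, the kind of account spear phishers take over. The organization domain, the offboarded list and the last-login dates are constructed sample data; note that a spoofed external address produces no signal at all, which is exactly the gap the page describes.

```python
import math
from collections import Counter
from datetime import date

# Constructed sample directory data (hypothetical, for illustration only).
ORG_DOMAIN = "example.com"
OFFBOARDED = {"jdoe@example.com"}          # former employees still holding a mailbox
LAST_LOGIN = {"cfo@example.com": date(2022, 5, 14)}
DORMANT_AFTER_DAYS = 90

def local_part_entropy(local):
    """Shannon entropy in bits per character of the mailbox name."""
    counts = Counter(local)
    n = len(local)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(local):
    # Long, high-entropy, digit-heavy local parts such as 'x7q2k9fz14' are the
    # 'string of random letters and numbers' that gives volume phishing away.
    digits = sum(ch.isdigit() for ch in local)
    return len(local) >= 8 and local_part_entropy(local) > 3.0 and digits >= 3

def classify_sender(addr, today):
    """Return a triage label for a sender address; 'no-address-signal' means
    the address alone tells us nothing, as with spoofed or hijacked accounts."""
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    if looks_random(local):
        return "volume-phishing-suspect"
    if domain == ORG_DOMAIN:
        if addr in OFFBOARDED:
            return "offboarded-account"
        last = LAST_LOGIN.get(addr)
        if last is None or (today - last).days > DORMANT_AFTER_DAYS:
            return "dormant-account"
    return "no-address-signal"

if __name__ == "__main__":
    for sender in ("x7q2k9fz14@mail-prizes.example", "jdoe@example.com",
                   "legacy@example.com", "cfo@example.com",
                   "partner@supplier.example"):
        print(sender, "->", classify_sender(sender, date(2022, 5, 16)))
```

In practice the offboarded and last-login data would come from the identity provider, and the "no-address-signal" case is where awareness training and content-based controls have to take over.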
Spear phishing and BEC outcomes can be costly. Some attackers steal network access credentials in this way, then inject malware and ransomware into the organization's network. In other cases, attackers may intercept supplier emails to glean accounts payable information and divert payments to their own accounts. They may spoof the addresses of top managers to send fraudulent emails. Or they may use compromised credentials to hijack company email accounts.
While standard phishing is a volume business, spear phishing goes big; cybercriminals use it as a tactic for stealing large sums or mounting ransomware attacks. Not coincidentally, some of the most damaging cyberattacks have been a result of spear phishing exploits.
Phishing has become a fact of life for organizations. In Mimecast's State of Email Security 2022 survey, fully 96% of organizations reported being targeted by phishing attacks with malicious links or attachments last year. Spear phishing is not far behind, with 92% of survey respondents reporting BEC and impersonation attempts.
BEC is the costliest cybercrime in the U.S. Over $43 billion was reported lost to BEC scams from mid-2016 to the end of 2021, the FBI recently announced, which only gives a sense of the problem, since not all successful attacks are reported.[1] According to How to Reduce the Risk of Phishing and Ransomware, a Mimecast-commissioned report from Osterman Research, nearly half of the companies polled reported that phishing emails had caused malware infections and compromised their accounts. The survey found 53% of companies suffered a BEC attack that tricked at least one low-level employee and 28% suffered a BEC attack that tricked a senior staffer.
The pivot to remote work during the COVID-19 pandemic created a prime opportunity for cybercriminals, who used the emergency as bait in many of their messages and took advantage of security lapses among staff working from home. In 2021, the Mimecast Threat Center found employees worldwide clicking on malicious URLs inside emails three times more often than they had before the pandemic.
Stopping phishing and spear phishing requires a multilayered approach and buy-in across the organization, including:
The difference between phishing and spear phishing may come down to numbers - as in, high-volume, low-dollar phishing attacks vs. low-volume, high-dollar spear phishing exploits. But both threats present a real and growing security problem. Awareness training is still the first line of defense to prevent all forms of phishing, but security technology keeps evolving to defend in real time against both phishing and spear phishing. The important question is not phishing vs. spear phishing, but defending the organization vs. taking a chance. Learn more about Mimecast's defenses.