Spear-phishing tactics are changing — how can enterprises stay ahead?

Spear phishing attacks continue to be a major cause for concern for most organizations today. Compared to other phishing scams and malicious emails, spear-phishing attacks tend to focus on specific targets. More often than not, these targets represent important individuals at an organization.

Primarily, most companies would feel that it would be the C-level executives that are often targeted. However, cybercriminals are also targeting other employees as well. For example, company secretaries and administrative staff, who often also have access to key sensitive data in an organization.

Verizon’s 2021 Data Breach Investigation Report showed that 85% of breaches involved the human element, whereby phishing attacks were present in 36% of breaches in their dataset. The report also stated that business email compromises have doubled, with web-based emails becoming a favorite target. Despite rising education and awareness on phishing emails, phishing templates have a wide range of click rates, from no-clicks to click rates of over 50%.

While most C-level executives may be aware of spear-phishing emails and how to deal with them, especially since many would have gone through sufficient training exercises by now, other employees may not have the same understanding. Frankly speaking, how many of us today actually look at who an email is from? If the content and title seem convincing enough, the majority often open up the email or click the links attached to it. While some of us may immediately shut it down the moment we feel the link is suspicious, most times it is hard to detect.

Microsoft recently announced how cybercriminals are changing tactics in phishing. In some phishing campaigns, cybercriminals use multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions.

“During our year-long investigation of a targeted, invoice-themed XLS.HTML phishing campaign, attackers changed obfuscation and encryption mechanisms every 37 days on average, demonstrating high motivation and skill to constantly evade detection and keep the credential theft operation running,” said Microsoft in a statement recently.

According to the FBI’s Internet Crime Report 2020, there were 241,324 phishing incidents in 2020, a figure that has doubled from the previous year. These incidents have resulted in losses amounting to over US$54 million. Globally, the losses could be significantly higher — and it does not include figures of incidents that were not reported as well.

As usual, financial reasons motivated cybercriminals to pick their target. In most cases, phishing attacks were targeted to get employee credentials and using them to gain access to mail accounts and web application servers.

Dealing with spear phishing

While there are many solutions available in the market today that can give added security to organizations, the most important way of dealing with any email-based threat goes down to individuals themselves.

Employees at all levels need to understand what phishing emails are, and how disastrous they can be to a company. They need to be trained how to spot suspicious emails, and most importantly not to simply open any attachments they received, as most malware comes from attachments in phishing emails.

Employees also need to have different passwords for different programs they use. They should never use the same password for all their work logins. Companies should also look to enhancing multi-factor authentication which includes biometric verifications.

As spear phishing is a targeted attack, employees should also be vigilant in what information they share online, especially on their social media sites. Cybercriminals often spent a great deal amount of time studying their victim behaviors and habits online before launching an attack on them.

Email authentication software, phishing attack response tools, and other monitoring tools can also help reduce spear phishing attacks. However, it will all still eventually go down to the weakest link in any cybersecurity, which is humans.