Phishing emails are still one of the most widely used attack vectors. Threat actors create a convincing pretext in emails that dupes victims into revealing passwords, downloading malware, or unknowingly initiating fraudulent transactions. This pretext exploits human behavior and psychology.
Many of today’s successful phishing campaigns are more sophisticated and targeted than traditional mass phishing emails, which were sent to many people at once in the hope of fooling one person into taking a desired action. Now spear phishing is the norm: threat actors deliberately focus on specific individuals and tailor each message to increase the likelihood of deception. This article provides actionable tips for spear phishing defense.
The Growing Spear Phishing Problem
Before delving further into some spear phishing defense tips, it’s worth highlighting just how prevalent and damaging the problem of spear phishing is. In one report, 65 percent of known threat groups were found to be using spear phishing emails as their most popular avenue for initiating cyber attacks. The first quarter of 2022 alone saw over 1 million phishing attacks with a 7% increase in credential theft phishing. And with successful spear phishing attacks costing businesses millions of dollars, comprehensively defending against these targeted emails should be a top security priority for CISOs.
Spear Phishing Defense
Here are some tips for spear phishing defense covering users, technology, and post-attack strategies.
Improved User Training and Awareness
User training and awareness needs to improve beyond the typical phishing modules that educate about the signs of mass phishing campaigns (e.g. untrusted email addresses or obvious spelling/grammar errors in the body of the message). Detecting spear phishing emails calls for closer attention to finer details, including:
- Imitating legitimate email addresses: Threat actors often register typosquatted or lookalike domains that differ from legitimate corporate domains by only a character or two (a swapped letter, a digit in place of a letter, an extra hyphen or label), or they put a trusted name in the display name while the actual address belongs to another domain. Many mail clients show only the display name, so users should expand and examine the full sender address; doing so carefully weeds out many attacks.
- A sense of urgency: Spear phishing emails regularly prey on urgency, threatening negative consequences for the victim if they don’t click a link, reveal information, or initiate a transaction immediately. Users should learn to treat urgent requests that come out of the blue with the utmost suspicion and to verify them through a separate channel, such as a phone call to a number they already know.
- Unfamiliar tone: Impersonating someone known and trusted by the target is one of the main ways threat actors succeed with spear phishing. A tone that is unusually casual or formal compared with how that person normally writes should immediately raise doubts about the authenticity of the email.
Cybercriminals use spear phishing because a high level of personalization casts aside doubts in the minds of targets. But shifting education to the more subtle signs of spear phishing ensures users are prepared to think critically about the validity of emails they receive even when they seem to come from a trusted source.
Ideally, ongoing awareness through flyers dotted around the office and newsletters can reinforce these warning signs. Simulated attacks that incorporate spear phishing emails can also prove invaluable in providing users with an acid test of their susceptibility to these scams.
Advanced Security Solutions
Another reason spear phishing emails tend to work is that standard email security and other solutions aren’t effective in filtering out these messages before they end up in employee inboxes. Luckily, several technological developments in recent years have led to innovations in security, with more advanced solutions using capabilities such as:
Machine learning: email security solutions powered by machine learning progressively improve at detecting phishing emails by training on sets of thousands of labelled emails, links, and attachments. Models can learn to classify targeted emails from features of the URLs they contain or from the HTML of the web pages those URLs lead to.
Automated risk scoring: scoring based on the email content, the links it carries, and the risk or reputation of the sending domain helps to detect spear phishing emails that use lookalike or typosquatted domains. The solution then checks whether the email’s score crosses a pre-defined risk threshold and, if it does, removes or quarantines the message.
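The lookalike-domain checks from the user-training section and the automated scoring described above, as an added Python example that is not Flare’s code and not part of the original article. The protected domain list, the confusable-character table, the score weights, the threshold values and the domain-age "reputation feed" are all assumptions constructed for the example; a production filter would take reputation data from a live source and tune the weights against its own mail.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

PROTECTED_DOMAINS = ("example.com", "example-corp.com")   # domains we own (assumed list)
# Substitutions seen in lookalike registrations: what is typed -> what the eye reads.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
# Urgency and payment-pressure wording that spear phishing leans on.
PRESSURE_TERMS = ("urgent", "immediately", "asap", "overdue", "wire", "before end of day")
# Constructed stand-in for a domain-reputation feed: days since registration.
DOMAIN_AGE_DAYS = {"examp1e.com": 3, "example.com.login-verify.net": 12, "example.com": 9000}
QUARANTINE_AT, FLAG_AT = 60, 30   # assumed thresholds


def fold_confusables(domain: str) -> str:
    """Map Unicode and ASCII look-alikes onto the letters they imitate."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the plain O(n*m) version is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_owned(domain: str) -> bool:
    """True for a protected domain or any genuine subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in PROTECTED_DOMAINS)

def lookalike_target(domain: str):
    """Return the protected domain that `domain` imitates, or None."""
    if is_owned(domain):
        return None
    folded = fold_confusables(domain)
    for legit in PROTECTED_DOMAINS:
        if folded == legit or edit_distance(folded, legit) <= 2:
            return legit  # typo or confusable-character substitution
        if domain.startswith(legit + "."):
            return legit  # our name used as a subdomain of the attacker's domain
    return None

def score_email(raw: str) -> dict:
    """Score one raw single-part message and decide deliver / flag / quarantine."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    score, reasons = 0, []
    target = lookalike_target(sender_domain)
    if target:
        score += 50
        reasons.append(f"sender domain {sender_domain} imitates {target}")
    # Display name carrying a different address than the real sender (clients often show only the name).
    shown = parseaddr(display)[1] if "@" in display else ""
    if shown and shown.rpartition("@")[2].lower() != sender_domain:
        score += 20
        reasons.append(f"display name shows {shown} but mail is from {addr}")
    # Every link host gets the same lookalike check as the sender domain.
    urls = re.findall(r"""https?://[^\s<>"']+""", text)
    hosts = {h.lower() for h in (urlparse(u).hostname for u in urls) if h}
    for host in sorted(hosts):
        if lookalike_target(host):
            score += 25
            reasons.append(f"link to lookalike host {host}")
    # A domain registered days ago has no reputation to check; youth is itself a signal.
    for d in sorted(hosts | {sender_domain}):
        if DOMAIN_AGE_DAYS.get(d, 9999) < 30:
            score += 10
            reasons.append(f"{d} registered {DOMAIN_AGE_DAYS[d]} days ago")
    hits = [t for t in PRESSURE_TERMS if t in text.lower()]
    if hits:
        score += min(15, 5 * len(hits))
        reasons.append("pressure language: " + ", ".join(hits))
    action = "quarantine" if score >= QUARANTINE_AT else "flag" if score >= FLAG_AT else "deliver"
    return {"score": score, "action": action, "reasons": reasons}


# Constructed sample: CEO-fraud style message sent from a typosquatted domain.
SAMPLE_EMAIL = """\
From: "Dana Lee (CFO)" <dana.lee@examp1e.com>
Subject: Urgent wire before 3pm

Please process this wire immediately, the vendor invoice is overdue.
Approve it at https://example.com.login-verify.net/invoice and reply ASAP.
"""

if __name__ == "__main__":
    print(score_email(SAMPLE_EMAIL))
```

The sample lands well above the quarantine threshold because several independent signals stack: the sender domain folds to example.com once the digit 1 is read as l, the link puts the real domain name in front of an attacker-controlled one, both domains are days old, and the subject and body are loaded with pressure wording. A genuine message from example.com with a link to mail.example.com scores zero, which is the point of the is_owned check: real subdomains must never be flagged as lookalikes.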
Computer vision: client-based solutions use computer vision to defend against spear phishing emails that get past domain blocklists, for example because a newly registered lookalike domain has no negative reputation yet. When a user clicks a link in such an email, the rendered page is analyzed visually, typically by comparing it with the known appearance of the brand’s genuine login pages, to determine whether it is legitimate or a phishing site.
DMARC: Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol first published in 2012 with the intention of combating fraudulent email at scale. It builds on SPF and DKIM: a message passes DMARC only if SPF or DKIM passes and the authenticated domain aligns with the domain in the visible From header, and the owner of that domain publishes a DNS record stating what receivers should do with failures (p=none, quarantine, or reject). Surprisingly few businesses implement it, so it’s worth both publishing an enforcing policy for your own domains and seeking out a solution that performs DMARC checks on inbound mail.
These checks identify emails with spoofed From headers that users would not necessarily notice. When a DMARC check flags an email from a source that failed authentication, your solution can filter or quarantine the message before users receive it. Note what DMARC does not do: a lookalike domain the attacker registered can publish its own SPF and DKIM records and will pass DMARC for its own name, so DMARC complements rather than replaces lookalike-domain detection.
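An added example, not part of the original article and not any vendor’s code, of the DMARC evaluation an inbound filter performs once the receiving MTA has recorded its SPF and DKIM verdicts in an Authentication-Results header. The DMARC records are embedded instead of fetched from DNS, the organisational domain is approximated as the last two labels rather than looked up in the Public Suffix List, and the messages are constructed; all of these are assumptions of the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the DNS TXT lookup of _dmarc.<domain>; a real filter
# queries DNS, the records are embedded here so the example runs offline.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "partner.example": "v=DMARC1; p=none",
    # examp1e.com (an attacker-registered lookalike) publishes no record at all
}

SPF_RE = re.compile(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)")
DKIM_RE = re.compile(r"dkim=(\w+)\s+header\.d=([^\s;]+)")


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels (assumption:
    a real implementation consults the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(raw: str) -> dict:
    """Apply DMARC to a message whose Authentication-Results header the MTA already wrote."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = msg.get("Authentication-Results", "")
    record, subdomain = DMARC_RECORDS.get(from_domain), False
    if record is None and org_domain(from_domain) != from_domain:
        record, subdomain = DMARC_RECORDS.get(org_domain(from_domain)), True  # org-domain policy
    if record is None:
        return {"result": "none", "policy": None, "action": "deliver",
                "reason": f"{from_domain} publishes no DMARC record"}
    tags = parse_dmarc(record)
    policy = tags.get("sp", tags.get("p", "none")) if subdomain else tags.get("p", "none")
    spf, dkim = SPF_RE.search(results), DKIM_RE.search(results)
    spf_ok = bool(spf and spf.group(1) == "pass" and aligned(spf.group(2), from_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim and dkim.group(1) == "pass" and aligned(dkim.group(2), from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return {"result": "pass", "policy": policy, "action": "deliver",
                "reason": "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"}
    action = policy if policy in ("reject", "quarantine") else "deliver"
    return {"result": "fail", "policy": policy, "action": action,
            "reason": "no aligned authenticated identifier for " + from_domain}


# Constructed messages; Authentication-Results is what the receiving MTA adds after its own checks.
SPOOFED = """\
From: "CEO" <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@bulk-sender.net; dkim=none
Subject: Quick favour

Are you at your desk? I need you to handle a payment today.
"""
GENUINE = """\
From: "CEO" <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=ceo@example.com; dkim=pass header.d=example.com header.s=s1
Subject: Board pack

Attached.
"""
LOOKALIKE = """\
From: "CEO" <ceo@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=ceo@examp1e.com; dkim=pass header.d=examp1e.com
Subject: Quick favour

Are you at your desk?
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(name, evaluate_dmarc(raw))
```

The three verdicts show the boundary of the control: the spoofed message passed SPF for the bulk sender’s own bounce domain, but that domain does not align with example.com, so the published p=reject applies; the genuine message passes on aligned SPF; and the lookalike message gets a result of none, because the attacker owns examp1e.com and nobody has published a policy for it. That last case is exactly the traffic the scoring and lookalike checks earlier on this page exist to catch.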
Browser isolation: another related type of solution worth considering is browser isolation, which runs the web browser inside a sandbox that is isolated from the rest of the user’s system and from your wider network. Because the sandbox is cut off from everything else, any malicious links or downloads a user opens stay confined to that environment. Isolation contains malware and drive-by downloads, but it does nothing to stop a user typing a password into a convincing phishing page, so it belongs alongside credential-phishing detection rather than in place of it.
Post-Attack Strategies
Spear phishing emails can still bypass security controls and persuade targets to act, especially if there are gaps in your security stack or your user training. If an employee unknowingly transfers money to an account under the threat actor’s control, the best hope is to contact the relevant bank immediately and attempt to recall the transaction; the window for a successful recall is usually short, so the reporting path should be agreed in advance rather than worked out during the incident.
Far more common, though, is that an employee discloses login credentials for a business service or application after clicking the link in a phishing email. Stolen credentials command a high price on the dark web, where they are often re-sold to other threat actors for use in different types of cyber attacks. Effective post-attack protection for credentials should identify leaked credentials before they are used for other malicious purposes, so that the affected passwords can be reset and active sessions revoked; multi-factor authentication limits what a stolen password alone is worth to the buyer.
When spear phishing emails lead users to download and open malicious attachments, malware sandboxes integrated with email security solutions detonate attachments in an isolated environment before delivery, so that malicious behaviour is detected and the message blocked before the malware reaches an endpoint and spreads to other systems.
Flare Data Leak Monitoring
Flare’s digital footprint solution scans the dark, deep, and clear web for leaked or stolen account credentials that you wouldn’t otherwise know about. Employees often disclose these credentials unknowingly on the phishing pages that spear phishing emails link to, and they put your business at risk of further compromise.