Could your employees detect and deflect a spear phishing attack?

By Scott Greaux

You can’t swing a dead cat without hitting a company that’s been linked to a phishing attack. Organisations such as RSA, Epsilon and the US Department of Energy are just a few that have publicly held up their hands to falling victim to an attack. And it will get worse. Gartner recently stated in its 2012 Magic Quadrant for Secure Email Gateways (SEG) report that "Phishing attacks continue to oscillate, while more targeted phishing attacks increase.” Why are spear phishing attacks increasing, and what can organisations do to avoid falling victim?

What is Spear Phishing?

Phishing is a technique used by attackers to gain access to the corporate network in order to acquire sensitive information such as usernames, passwords and R&D information. They do this by masquerading as a trustworthy, legitimate electronic communication while harbouring a sinister intention.

Spear phishing takes it one step further. Instead of sending out a blanket email to millions of addresses in the hope that they’ll get lucky, criminals will pick a handful of individuals within the company they want to target, and carefully tailor the message so that it is relevant to the recipient or uses emotions such as fear, reward and curiosity to get the recipient to react. In the highly-publicised attack against security firm RSA, the spear phishers sent two different phishing emails to a group of employees over the course of a few days. The subject line simply read “2011 Recruitment Plan.” Just one person’s interest was piqued and they were duped into opening the message and clicking on its attachment unleashing a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability. The rest, as they say, is history.

That’s an example of a spear phishing attack against one specific organisation, but whole sectors have also been targeted. Twelve months ago it was confirmed that the chemical, defence and other sectors were hit with a spear phishing campaign designed to steal R&D and other information. In the campaign, named ‘Nitro’, the attackers’ focus was information about chemical compounds and various advanced materials used by the military. In the end, nearly 100 computers were affected and the attacks could all be traced back to a phishing email campaign.

Why Are They Effective?

There are two key trends driving the increasing effectiveness of spear phishing campaigns.

1) Unfortunately we’ve been misled:

Many have been led to believe that spear phishing attacks can be thwarted with technical controls, such as anti-virus software, etc., so less emphasis has been placed on educating users. However, as the public attacks last year proved, this trust has been misplaced. The end result is that many people don’t expect to receive anything in their inbox that they shouldn’t respond to so, when they do, they’re unlikely to be suspicious.

2) Arguably some of the credit has to be given to the criminals:

Just as marketing works when it is targeted, the same is true for a scam email and malicious individuals have realised this. Criminals will research, collect and cross reference information about an organisation, and the individuals who work there, and then tailor a message that they’d expect to receive. For example, in the Nitro attacks mentioned previously, when just a few emails were sent to an organisation the message appeared to be a meeting invite from business partners. When larger numbers were sent, they claimed to be a security update.

What Can Be Done?

Spear phishing attacks are performed by humans, against humans. For that reason, while software solutions exist, relying on technology alone is not enough. Instead, you need to employ a holistic approach – anti-virus and filters that will remove the more basic, generic attacks, combined with education that helps end users become sensitive to warning signs and understand the correct process for reporting suspicious emails.

There are a number of typical tell-tale signs, both in terms of the sender and the content, that could potentially characterise a phishing email, and it’s imperative that your workforce knows what to look for:

    • Do they know the sender, and is it the email address they would expect them to use? An email purporting to be from your CEO, but sent from a Gmail account, should always ring alarm bells.

    • Is the user expecting a message from the person? Would that person usually encourage clicking on a link? And, if so, does the request seem genuine? For example, if you’ve not ordered anything, then an email from UPS advising that a shipment is being held at customs shouldn’t really ring true.

    • The content of the email can be a giveaway. One of the most basic reasons that phishing attacks work is that they prey on a user’s emotional response – fear, curiosity or reward – and emails that evoke strong emotions such as these should be treated as triggers.

    • Is it too good to be true? If it says you’ve won an iPad in a company raffle, and you haven’t bought any tickets or the company doesn’t even hold raffles, then the chances are you haven’t.

    • Users should consider whether an email is specific to them. Does it make sense? Although criminals have a lot of information about individuals, they will still keep messages fairly generic to pique the interest of the recipient and make them take action.

    • Perhaps it would be normal for your IT support company to request clicking a link to install a software update but, if it isn’t, then alarm bells should ring. And, if there is a link, does it point to an address you can identify, or is someone trying to appear genuine while the link actually directs to a false site?

    • And of course, while grammar has improved in recent years, mistakes are often an indicator that all is not as it seems.

While one of the points alone may not be conclusive, if an email ticks a number of these boxes then it should be treated with caution.
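The checklist above can be turned into a simple triage helper that a security team could run over a reported message. This is an added example, not code from the article or from PhishMe; it assumes a hypothetical organisation domain, a short list of free-mail domains and a handful of emotion-trigger words, and it applies the article's rule that one ticked box alone is not conclusive but several together are.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Assumptions, not from the article: our own mail domain, free webmail domains
# an executive would not send from, and a few emotion-trigger words.
ORG_DOMAIN = "example.com"
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
TRIGGER_WORDS = {"urgent", "immediately", "won", "prize", "suspended", "verify", "customs"}
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)

def phishing_signals(raw_message):
    """Return the checklist boxes a single-part HTML message ticks."""
    msg = message_from_string(raw_message)
    signals = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Sender: claims to be the CEO or internal, but mails from a free webmail account.
    if domain in FREEMAIL and ("ceo" in display.lower() or ORG_DOMAIN in display.lower()):
        signals.append("internal persona sent from free-mail account " + domain)
    body = msg.get_payload()
    for href, text in LINK_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        # Link: a bare IP address instead of a name the user can recognise.
        if IP_RE.match(host):
            signals.append("link points to bare IP address " + host)
        # Link: the visible text names one domain, the real target is another.
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and not (host == shown.group(0).lower() or host.endswith("." + shown.group(0).lower())):
            signals.append(f"link text says {shown.group(0)} but target is {host}")
    # Content: subject and body lean on fear, reward or curiosity.
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = sorted(w for w in TRIGGER_WORDS if re.search(rf"\b{w}\b", text))
    if hits:
        signals.append("emotional trigger words: " + ", ".join(hits))
    return signals

def treat_with_caution(raw_message, threshold=2):
    """The article's rule: one box alone is not conclusive, several together are."""
    return len(phishing_signals(raw_message)) >= threshold

# Constructed sample messages (not real mail): one suspect, one benign.
SUSPECT = ('From: "Example CEO" <ceo.office@gmail.com>\n'
           "Subject: URGENT: 2011 Recruitment Plan - review immediately\n\n"
           '<p>Review the plan at <a href="http://203.0.113.5/plan">example.com/recruitment</a> immediately.</p>\n')
BENIGN = ('From: "IT Support" <helpdesk@example.com>\nSubject: Monthly maintenance window\n\n'
          '<p>Servers restart Saturday. Details on <a href="https://intranet.example.com/maint">intranet.example.com</a>.</p>\n')
```

Running `phishing_signals(SUSPECT)` lists all four ticked boxes, while the benign maintenance notice produces none; the helper is a triage aid for the person who receives forwarded reports, not a replacement for their judgement.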

This brings me on to the next element – procedures:

    • Use an immersive training technique and send users a typical phishing email, and then provide anyone who falls for the scam with immediate feedback in the form of education. Conducting regular mock phishing exercises while varying the attack method, social engineering tactics (emotions) and themes will make users more aware and resilient to attacks that work on them. After all, you don’t learn to drive a car by reading a manual nor does everyone pass the test on their first go!

    • Users need to be routinely reminded of the need for caution when clicking links, or opening attachments. If they aren’t sure that an email is genuine they should be encouraged to verify with the sender using another channel, such as phone or face-to-face, before opening it.

    • Should a malicious email subvert your controls and land in a user’s inbox, then users need to know what to do with it. Rather than just delete it, not least because it might be legitimate, I would suggest it be forwarded to the person within the organisation best placed to determine its authenticity. Once the message has been examined, the user should be informed of the outcome, and why, so they can learn from the experience going forward.

    • Share information with employees about the types of attack that have been received elsewhere in the organisation so others don’t fall foul.

    • Display examples of phishing emails on the organisation’s intranet so a suspect email can be checked against others previously received.

Spear phishing is a targeted attack but it can be prevented. As an enterprise you need to ensure your users get the message, and change their habits, so that they not only identify a phishing attack, but know exactly what they should do about it. By educating people they will do the right thing when faced with a situation because they’ll be conditioned to respond in a certain way. Otherwise you might find yourself impaled.

About the author

Scott Greaux is Vice President, Product Management and Services at PhishMe.

Scott Greaux graduated from the Pennsylvania State University and has since held roles of increasing responsibility from application developer to CTO to President of a boutique marketing firm. Most recently Scott served as General Electric’s Deputy Chief Information Security Officer, where he led key global initiatives such as Policy and Policy Frameworks, Security Awareness, Advanced Threat initiative coordination and Information Security metric reporting. During his tenure he was uniquely positioned to see the threat of advanced phishing techniques and developed a multi-faceted program to address the phishing risk in a large enterprise.

Scott brings his extensive experience and unique blend of business management and creative marketing practice to PhishMe where he works with customers to develop robust anti-phishing programs. Greaux also oversees PhishMe’s managed service offering, support operations and leads PhishMe’s Customer Advisory Board where he works with customers and industry thought leaders to align PhishMe features with the ever changing threat landscape.

About the company

PhishMe provides organizations the ability to train their employees and customers about the risks of spear phishing with just a few simple clicks. With over 3.5 million individuals trained since its launch in 2008, PhishMe provides a cost effective way to mitigate this challenge. The company has proven that its training can reduce the threat of employees and customers falling victim to phishing attacks by up to 85 percent. PhishMe is a leader in anti-phishing training and focuses on educating users on how to best protect themselves from the latest scams. Using PhishMe’s built-in templates and simple functionality, companies can emulate real phishing attacks against their employees within minutes. PhishMe facilitates and automates the execution of mock phishing exercises against the employees and provides clear and accurate reporting on user behavior. Most importantly companies are able to focus their training efforts on the most susceptible employees by providing immediate feedback to anyone that falls victim to these exercises. Additionally, PhishMe adds customizable interactive games to the suite of training modules enterprises can deliver to their staff and customers. PhishMe works with Federal Agencies and Fortune 1000 companies across multiple vertical market sectors including financial services, healthcare, higher education and defense.
