There is something in common between cyber-attacks targeting companies. Most of them start silently with a carefully crafted spear phishing email. Though the messages look quite ordinary, they contain infected files or malicious links and are addressed to specific employees within organizations.
Phishing emails targeting common users are usually not very “personalized” and can have typos, old logos and other innacuracies. When it comes to corporate targets, phishing attacks follow thorough collection and analysis of information on the target. Cyber criminals study the target’s communications, possible areas of responsibility and authority. Then they create a plausible message with enough details to make the recipient trust it. Phishing targeting particular companies or users is called spear phishing.
The number of companies targeted with spear phishing emails is constantly growing. Targeted users receive carefully designed messages that make them take the bait. They enter their credentials and thus compromise access to their corporate networks and data. Spear phishing emails can also contain malware. It can launch after a certain action is performed or sniff and log everything the victim types on the keyboard.
Spear phishing campaigns require more time and money than traditional mass phishing campaigns. However, the investment usually pays off, if attackers succeed.
Collection of information
Cyber criminals start the attack preparation with collecting information from public sources. They analyze the company’s profiles on social networks, job sites and employees’ accounts. The more relevant data they collect – the higher chances for the attack to succeed.
To verify authenticity of the collected information, the attackers can call or send a message. They can even exchange emails with the victim or other contacts in the company for a while. It also allows them to find out some helpful details. For instance, the software version in use, IP addresses or antivirus program, that they discover during a phishing call or extract from the headers of the email messages.
To create a realistic phishing scenario, attackers can register a fake domain similar to the corporate website, mail subdomain CRM system, or another resource.
The main attack vectors are like those of the mass phishing attacks. They include messages with links or attachments, claiming to be notifications from legislative or executive authorities, court decisions, mail delivery errors, invoices or anything else.
Phishing emails can intentionally contain errors in displaying content to force the person to open a link in the browser. The fake email can also lead to a well-known, but compromised resource.
Today attackers use sophisticated techniques to convince the victims to follow fake links and unwittingly leave valuable data to attackers. Scammer can outsmart even experienced internet users.
To protect themselves from spear phishing attacks, companies can conduct cyber security trainings for employees. Any corporate team – especially non-IT – should know how to verify content reliability, control the address bar while browsing, check the web site certificate validity and spot out phishing emails and calls.