Phishing describes a form of social engineering where a person is tricked into thinking a scam is real, usually by impersonation. For example, a scammer might send an email telling someone that their order of 50 iPhones went through, and if they have any questions, to call a number at the bottom of the email; when the person calls, they’re pressed for information like their shipping address, their name, or their credit card number. Of course, there was no iPhone order – the scammer is impersonating Apple to borrow their credibility! Once the scammer has the info they need, they might use it to steal the target’s identity, or commit credit card fraud.
While phishing still catches out a huge number of people each year, it’s also not the most elegant approach to stealing data. There are a number of skill checks the target must fail for it to work. Firstly, their email program must fail to filter the scammer’s email as spam, so they actually see it. Once they see it, they must then fail to realize the email is a fake – whether that’s because they checked their bank balance and didn’t see a charge, or because Apple doesn’t sell regular people 50 iPhones at a time, most phishing emails stop working either at the spam filter or here. After that, they must also fail to call Apple support directly and instead use the phone number included in the email. Finally, someone on that call asking for their credit card details must fail to make them suspicious, completing the scam.
You may notice there are layers here where people are more likely to fail than others, and depending on the content, the initial email may or may not weed out the people who would stop failing somewhere around steps two or three. Scammers adapted their strategies to fix this, limiting the time they’d have to invest in the less automated portions like the call to “Apple Support”. One of these methods was to deliberately litter the email with garbage and typos, dropping the people who would fall for a clean email but balk at the phone call, and leaving just the people who didn’t realize the email was fraudulent even with the typos – people who’d probably fail the phone call as well.
Another method was to invest more effort, instead of less. This is called spearphishing!
What is Spearphishing?
Spearphishing is a type of phishing designed for a particular target. Depending on the type of scheme being attempted, the actual investment into research and deception goes up. At the base level, where a spearphisher is just trying to get someone in the company to open an email and download an attachment, investment can be relatively low, even for spearphishing. If, say, someone is trying to get a business’s Accounts Payable clerk to download a malicious file, they may try to do so by posing as a common industry vendor and sending in an “invoice” as a Word document carrying a macro (a macro-enabled .docm, or a legacy .doc; a plain .docx cannot hold VBA macros, though it is often renamed to look harmless). The macro runs code on the clerk’s machine the moment they click “Enable Content”. This is not a random email from “Apple”, nor is it some outrageous amount of money designed to make the target panic; it’s an invoice designed to slip under the Payables person’s radar as ordinary and routine. Heck, depending on their goal, they may simply send in a PDF with a small amount on it to see if they can grab a bit of ‘free’ money out of an unverified invoice for work or parts they never did or sold! It really can be that simple.
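Because the extension on the attachment is whatever the sender chose, a useful gateway or helpdesk check looks inside the file rather than at its name. The script below is an added example, not code from the original post: a modern Word file is a ZIP archive, and a VBA project always lives in the member `word/vbaProject.bin` (and is declared in `[Content_Types].xml` with the macro-enabled content type), so the check opens the archive and looks for those. The two sample files it builds are constructed stand-ins with only the parts the check reads, not real Word output. Legacy binary `.doc` files are OLE containers, not ZIPs, and need a different parser (for instance `olevba` from oletools), which this example does not cover.

```python
import io
import zipfile

MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def has_vba_macro(data: bytes) -> bool:
    """True if an OOXML Word file carries a VBA project, whatever its extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if MACRO_PART in names:
                return True
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        pass  # not an OOXML container; a different check (e.g. OLE) applies
    return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Verdict for a helpdesk queue: quarantine macro-bearing Word files.

    The decision keys off the archive contents, not the filename, so an
    'invoice.docx' that really contains a VBA project is still quarantined.
    """
    lowered = filename.lower()
    if lowered.endswith((".docx", ".docm", ".dotx", ".dotm")) and has_vba_macro(data):
        return "quarantine: Word attachment contains a VBA macro"
    return "deliver"


def build_sample(macro: bool) -> bytes:
    """Constructed minimal stand-in for a Word file (not real Word output)."""
    main_ct = MACRO_CONTENT_TYPE if macro else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr(MACRO_PART, b"\x00constructed-vba-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [
        ("invoice_4471.docm", build_sample(macro=True)),
        ("invoice_4471.docx", build_sample(macro=True)),   # renamed to look harmless
        ("invoice_4471.docx", build_sample(macro=False)),
        ("invoice_4471.docx", b"not a zip at all"),
    ]:
        print(f"{name}: {triage_attachment(name, blob)}")
```

Run it as-is to see the renamed file caught alongside the honest `.docm`. In a mail pipeline you would call `triage_attachment` on each decoded attachment before it reaches the inbox; the verdict string is the thing to log and alert on.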
Avoiding It
Given the attacker is trying to get malware onto the Payables device, the employee working in Payables is simply not going to be vigilantly looking out for scams in every single email they open and every single PDF or Word file they download. It is not possible: people get fatigued and start making mistakes, and spearphishing is deliberately doing its absolute best to hide every potential red flag. So how do you prevent malware if the employee genuinely cannot tell whether a document is from a legitimate vendor or not?
A properly protected endpoint is the next layer, and a quality product designed for whole-network protection like Huntress can usually either stop malware before it becomes active, notify you that something needs urgent attention, or isolate a computer from the network if it can’t do the first thing. Heck, the built-in Windows antivirus (Microsoft Defender) is actually pretty good by itself, provided employees read the prompts when they appear and don’t try to open flagged files in spite of the warnings. Current versions of Office also block macros in documents downloaded from the internet by default, which blunts the “Enable Content” trick unless the user goes out of their way to unblock the file. The one caveat is that the Windows installation has to be fully up to date for any of this to hold, because many of these attacks rely on devices with the sort of small security gaps that are closed during updates.
But how about the no-malware-required spearphishing? What about that small invoice for ‘consulting’ that never actually happened?
Social Engineering
It’s a common trick: act like you belong, and people will treat you like you do. Act like you have a right to ask for some information or some money, and people will hesitate to question it. It has worked at such scale as selling people a bridge that the salesperson simply claimed to own! More recently, the Louvre, one of the most well-known museums in the entire world, had French royal jewelry go missing in the middle of the day, because security was lax (the Louvre had reportedly been short-staffed for years) and the thieves were dressed as builders. They walked in, grabbed what they wanted, and then walked back out.
It’s just as simple for phishers, if they can pull off the casual confidence they need to make the scam work. Make a request that would be more work to verify than makes sense for the amount being requested (work is usually something vague here like ‘consulting’ for an hourly rate) from a professional-looking email with a professional-looking format. A typo-free and correctly capitalized subject line, and a signature line with a stolen photo of someone who looks trustworthy can do a lot of heavy lifting here. Catching them out when everything looks right, except for the transaction itself, is difficult by design!
There’s another way to trick people using this method too – instead of playing a third party sending in a new invoice, playing a member of the original transaction can also net some cash, or some data. Spearphishing excels here because successfully pulling this off requires successfully impersonating someone so well that even when other red flags are present, the scam still goes through. This means naturally that research is needed alongside confidence.
One scam can look like someone with a plausible-sounding Gmail or Yahoo account emailing IT during off hours, claiming they’re an employee who urgently needs to get into the system and doesn’t remember their password because it’s saved in their browser at work. This sounds plausible, and if IT is not doing their due diligence, they may reset the account and hand the new password to the scammer, something the actual employee won’t notice until the next day. The urgency is a double-edged sword here: if the problem is so huge it cannot wait until tomorrow, IT feels rushed to ‘fix’ it, maybe before checking in with a call. At the same time, if the problem is that urgent, then the employee will surely be able to handle a phone call at midnight!
Similar schemes using the plausible personal Gmail trick can rope in people who theoretically wouldn’t have addresses that are known outside the organization, and since these are not usually phrased urgently, they’re less likely to get a phone involved. An internal HR role in a big enough company would be dealing entirely with insiders. Someone who can figure out the organization’s email naming scheme might successfully guess this person’s address, and with their plausible Gmail account, they might just manage to get a paycheck routed to the wrong bank. Since nobody outside is supposed to know the HR address, that plausible Gmail suddenly has a lot more credibility! By the time the person who’s been impersonated realizes they don’t have the money, recalling it is usually a BIG pain, if it can be done at all.
When an email seems phishy, calling a number on file (NOT one in the email) to confirm the person on the other side actually wants whatever is being requested (an address change, direct deposit moved to a different bank, et cetera) defeats the plausible Gmail attack. Remember, scammers are creative – there are more ways in than the ones listed here. With AI, even phone calls may some day stop being reliable: if an employee posts videos online, it takes shockingly little voice data to clone their voice. A shared passphrase or PIN known only to the people handling sensitive requests is one measure companies are adopting so that a voice alone is not enough!