Spear Phishing


Topics Covered

This section covers the following topics:

  • A case study regarding a well-managed spear phishing campaign

  • Understanding spear phishing, and how it is a substantial threat to any organisation

  • Learning about ways to educate an organisation about spear phishing

  • Reviewing a checklist that heightens corporate vigilance to protect against common spear phishing tactics by bad actors

To begin, let’s review a spear phishing campaign that was conducted for a university during 2019. While this was conducted for an academic institution, the process is similar for any corporate entity.

Planning the Campaign and Releasing the Phish

It was an unusually cold February morning in New York City, with temperatures hovering around -25C. For a municipality that never sleeps, even at 3:15am, the frozen landscape was unusually muffled as heavy snow blanketed the byways and walkways below. But at Allendevaux & Company, the environment was neither cold nor hush, as the cybersecurity team of “white hats” or ethical hackers prepared to unleash their spear phishing campaign into an unsuspecting university campus in Switzerland, employed to measure the security posture of students and faculty in an effort to bolster awareness and vigilance.Would the campus pass the test or become another statistic, proving that the human component is the weakest link in an organisation?

Even though darkness would envelop NY for several more hours, the unsuspecting faculty and students across the Atlantic were enjoying the morning sun, filling their cups with hot brew, unaware of the test awaiting them. As the clock struck 9:30am CET, schools of phish were released into the wild, racing across oceanic fiber, intelligently targeting inboxes, iPhones and Androids of academics.Now it was only a matter of time, usually minutes, before the unaware would bite the bait that transformed their laptops and mobile devices into onsite weapons. One minute, two minutes, three minutes… “We have our first hit… Wait, there’s another… Hold-on, there’s yet another. Wow, look at the activity in less than five minutes; they’ve swallowed both the bait and the hook, and now we’re in,” said one of the cybersecurity team members.We’ll conclude this story after outlining these helpful points.

Quick Info: What is Spear Phishing

Spear phishing is a targeted attempt to steal sensitive information such as usernames and passwords, usually for malicious reasons. While hacking aims to accomplish the same outcome, usually by finding a vulnerability and forcing a door to open, spear phishing “tricks” the users into handing over the keys to the front door, meaning the main login to a cloud service, making it easy to walk into an otherwise vaulted information repository such as an online banking portal, an email platform, social media, or any other portal that users may log into to access services.

Understanding Spear Phishing

Beyond all forms of hacking, spear phishing is the most successful infiltration according to Symantec. For instance, did you know that 91% of all successful attacks are enabled by spear phishing? Spear phishing emails have improved tenfold in just a few short years, and the untrained eye cannot detect a well-engineered spear phishing campaign.Do you have someone in your business that sends emails to your employees regularly, perhaps distributing updates, noting changes to schedules, and posting other helpful information? Likely your community is accustomed to receiving emails from that person or from that email address. If a rogue email from the same address requested employees to sign-up for an upcoming all-hands meeting, no one may suspect the message as being foul, nefarious, or predatorial. Yet the link on the form may ask employees to checkmark yes/no to attend the event, then redirect employees to a familiar portal to log in.The portal, albeit rogue, may look the same as a real portal, prompting users to enter a username and password; and the unsuspecting users enter their username and password into the rogue portal. But it’s already too late; the credentials have now been captured by the hackers, who are quickly trying the same credentials across thousands of platforms, including Facebook, Instagram, Gmail, Yahoo, Hotmail, Outlook, wireless phone providers, banks, social media accounts and much more.Sadly, in this hypothetical, the spear phishing plot worked, enabling hackers to access systems with speed. With each successful takeover of a Gmail account or social media account, the hackers gain even more information about the user’s identity, enabling access to even more systems, sometimes taking control of two-factor authentication safeguards. It’s at this point that a user has lost both the battle and the war, and usually suffers great loss as well.

How You Can Protect Your Organisation

There are actions your business can take to mitigate the weakest link and heighten your security practices. The common misconception is that security is something the IT department does, but that’s only part of the equation. Successful security starts with top leadership at any organisation. Accordingly, here are steps your organisation can take to defend against the weakest link.

Step 1: Promote Security from the Top Down

Security starts with the leadership of each business. At Allendevaux & Company, if a business’ leadership does not drive security from the top down, we will not work with them, because it’s a lost battle before we start. This is true whether it’s an enterprise, a government institution or a non-for-profit. To give an example, an organisation cannot pass its ISO/IEC 27001 audit if top management does not demonstrate a strong commitment to a security-minded culture, which brings us to step #2.

Step 2: Create a Security-Minded Culture

After top management drives and supports security initiatives, a successful environment requires the involvement of everyone to drive security. While this may sound obvious, it’s important to ensure passwords are not written on post-it notes or taped underneath keyboards. It’s important to ensure workstations are not left unlocked when unattended. It’s a “best practice” to conduct background checks before hiring new employees. These practices, and many others, are part of driving a security-minded culture.

Step 3: Encrypt Regulated and Sensitive Data

Likely your organisation collects forms at some point containing sensitive information: passport numbers, financial disclosures, medical information, etc. Encrypt this information to protect it from prying eyes. Anything that a spear phisher might target, encrypt it: workstations, laptops, cloud services, external drives, USB sticks, etc. Use technology like bitlocker and others that permit encryption across an entire volume; or employ file level encryption at a minimum using WinZip, 7-Zip, Veracrypt, Trucrypt, and others.

Step 4: Promote Multifactor Authentication

Encourage your organisation to enable multifactor authentication, even with personal, non-business accounts. Some of your organisation will be glad they did! Perhaps a hacker is able to discover a person’s Gmail credentials and can log into a employee’s email. Yet when multifactor authentication is enabled, the hacker will not be able to change the password without also having access to a second form of access validation (such as another email account, or text messages to a person’s phone, or an authenticator app, etc.).

Step 5: Employ DMARC Technology

When receiving an email from an address with which you’re familiar, such as user@yourwebsiteaddress.tld, that doesn’t mean it really came from a legitimate individual. Too often, hackers spoof the FROM field and send messages using whatever address they choose. But Domain-based Message Authentication, Reporting & Conformance (DMARC) technology uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to analyse inbound messages against a database. When inbound emails do not match what’s expected, DMARC rejects the message and sends a report to the security administrator. Google, Microsoft and other email platforms support this technology, so ensure it is enabled and setup correctly by your administration.

Step 6: Drive an Awareness Campaign

International best practices across security programmes such as ISO/IEC 27001 require businesses to continually drive awareness throughout the enterprise. Why? Because people need reminding. Recently, even NATO was hacked when a senior official fell prey to a spear phishing ploy, causing top secret information to be compromised. Awareness comes in many forms: sending monthly news bulletins, creating log-in banners, setting up screen saver reminders about the importance of security, affixing security-minded posters in public places, sending out short and entertaining video clips, and delivering security remarks at townhall meetings.

Step 7: Educate Your Business with Training

Awareness is not training, and training is not awareness. As noted, awareness messages are short reminders about the importance of remaining vigilant. In contrast, training involves the impartation of knowledge from a curriculum. Security training at companies requires all new employees to take an online, half-hour security training course that teaches coursework with clear objectives. In some cases, training is followed by a short assessment (or quiz) to test an individual’s understanding and retention of the material. This is recommended for all of your company’s employees. Training is normally updated annually, because the curriculum changes every 12 months due to the quickly evolving landscape on this front.

Step 8: Conduct a Spear Phishing Campaign

The true test of an organisation’s weakest link is to conduct a spear phishing campaign. Many organisations like to do this earlier than later, because conducting a spear phishing campaign measures improvement over time and demonstrates continued cultivation. But remember this: conducting a spear phishing campaign is complex, and it is beyond the scope of this write-up to provide guidance about how to do it ethically and properly. It’s best to employ a certified, ethical hacking organisation. You can employ us at Allendevaux & Company or you can use another ethnical hacking firm, but either way, consider making this practice part of your overall programme. There’s no better way to drive awareness and foster vigilance than by conducting a legitimate spear phishing campaign. The results are always an eye-opener to all involved, resulting in a heightened security-minded culture.

Concluding Thoughts

As the snow continued to fall throughout the day in New York City, the cybersecurity team was astonished that no one from the Switzerland campus reported the “fishy” spear phishing activity to anyone. In fact, the campaign ran its course as 70% of students and faculty alike clicked on the link. Furthermore, more than one in three individuals provided their secret access credentials to the university’s platform. Since faculty and students used the same password across other systems, it permitted white hackers to gain further access to numerous online services including email, bank accounts, campus services, passport numbers, medical records, Facebook, Snapchat, Instagram, Youtube, Qzone, Twitter, and others. No one realised what had happened all day and into the next day, until they were eventually told.Needless to say, when the campus held a townhall meeting, this was a topic of discussion on the agenda. Hearing what had unfolded, and how one-out-of-three colleagues had fallen prey to the organised scheme, both students and faculty alike were stunned. Individuals were encouraged to change their passwords immediately, told to enable multifactor authentication, and taught how to practice security vigilance. Since that time, the campus has been transformed into a likeminded community, understanding the importance of security vigilance practiced individually and corporately.It’s true. Security is more than something the IT group does; it requires the vigilance of everyone. But it must start with you and include your company’s top management. Top management is the driving force for this effort, protecting not only the identities of employees and customers, but fostering a security-minded culture that will last a lifetime for everyone involved.

A Brief Recap Before You Leave

  • Instead of forced entry, spear phishing aims to trick users into giving their key to hackers.
  • You don't have to take the bait. Spear phishing can be avoided if you know how to look for it.
  • Security isn't something that's just for IT. Security is a culture and needs to flow from the top down.
  • Remember, the goal isn't to make things difficult for people in your organisation. The goal is to protect your people.



    We know there was a lot of information mentioned above. If you would like assistance with what you've read and want to put it into practice, feel free to contact us and we can discuss further details.

    Person Waving.png