Spear phishing: The targeted threat executives need to know about

While phishing can be done on a mass scale, sending emails to purchased or stolen email lists – there is a similar threat that is far more precise: spear phishing.  

Unlike its broader counterpart, phishing, spear phishing is a more targeted form of attack. Here's what you need to know.

What is spear phishing?

Unlike traditional phishing, which is more of a spray and see what sticks approach, cyber criminals focus on a specific individual or organisation. These emails are meticulously crafted, using detailed information about the target to make the message appear legitimate and convincing.

Why is spear phishing more dangerous?

Personalisation: Spear phishing emails often use personal details, such as the target's name, job title, or recent activities, to craft a believable narrative. This level of customisation can make it challenging for recipients to distinguish between a legitimate email and a spear phishing attempt.  

High-value targets: Spear phishers often target individuals with access to sensitive information or financial resources. This includes c-suite executives, managers, and other high-ranking staff such as finance and accounting staff. A successful attack on such individuals can lead to significant financial losses or unauthorised access to confidential data.

Sophistication: Spear phishing attacks are often backed by thorough research. Cyber criminals might study a target's social media profiles, company websites, and other public sources to gather information. Criminals use the same OSINT (open-source intelligence) techniques that investigators use, but they use it to get to know the victim and their movements.

The risk of digital impersonation

Spear phishing often manifests through Business Email Compromise (BEC) and impersonation tactics. In BEC attacks, cyber criminals compromise or mimic corporate email accounts to deceive employees, partners, or vendors into executing unauthorised transactions or revealing sensitive information. Impersonation, on the other hand, involves the attacker posing as a trusted individual, such as a colleague, executive, or vendor, to manipulate the target into taking a specific action.  

These tactics exploit the trust and familiarity inherent in professional relationships, making them particularly effective. The tailored nature of these attacks, using personal details, makes them challenging to detect and underscores the importance of vigilance and continuous security awareness training.

Why should executives be particularly concerned?

1. Access to sensitive Information: Members of the c-suite often have access to a company's most sensitive and therefore, valuable information. This makes them prime targets for cyber criminals.

2. Reputation at stake: A successful spear phishing attack can lead to significant reputational damage. If an executive falls for such an attack, it can erode trust among stakeholders, customers, and the public.

3. The Domino effect: If an executive's account is compromised, it can be used to launch further attacks within the organisation. This can lead to a cascading effect, where multiple individuals or departments become compromised, and can lead to an organisational shut down.

The overlooked threat to executive assistants (EA) and admin staff

While the C-suite holds the keys to the kingdom, EAs and administrative staff are the gatekeepers. They manage schedules, communicate on behalf of executives, and often have access to sensitive information, and even their accounts. This makes them attractive, sometimes more so, targets for spear phishers.

Access to Sensitive Information: EAs and admin staff often handle confidential documents, emails, calendars and other forms of communication.  

Trust and Communication: Given their roles, EAs and admin staff are trusted by the C-suite. Cyber criminals can exploit this trust by compromising the EA's account and sending malicious requests or information to executives. They could even ask the EA to send the request on their own behalf to the executive, meaning they are less likely to question it, as it’s business as usual.

Volume of communication: Due to the sheer volume of emails and requests they handle daily, EAs and admin staff might overlook subtle signs of spear phishing attempts.

How to protect yourself and your organisation

Education and Training: Regularly train and educate employees about the dangers of spear phishing. Use real-world examples and conduct phishing simulations to keep everyone vigilant.

Examine your digital footprint: What clues are you leaving online? Try not to post your every move on social media, check that your out of office auto reply doesn’t give specific information.

Multi-Factor Authentication (MFA): Implement MFA wherever possible, especially on BYO devices. This adds an additional layer of security, ensuring that even if login details are compromised, unauthorised access is still prevented. Even better, ensure that all devices are enrolled in a mobile application management (MAM) policy.

Email Filtering: Use advanced email filtering and triage solutions that can detect and block phishing and spear phishing attempts.

Spear phishing is a significant threat, as organised cyber criminals have the resources to put the time into the research and execution required to succeed. Technical safeguards are a great first step, but security awareness and knowing how to spot an attempt will be an even bigger barrier to the phishers attempts.

‍