Spear Phishing in the Big Bad Ocean

August 19, 2016

If you’re a fish swimming around in the ocean, your survival requires constant vigilance and attention to the dangers lurking nearby. If you’re a business in the real world, your survival also requires constant vigilance and an awareness of the kinds of dangers that are ever present.

Let's take this analogy a step further. As a fish, let's say a delicious sea bass, you have to deal with the natural dangers of being a fish — e.g. the things that will try to eat you, such as other fish, birds, seals, whales, etc… Businesses deal with the same kinds of natural or environmental challenges — let's call these things competition, regulation, financial constraints, or technology constraints. Whether you are a fish or a business, you've got a lot to worry about if you want to survive.

Fish have this other problem though — highly intelligent creatures that don’t exist in their natural environment, but are still there to catch them, roast them on a stick, and finally devour them. People have been fishing for millennia, and have invented very creative ways to take a fish from the sea and put it on their dinner table.

The overall objective is to gather the most protein with the least effort, which means that people can concentrate on catching a lot of small fish at once (i.e. net fishing) or they can focus on catching one big fish at a time. There are a lot of ways to catch one big fish at a time, but for purposes of comparison let's pretend the best method is to use a spear. After all, people do use spears to catch fish — just like this guy.

Not everyone can do it with this much gusto.

What we've seen most often in the world of hacking is "net fishing". Hackers or scammers will send a ton of emails to a ton of people, hoping that some small percentage of those people will click through the links in their email and allow the bad guys to steal something. This type of scam, as you are probably well aware, is called phishing.


More recently we’ve seen another trend in hacking and scamming — something that’s been dubbed “spear phishing”. Just as the real spear fisherman carefully seeks out and stalks his prey, ensuring that he has the right size and type of fish, the online “spear phisherman” meticulously researches his target and ensures an accurate strike with a calculated move.

Here's how it works. A bad guy will find a target — usually an organization that is not too big or risky (you probably wouldn't spear-fish a great white). They will then research the organization to understand who is involved and what types of activities are common internally. They'll find information such as the names of customers, partners, or vendors. Then they'll use this information to deliver a very targeted attack.

For example, using an email account that is very similar to the CFO’s, they will send the accounts payable department a message requesting $50,000 be sent immediately to vendor ABC for services XYZ. The fake CFO will provide explicit permission and direction, as well as create a sense of urgency, in order to get the payment sent as quickly as possible. They may even have a line such as, “I’m currently headed up to my cabin, so I won’t have cell/internet reception, but I forgot to get this payment out and it needs to go out today. Please make sure it gets sent. Use this email as authorization. Thanks, have a great weekend.”

A recent example of a successful spear phishing campaign is this story of two counties in Utah that were taken for thousands of dollars each.


As another example of spear phishing tactics, a friend of mine who works in private wealth management shared an experience that his firm has encountered frequently. Oftentimes their account representatives will receive emails or even phone calls from people posing as their clients. They will ask the account rep to quickly wire funds to a specified account, and will try to create a sense of urgency. Many times when the call comes over the phone, the fraudsters do a very good job of mimicking the voice of the firm's clients. They will know intimate details about their clients, such as the names of their children and pets, and where they are traveling at the moment.

Luckily for my friend's firm, they have yet to be deceived by these spear phishing attacks. The reason is actually not so much luck as the controls they've put in place to prevent this very type of fraudulent activity. At this particular firm, the account representatives are required to follow a set protocol directly following any call or email requesting that funds be moved, including a call to the client at the phone number on record, followed by a series of security questions only the client would know.

Organizations should take the same precautionary measures to ensure they too are not victimized by spear phishing. Requests for funds should be followed by controls to verify the requester, the payee, and the purpose of the payment. Employees should be trained to expect these types of phishing attacks, just as they are trained not to open or click on spam emails.

While using a net allows hackers and scammers to attack a much broader set of victims, using a spear allows them to focus in on one specific target. The information they have will allow them to strike quickly and without warning. The best defense is to ensure your organization's controls are designed such that a spear phishing attack causes red flags to go up quickly. These red flags should trigger standard protocols, which should in turn thwart the attack.
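To make the "red flags trigger standard protocols" idea concrete, here is an added example (not code from the original post or from Whistic) of a small intake check an accounts-payable mailbox could run on an incoming request. It encodes the two controls described above: every request to move funds is routed to an out-of-band callback to the requester at the number on record, and a request whose sender looks like an executive but comes from a different or lookalike address is held and reported instead. The company domain, the approver directory, the urgency phrases and both sample emails are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the "fake CFO" message the post describes:
# a lookalike domain (examp1e vs example), urgency, and "use this email as authorization".
SUSPICIOUS_EMAIL = """\
From: Pat Smith <pat.smith@examp1e-corp.com>
To: ap@example-corp.com
Subject: Urgent wire today

Please wire $50,000 to vendor ABC for services XYZ today. I'm headed to my cabin
and will be out of cell reception. Use this email as authorization. Thanks!
"""

# Constructed sample of a routine request from the real approver address.
LEGIT_EMAIL = """\
From: Pat Smith <pat.smith@example-corp.com>
To: ap@example-corp.com
Subject: October invoice

Please pay $12,000 to Acme Supplies for the October invoice in the normal cycle.
"""

# Hypothetical organisation data: the real mail domain and who may approve payments.
COMPANY_DOMAIN = "example-corp.com"
AUTHORISED_APPROVERS = {"pat smith": "pat.smith@example-corp.com"}

# Cues of pressure or unreachability, the social-engineering pattern the post quotes.
URGENCY_PHRASES = ("immediately", "today", "urgent", "asap", "out of cell",
                   "no reception", "use this email as authorization")
# A verb asking for money followed somewhere by a dollar amount.
PAYMENT_PATTERN = re.compile(r"\b(wire|transfer|send|pay)\b.*?\$\s?\d[\d,]*", re.I | re.S)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_payment_request(raw: str) -> dict:
    """Return the red flags raised by one email and the protocol step it triggers."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    sender_flags = []
    expected = AUTHORISED_APPROVERS.get(display.strip().lower())
    if expected and addr != expected:
        sender_flags.append(f"display name matches approver but address differs: {addr} vs {expected}")
    if domain != COMPANY_DOMAIN and 0 < levenshtein(domain, COMPANY_DOMAIN) <= 2:
        sender_flags.append(f"lookalike sender domain: {domain}")

    content_flags = []
    urgency = [p for p in URGENCY_PHRASES if p in text]
    if urgency:
        content_flags.append("urgency/unreachability cues: " + ", ".join(urgency))
    is_payment = bool(PAYMENT_PATTERN.search(text))
    if is_payment:
        content_flags.append("requests a money transfer")

    # Protocol: a funds request always gets a callback to the number on record;
    # a suspicious sender means the request is held and reported, not just verified.
    if is_payment and sender_flags:
        action = "hold_and_report"
    elif is_payment:
        action = "verify_out_of_band"
    else:
        action = "none"
    return {"sender": addr, "flags": sender_flags + content_flags, "action": action}


if __name__ == "__main__":
    for sample in (SUSPICIOUS_EMAIL, LEGIT_EMAIL):
        result = assess_payment_request(sample)
        print(result["sender"], "->", result["action"])
        for flag in result["flags"]:
            print("  -", flag)
```

The point of the design is that the benign message still ends in a callback: the firm in the story does not rely on spotting the fraud, it verifies every funds request the same way, and the sender checks only decide how loudly the alarm sounds.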

There's plenty of competition to worry about in the ocean, so let's make sure we're protected from outside threats and can focus on what moves us forward.

Whistic is an award-winning risk assessment and analytics platform that makes it easy for companies to assess service providers or self-assess against compliance and security standards (e.g. PCI DSS). Headquartered in Orem, Utah at the heart of the Silicon Slopes, Whistic is the creator of the CrowdConfidence™ scoring algorithm that leverages the wisdom of crowds to assess the residual risk of sharing data with a vendor. Whistic was the recipient of the "Best Enterprise" award at the World's Largest Startup Event: Launch Festival 2016.

For more information about Whistic, visit: https://www.whistic.com.
