Manager office expert
01 January 2021 / Elaboration

Even experts fear 'spear phishing'

Computer scientist Jeroen Baert is certain: everyone can be targeted by hackers. Even the experts who know how spear phishing works.

It often strikes me how, at times when most attention seems to go to clever exploitation methods with remarkable names (WannaCry! Heartbleed! Spectre!), it is often the comparatively rather mundane house, garden and kitchen methods by which malware can reach a system, that are still the most efficient hacker techniques. Yet they seldom receive much attention, despite the fact that, according to statistics, those are precisely the methods that should be watched more closely.

The technique of phishing, for instance, is as old as the internet itself but the exact way of tackling it, its volume and type of phishing emails are constantly evolving. Phished, with its comprehensive database, is in a unique position to measure and analyse the impact of phishing in a non-destructive manner, and confirms this tendency.

Most efficient tactic: how spear phishing works

It is not surprising that “Spear Phishing” – the specialised, intensive, crafted form of phishing – impacts targets the most. I am convinced that even the most vigilant users – including the experts to which I humbly count myself – can be successfully spear-phished. One unguarded moment and an attacker using a valid method of approach is enough. The most recent hacking scandal at Twitter – where a few employees were personally approached for many months – proves this. The fact that phishing taps into current affairs is to be expected as well and, in addition, one cannot avoid the effects of COVID-19 this year, of course.

An excellent example is the increase in successful phishing attempts by using the traditional “you have a parcel ready to be collected”. If many people are compelled to impatiently sit at home (during lockdown or in quarantine), waiting for urgent parcels from the handful of delivery services in our small country, then phishers will quickly be able to find a victim in such a vulnerable situation.

One unguarded moment and an attacker using a valid method of approach is enough.

Work from home

The transition to teleworking has also caused an increase in email traffic, which has added a whole series of new tools and platforms with which employees needed to quickly familiarise themselves in order to be able to fulfil their tasks. Unfortunately, anti-spear phishing training often wasn't a focus when training employees on those new tools.

Working with online storage, payments, new accounts for meeting services, etc. are new additions to the series of scenarios that phishers can use to their advantage. And, thanks to automation, (there are ready-made phishing packages on sale in the darker corners of the internet), with minimum effort, a phisher can put out a maximum of “phishing lines” for such scenarios, each of which contains variations on the millions of forms of interaction that we perform through our mailbox every day.

Awareness is key

In order to prevent spear phishing attacks, we must focus on raising awareness, limiting damage and being able to verify communication. I hope that, in future, efforts will be made not only to conduct the necessary awareness-raising campaigns and strong IT management, but also to encourage interaction between sender and recipient: to make clear arrangements on how you as a company will communicate internally and externally and what user-friendly cryptographic tools you will use in this regard. Attempts have already been made in this respect in the past, which – although technically solid – were all too often merely academic exercises without any follow-up because end-users were not always technically literate.

Where phishing is concerned, one may not always raise a pedantic finger and shift the responsibility onto the shoulders of the “stupid end user” who opens the phishing message. This is a battle that we must fight on all fronts and it is vital that we understand the phishers’ techniques (and success ratio). I am convinced that companies such as Phished have an important role to play in this regard.