Anatomy of a spear phishing attack – with example scam

With cyber crime quickly becoming a top priority for organisations, IT admins have felt the pressure to invest in network defences and ensure their systems aren’t breached.

But those measures aren’t much help when criminals use phishing scams to bypass organisations’ defences and hit them where they’re most vulnerable: their employees.

Fraudsters have countless tricks up their sleeve when targeting people for attacks, but perhaps the most dangerous is spear phishing. Let’s take a look at how it works, along with an example to help you spot the clues of an attack.

What is spear phishing?

Spear phishing is a form of email attack in which fraudsters tailor their message to a specific person.

They can gather the information they need to seem plausible by researching the target online – perhaps using Facebook, LinkedIn or the website of the target’s employer – and imitating a familiar email address.

Spear phishing is harder to detect than regular phishing scams, because although messages contain the same clues as any phishing attack, the fact that they are addressed specifically to the target assuages suspicions that they are bogus.

However, other than creating a false sense of security, the attack works in the same way as any other type of phishing scam. The message will either contain an attachment infected with malware or direct the recipient to a malicious website, which might inject malware into the browser or request user credentials through spoofing.

Proofpoint’s 2019 State of the Phish Report found that 83% of respondents were hit by at least one spear phishing attack in the last year. This shows just how hard it is to identify and properly respond to targeted email threats.

An example of a spear phishing email

Here’s an example of a real spear phishing email. You can see the whole message below, followed by a breakdown of the text showing how you can tell that the message is bogus.

Subject: Domain Notification for [website] : This is your Final Notice of Domain

Attention: Important Notice , DOMAIN SERVICE NOTICE
Domain Name: [website]

ATT: [name redacted]
[website redacted]
Response Requested By
5 – Nov. – 2018

PART I: REVIEW NOTICE

Attn: [name]

As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it’s time to send in your registration.

Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.

Privatization allows the consumer a choice when registering. Search engine registration includes domain name search engine submission. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.

This Notice for: [website] will expire at 11:59PM EST, 5 – Nov. – 2018 Act now!

Select Package:
[website link redacted]

Payment by Credit/Debit Card

Select the term using the link above by 5 – Nov. – 2018
[website]

Spotting the signs of spear phishing

Did you see the clues that the email was fake? And what about the tricks the scammer used to make the message look genuine? Let’s take a closer look at the message, beginning with the subject line:

“This is your Final Notice”

Right from the start, the criticality of this email is established in my mind. I’m also concerned as it looks like I’ve missed a previous notice.

“Attention: Important Notice”

The importance of this email has been set.

“Domain Name: [website]”

It’s the correct domain, indicating this email is indeed relevant to me.

“ATT: [name]”

Correct name also; must be legit and specific to me personally.

“As a courtesy”

They’re doing me the service. Sounds decent and generous.

“This letter is to inform you that it’s time to send in your registration.”

Sounding official now and the time pressure is being ramped up. It’s also trying to soften me up to part with personal information.

“Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web.”

If I don’t comply quickly (time pressure again), there’s going to be an adverse impact on me and I’ll lose customers. This could potentially hit me in the pocket!

“Search engine registration includes domain name search engine submission.”

They’re going to perform some sort of important-sounding service for me.

“Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web.”

Really mixed messages here. An instruction not to “discard” this important “notice” but no pressure, as this isn’t a request for money (“not an invoice”) but just a generous and selfless “courtesy” and “reminder” that will benefit me.

“This Notice for: [website] will expire at 11:59PM EST, 5 – Nov. – 2018 Act now!”

Time pressure cranked up to maximum. No need to think; just act now before it’s too late.

All the above are typical examples of emotional manipulation. This is classic spear phishing.

I didn’t click the link and hand over my payment card details, because it raised all manner of red flags. Instead, I googled the link, which confirmed my suspicions.

Sadly, some would have fallen for it simply through a lack of training and awareness.
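The cues the breakdown above walks through (urgency, authority, fear of loss, "courtesy", a payment lure and the "not an invoice" disarming line) can be turned into a simple triage rule that warns a recipient before they click. The following is an added example, not code from the article or any vendor, that scores a message against those cues and runs it over an abridged copy of the scam shown above; the phrase list and thresholds are assumptions chosen for this example.

```python
import re

# Manipulation cues from the breakdown above, grouped by tactic. Text is lower-cased
# before matching, so the patterns are written in lower case. (Added example.)
CUES = {
    "urgency": [r"\bfinal notice\b", r"\bact now\b", r"\bwill expire\b",
                r"\bby the expiration date\b", r"\bresponse requested by\b"],
    "authority": [r"\bimportant notice\b", r"\bdomain service notice\b",
                  r"\bthis letter is to inform you\b"],
    "fear_of_loss": [r"\bcancellation\b", r"\bfailure to complete\b",
                     r"\bdifficult for your customers to locate you\b"],
    "reciprocity": [r"\bas a courtesy\b", r"\bcourtesy reminder\b"],
    "payment_lure": [r"\bpayment by credit/debit card\b", r"\bselect package\b",
                     r"\bselect the term\b"],
    "disarming": [r"\bnot an invoice\b", r"\bdo not discard\b"],
}
# A hard deadline written like "5 – Nov. – 2018"; the scam repeats it three times.
DEADLINE = re.compile(r"\b\d{1,2}\s*[–-]\s*[a-z]{3}\.?\s*[–-]\s*\d{4}\b")

def score_message(subject, body):
    # Returns per-tactic hit counts, how often a deadline is repeated, and a verdict.
    text = f"{subject}\n{body}".lower()
    hits = {}
    for tactic, patterns in CUES.items():
        n = sum(1 for p in patterns if re.search(p, text))
        if n:
            hits[tactic] = n
    deadlines = len(DEADLINE.findall(text))
    score = sum(hits.values()) + deadlines
    # Several distinct tactics, or urgency paired with a request to pay, is the signature
    # the breakdown describes: warn the recipient rather than just logging it.
    if len(hits) >= 3 or {"urgency", "payment_lure"}.issubset(hits):
        verdict = "flag"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "clean"
    return {"score": score, "tactics": hits, "deadline_mentions": deadlines, "verdict": verdict}

# The article's scam, abridged to the lines the breakdown quotes (sample input).
SAMPLE_SUBJECT = "Domain Notification for [website] : This is your Final Notice of Domain"
SAMPLE_BODY = """Attention: Important Notice , DOMAIN SERVICE NOTICE Response Requested By 5 – Nov. – 2018
As a courtesy to domain name holders, we are sending you this notification.
This letter is to inform you that it's time to send in your registration.
Failure to complete your Domain name search engine registration by the expiration date may
result in cancellation of this offer making it difficult for your customers to locate you on the web.
Do not discard, this notice is not an invoice it is a courtesy reminder.
This Notice for: [website] will expire at 11:59PM EST, 5 – Nov. – 2018 Act now!
Select Package: [website link redacted] / Payment by Credit/Debit Card
Select the term using the link above by 5 – Nov. – 2018"""

if __name__ == "__main__": print(score_message(SAMPLE_SUBJECT, SAMPLE_BODY))
```

A mail gateway or add-in would use the verdict to attach a warning banner to "flag" messages and queue "review" ones for a human, which is the point at which the training described below pays off.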

Teach your staff to spot phishing emails

You can help educate employees on the threat of phishing and what they can do to mitigate the risk by enrolling them on our Phishing Staff Awareness E-Learning Course.

This 45-minute course uses examples like the one above to explain how phishing emails work, the clues to look for and the steps to take to avoid falling victim.

You might also benefit from a comprehensive review of your approach to cyber security. Our Security Awareness Programme does just that, helping you generate tangible and lasting improvements to your organisation’s security awareness.

It combines a learning needs assessment to identify the areas that your organisation should focus on, with a series of tools and services to address problems as they arise, including hands-on support from a specialist consultant, pocket guides and e-learning courses.

Find out more about our Security Awareness Programme >>