João Machado
Cybersecurity Analyst

Phishing is one of the most common forms of cybercrime. In this type of attack an attacker tries to steal sensitive information, such as usernames, passwords or any other private data, which is then used directly or sold.

It is usually done by sending large volumes of emails, text messages or social-network messages claiming that some information is needed from the recipient and that urgent action is required. When the link is clicked, the victim is sent to a fake, malicious website.

Spear-phishing is a subset of phishing in which, instead of sending large quantities of emails or text messages, the attacker identifies a specific target and sends a carefully crafted message to get that person to act. These attacks require more effort, because the attacker first needs to gather as much information about the victim as possible.

The message can include the victim's name, the names of close relatives, professional details or even a supposed family emergency: whatever it takes to create a sense of urgency that leads the victim to click on the link.

Current figures 

There are some alarming statistics that highlight just how widespread and damaging these attacks have become:  

  • In 2023, almost 94% of organizations worldwide faced spear-phishing attacks. This figure highlights the frequency with which attackers use customized tactics to breach defenses.  
  • According to IBM's Cost of a Data Breach Report 2023, spear-phishing attacks can cost companies an average of 4.91 million dollars, due to the length of time they often go undetected.  
  • Spear-phishing emails have a higher success rate, with open rates of 50%, compared to just 12-14% for more general phishing attempts.  
  • A significant proportion of spear-phishing campaigns, 43%, result in stolen credentials, according to the 2022 Verizon Data Breach Investigations Report. These credentials are often used to gain deeper access to company networks, allowing attackers to expand their operations even further.  
  • The FBI's 2022 Internet Crime Report found that business email compromise (BEC), which is usually initiated by spear-phishing, caused more than 2.7 billion dollars in losses in 2022 alone.
  • Spear-phishing emails comprise less than 0.1% of all emails sent, but cause 66% of all data breaches.  
  • One of the reasons spear-phishing is so effective is that it exploits human error: around 85% of successful attacks involve manipulating the victim.

How it works  

As with almost all scams, spear-phishing usually aims to make money. Attackers do this by tricking the victim into making a payment, or by luring them to a fake website where they enter their credentials.

However, campaigns can sometimes have other harmful objectives: 

  • Spreading malware - an intruder impersonates someone from the company to get the victim to open an email attachment. If the victim opens the file, it installs the malware.
  • Credential theft - instead of stealing your bank credentials to take money, a cybercriminal obtains your company credentials in order to stage a larger attack.
  • Information theft - an attacker impersonates a colleague and asks for sensitive reports.

Once the objective has been defined, the attackers choose a target that suits it: a wealthy individual if the objective is simply money, or a specific IT employee if the aim is access to confidential documents. Next, the cybercriminal thoroughly researches the target and drafts the message.

Real world examples  

1- Fraud at the Institute for the Financial Management of Education (iGeFe) in Portugal 

In June 2024, a fraud at iGeFe led to 2.5 million euros being transferred to the wrong bank account, in three transfers to a different IBAN. The error was only discovered when the company that provided IT services to iGeFe complained that it had not been paid.

This was a typical case of invoice fraud, a form of business email compromise (the term "CEO fraud" is normally reserved for attackers who impersonate an executive). The attacker posed as an employee of the company holding the contract and sent a well-crafted email with correct references, invoices and payment deadlines, but asked for payment to be made to another IBAN. The victim's services accepted the new IBAN without proper validation, such as confirming the change with the supplier through a contact already on file, so the attack succeeded.

2- Fraud in Viseu City Council's energy bill  

Viseu City Council, in Portugal, was the victim of a sophisticated fraud scheme that resulted in a loss of almost 600,000 euros.

The attackers intercepted a genuine Galp Energia invoice and altered it so that a new "Galp" IBAN was registered in the municipality's supplier database. The new IBAN belonged to the same bank as the previous one, so as not to arouse suspicion.

The fraud was detected when Galp noticed that the payment had not arrived. The municipality sent a copy of the payment request, together with proof of payment and the IBAN used, only to discover that the IBAN was wrong: someone had intercepted a Galp document and sent a modified copy to the municipality to change the IBAN.

3- Spear-Phishing posing as Portuguese ambassadors   

In 2022, an international incident took place in which emails purporting to come from Portugal were sent to several ambassadors of NATO countries.

The emails carried the Portuguese coat of arms and linked to a malicious HTML file. To appear more credible they were written in English and used common storage services such as Dropbox or Google Drive to host the malware. When the victim opened the link, the malicious file ran and installed a backdoor on the computer.

Prevention  

Phishing attacks are notoriously difficult to defend against because traditional security tools often fail to identify them. Spear-phishing is even harder to block: its targeted, personalized approach makes the fraudulent message look credible to people (and to some tools as well). In both cases, awareness campaigns teach users to recognize these messages and report them, rather than replying to or complying with them.

Reasons to suspect spear-phishing:

  • The message creates a sense of urgency or panic.
  • It asks for sensitive information.
  • Its hyperlinks are oddly written or formatted, or hovering the mouse over them shows a destination that does not match the link text.
  • It carries attachments you did not request.
  • It uses a pretext, such as claiming that your login credentials are about to expire.

Security training and awareness are key to avoiding any kind of phishing attack, especially now that many users work from home. But even the best-trained and most aware employees will occasionally click on a malicious link, either because they were in a hurry or because the link was very convincing.

To reduce the likelihood of a successful spear-phishing attack, it is necessary to:  

  • Hold training sessions covering techniques for recognizing suspicious emails and tips for avoiding oversharing on social networks, which makes it harder to gather information about you.
  • Draw up and enforce anti-fraud policies and processes, such as not opening unsolicited attachments and confirming any change of a supplier's bank details through a contact already on file rather than the one given in the message.
  • Have identity and access management in place, such as role-based access control and multifactor authentication, so that a stolen password alone does not give cybercriminals access to user accounts. Bear in mind that one-time codes can still be relayed by a phishing page in real time; phishing-resistant methods such as FIDO2 security keys or passkeys do not have this weakness.
  • Analyze the properties of incoming messages, including the SPF, DKIM and DMARC results in the authentication headers and any attachments, to detect anything malicious.
  • Carry out phishing and spear-phishing simulations from time to time.

Conclusion

In short, spear-phishing remains a serious threat, as its widespread impact and financial consequences show. Its personalized nature and exploitation of human error make it particularly dangerous, and most successful attacks rely on manipulating the victim.

To combat these attacks effectively, organizations and individuals must adopt robust prevention strategies: comprehensive training programs, strict security policies and the deployment of appropriate technical controls.

With the threat landscape continuing to evolve, continuous training and adaptation of security practices are crucial to maintaining strong defenses against these cyber threats. 
