João Machado
Cybersecurity Analyst

Phishing is one of the most common forms of cybercrime. In this type of attack, the attacker tries to steal sensitive information, such as usernames, passwords or any other private data, which is then used by the attacker or sold on.  

This is usually done by sending large volumes of emails, text messages or social-network messages that ask the user for some information or for urgent action. When the link is clicked, the victim is taken to a fake, malicious website.  

Spear-phishing is a subset of phishing in which, instead of sending large volumes of emails or text messages, the attacker identifies a specific target and sends carefully crafted emails to prompt that person to take action. These attacks require more effort, because the attacker needs to gather as much information as possible about the victim.  

These emails may mention the victim's name, the names of close family members, professional details or even a family emergency: whatever is needed to create a sense of urgency that leads the user to click on the link.  

Current numbers 

There are some alarming statistics that highlight how widespread and damaging these attacks have become:  

  • In 2023, nearly 94% of organizations worldwide faced spear-phishing attacks. This figure shows how often attackers use tailored tactics to breach defenses.  
  • According to IBM's Cost of a Data Breach Report 2023, spear-phishing attacks can cost companies an average of $4.91 million, largely because they often go undetected for a long time.  
  • Spear-phishing emails have a higher success rate, with open rates of 50%, compared to just 12-14% for more general phishing attempts.  
  • A significant share of spear-phishing campaigns, 43%, result in stolen credentials, according to the 2022 Verizon Data Breach Investigations Report. These credentials are then used to gain deeper access to company networks, allowing attackers to expand their reach.  
  • The FBI's 2022 Internet Crime Report highlighted that business email compromise (BEC) attacks, often initiated by spear-phishing, resulted in more than $2.7 billion in losses in 2022 alone.  
  • Spear-phishing emails make up less than 0.1% of all emails sent, but cause 66% of all data breaches.  
  • One of the reasons spear-phishing is so effective is its ability to exploit human error. A staggering 85% of successful attacks can be attributed to manipulation of the victim. 

How it works  

As with almost all scams, spear-phishing typically aims to extract large sums of money, either by tricking the victim into making a payment or by luring them to a fake website where they enter their credentials.

However, sometimes campaigns can have other harmful goals: 

  • Spreading malware – an attacker might pose as someone from a company to trick the victim into opening an email attachment. If the victim opens it, the file installs the malware.  
  • Credential theft – instead of stealing your bank credentials to take money, a cybercriminal could obtain your company access credentials to stage a larger cyberattack.  
  • Information theft – an attacker may pose as a colleague and ask you for sensitive reports. 

After defining their objective, the attackers choose a suitable target: a wealthy individual if the goal is simply money, or a specific IT employee if the goal is access to confidential documents. The cybercriminal then researches the target thoroughly and crafts the email message. 

Real-world examples  

1- Fraud at the Institute of Financial Management of Education (iGeFe) in Portugal 

In June 2024, a fraud at iGeFe resulted in 2.5 million euros being transferred to the wrong bank account, in three transfers to another entity's IBAN. The error was discovered when the company providing IT services to iGeFe complained that it had not been paid.  

This was a typical case of business email compromise in its supplier-impersonation form. The attacker posed as the supplier's employee responsible for the contract and sent a well-crafted email with accurate references, invoices and payment terms, but asked for payment to be made to a different IBAN. The victim's services accepted the new IBAN without verifying it through an independent channel, and the attack succeeded. 

2- Energy-bill fraud at Viseu City Council  

Viseu City Council, in Portugal, was the victim of a sophisticated fraud scheme that resulted in losses of almost 600,000 euros.   

The attackers intercepted a genuine Galp Energia invoice and altered it so that a new "Galp" IBAN would be registered in the municipality's database. The new IBAN belonged to the same bank as the previous one, so as not to arouse suspicion.  

The fraud was detected when Galp noticed that the payment had not arrived. The municipality sent a copy of the payment request, along with proof of payment and the corresponding IBAN, only to discover that the IBAN was not Galp's. Someone had intercepted a Galp document and sent it to the municipality to change the IBAN on file. 
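Both cases above turn on the same missing control: a supplier's bank details were changed on the strength of a document that arrived by email. The following is an added example, not code from the article or from the institutions named, of the check a payments team can put in front of such a change. The vendor record, the phone number and the IBANs are constructed (they pass the ISO 13616 checksum but are fictitious), and the bank-code slice assumes the Portuguese IBAN layout.

```python
"""Gate on supplier bank-detail changes: the control missing in the two cases above.
Added example, not code from the article or from the institutions named; the
vendor record, phone number and IBANs are constructed for illustration."""
import re

def iban_valid(iban):
    """ISO 13616 structural check: country code, two check digits, mod-97 == 1."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])  # A=10 ... Z=35
    return int(digits) % 97 == 1

def bank_code(iban):
    """Bank identifier: the four characters after the check digits (Portuguese
    layout; assumed to be a good enough approximation for the other countries here)."""
    return re.sub(r"\s+", "", iban).upper()[4:8]

def review_payment(vendor, request):
    """Decide what to do with a payment request that arrived by e-mail.

    vendor  - record on file: {"iban": ..., "phone": ...}, captured at onboarding
    request - what the e-mail asks for: {"iban": ..., "amount": ...}
    Returns (decision, reason). "hold" means: confirm by calling the number on
    file, never one taken from the e-mail, before the record is changed.
    """
    new = re.sub(r"\s+", "", request["iban"]).upper()
    if not iban_valid(new):
        return "reject", "IBAN fails the structural check"
    if new == vendor["iban"]:
        return "pay", "IBAN matches the record on file"
    # Any change is a hold. A valid checksum and the same bank prove nothing:
    # the attacker's account is a real account, as in the Viseu case.
    if bank_code(new) == bank_code(vendor["iban"]):
        why = "same bank, different account"
    else:
        why = "different bank"
    return "hold", f"IBAN changed ({why}); verify by phone on {vendor['phone']} before paying"

# Constructed vendor record (the IBAN is structurally valid but fictitious).
VENDOR = {"name": "IT services supplier", "iban": "PT50000201231234567890154",
          "phone": "+351 210 000 000"}

if __name__ == "__main__":
    for req in ({"iban": "PT50 0002 0123 1234 5678 9015 4", "amount": 12500},
                {"iban": "PT84 0002 0123 9876 5432 1001 1", "amount": 12500},
                {"iban": "GB82 WEST 1234 5698 7654 32", "amount": 12500},
                {"iban": "PT84 0002 0123 9876 5432 1001 2", "amount": 12500}):
        print(req["iban"], "->", *review_payment(VENDOR, req))
```

The point of the example is what the checksum does not tell you: the second request is a well-formed IBAN at the same bank and branch as the one on file, and it is still a hold. The only thing that would have stopped the iGeFe and Viseu transfers is the callback to a number captured before the email arrived.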

3- Spear-Phishing impersonating Portuguese ambassadors   

In 2022, an international incident occurred in which emails, supposedly sent from Portugal, were delivered to several ambassadors of NATO countries.  

The emails bore the Portuguese coat of arms and contained links to a malicious HTML file. To appear more believable, they were written in English and used common file-storage services such as Dropbox or Google Drive to host the malware. When the victim clicked the link, the malicious file was executed and created a backdoor on the computer. 

Prevention  

Phishing attacks are notoriously difficult to defend against because traditional security tools often fail to identify them. Spear-phishing is even harder to block, because its highly targeted and personalized approach makes the fraudulent message look credible to people (and to some tools). In both cases, training campaigns can teach users to identify and report these messages instead of responding to or complying with them.

Reasons that may make you suspicious of spear-phishing:  

  • The message creates a feeling of urgency or panic.  
  • It requests sensitive information.  
  • Poorly written or strangely formatted hyperlinks which, when hovered over, do not point to the destination they claim.  
  • Unsolicited attachments.  
  • Pretexts, such as claiming that login credentials are about to expire.  

Security training and awareness are essential to prevent any type of phishing attack, especially when many users work from home. But even the best-trained and most conscientious employees will occasionally click on a malicious link, either because they were in a hurry or because the lure was too convincing. 

To reduce the likelihood of a successful spear-phishing attack, it is necessary to:  

  • Hold training sessions covering techniques for recognising suspicious emails and advice on avoiding oversharing on social media, which makes it harder to gather information about you. 
  • Draft and enforce anti-fraud policies and processes, such as not opening unsolicited attachments and confirming any change of payment details through a known, independent channel.  
  • Have identity and access management in place, such as role-based access control and multi-factor authentication, so that stolen credentials alone do not give cybercriminals access to user accounts. Prefer phishing-resistant MFA (for example FIDO2 security keys), since one-time codes can themselves be phished by a relay site.  
  • Analyse the properties of incoming messages, including the authentication headers (SPF, DKIM and DMARC results), the links and any attachments, to detect anything malicious.  
  • Run phishing and spear-phishing simulations periodically.
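The warning signs listed under "Reasons that may make you suspicious" and the "analyse the properties of incoming messages" recommendation above can be turned into a first-pass triage. The following is an added example, not code from the article, that parses one raw message with Python's standard `email` module and reports every signal that fires: failing or missing SPF/DKIM/DMARC results, a Reply-To on another domain, a known colleague's display name on an unknown address, links whose visible text points somewhere other than the href, urgency wording, and attachment types that run or render on open. The sample message, its domains and the KNOWN_PEOPLE directory are constructed for illustration.

```python
"""Triage one raw e-mail against the spear-phishing signals listed above.
Added example, not code from the original article; the sample message, the
domains and the KNOWN_PEOPLE directory are constructed for illustration."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_PEOPLE = {"Ana Silva": "ana.silva@example.com"}  # constructed internal directory
URGENCY = ("urgent", "immediately", "within 24 hours", "expire", "suspended")
RISKY_EXT = (".html", ".htm", ".iso", ".js", ".lnk", ".exe", ".scr")

class Links(HTMLParser):  # collects (href, visible text) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.pairs, self.href, self.text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.pairs.append((self.href, "".join(self.text).strip()))
            self.href = None

def host_of(s):
    """Hostname of a URL, or the domain part of an e-mail address, lower-cased."""
    return ((urlparse(s).hostname or "") if "://" in s else s.rsplit("@", 1)[-1]).lower()

def auth_results(msg):
    """Map spf/dkim/dmarc to their verdicts from the Authentication-Results headers."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            found[method.lower()] = verdict.lower()
    return found

def triage(raw):
    """Return the findings for one raw RFC 5322 message (empty list: nothing fired)."""
    msg = message_from_string(raw, policy=policy.default)
    out = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = host_of(addr)
    # 1. Sender authentication: anything other than an explicit pass is a finding.
    ar = auth_results(msg)
    out += [f"{m} result is {ar.get(m, 'missing')} for {from_dom}"
            for m in ("spf", "dkim", "dmarc") if ar.get(m) != "pass"]
    # 2. Reply-To on a different domain than From: the reply goes to the attacker.
    reply = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply and host_of(reply) != from_dom:
        out.append(f"Reply-To domain {host_of(reply)} differs from From domain {from_dom}")
    # 3. Display-name spoofing: a colleague's name on an address we do not know.
    if name in KNOWN_PEOPLE and KNOWN_PEOPLE[name].lower() != addr.lower():
        out.append(f"display name '{name}' belongs to {KNOWN_PEOPLE[name]}, not {addr}")
    # 4. Links whose visible text names one host while the href goes somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_subtype() == "html":
        links = Links()
        links.feed(text)
        for href, shown in links.pairs:
            if "://" in shown and host_of(shown) != host_of(href):
                out.append(f"link text shows {host_of(shown)} but href goes to {host_of(href)}")
    # 5. Urgency wording in the subject or the tag-stripped body.
    haystack = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", text)).lower()
    hits = [w for w in URGENCY if w in haystack]
    if hits:
        out.append("urgency wording: " + ", ".join(hits))
    # 6. Unsolicited attachments that run or render as soon as they are opened.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT):
            out.append(f"risky attachment {fname} ({part.get_content_type()})")
    return out

# Constructed sample: an IBAN-change request like the ones in the cases above.
SAMPLE = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=contracts-mail.net;
 dkim=none; dmarc=fail header.from=contracts-mail.net
From: "Ana Silva" <ana.silva@contracts-mail.net>
Reply-To: <ana.silva@mail-contracts.co>
To: joao@example.com
Subject: URGENT: updated IBAN for invoice 2024-117
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Please pay immediately; the previous account is suspended.</p>
<p>Invoice: <a href="http://203.0.113.7/inv/2024-117">https://portal.example.com/invoices/2024-117</a></p>
</body></html>
--b1
Content-Type: text/html; name="Invoice_2024-117.html"
Content-Disposition: attachment; filename="Invoice_2024-117.html"

--b1--
"""
```

Running `triage(SAMPLE)` produces eight findings for the constructed message, while a plain internal note with no Authentication-Results header yields only the three "missing" verdicts. None of these signals is proof on its own; the value of the triage is that a well-crafted spear-phishing email, like the one in the sample, usually trips several at once, and that the authentication results come from the receiving server rather than from anything the attacker controls.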

Conclusion

In short, spear-phishing continues to be a serious threat in the cybersecurity landscape, as evidenced by its widespread impact and financial consequences. Its personalized nature and its ability to exploit human error make it particularly dangerous, with many successful attacks relying on manipulation of the victim.  

To effectively combat these attacks, organizations and individuals must adopt robust prevention strategies: comprehensive training programs, strict security policies and the implementation of advanced technologies.  

As the threat landscape continues to evolve, ongoing training and adapting security practices are crucial to maintaining strong defenses against these cyberthreats. 
