Unlike traditional phishing, which is sent to a general audience in the hope that someone will respond, spear phishing (‘laser’ phishing) is targeted and personal. It is becoming an increasingly notorious social engineering hack: even tech-savvy executives and other senior managers have been tricked into handing over money and files.
Here is an overview of how the phishing takes place and how to protect the organization and users.
The first thing a hacker needs is a victim, and victims are generally the individuals who hold the data the attacker wants. To do this they usually:
In these campaigns the attacker needs to find a credible source to impersonate. This should be someone internal to the company. In many traditional phishing campaigns the attacker impersonates someone the victim doesn’t know. In laser phishing, however, the attacker impersonates someone the victim knows.
To execute the campaign the hacker would:
Impersonating the CEO is commonly known as whale phishing. Psychologically, humans respond to messages that say they are urgent.
The final step is for the victim to open the malicious link or accept the request. If the victim visits the infected page or responds to the call, then:
A spear phishing campaign allows the hacker to gain more privileged access if they succeed in tricking the individual. The damage can be reduced with modern authentication techniques, like multi-factor authentication (MFA).
It is important that users talk with their colleagues about spear phishing and how it works. Since the campaigns target individuals, they usually target people from the same department.
Spear phishing is mainly done by impersonating a credible source. However, there are a few signs that can give the attacker away, like:
Use technology that helps you block phishing emails. Office 365 offers protection against a variety of phishing attacks.
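The following added example is not from the original article and is not how Office 365 works internally; it shows how a mail filter could score the cues described above (a known colleague's name on an unfamiliar address, and urgent wording). The domain, directory, thresholds, signal names and sample messages are all assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: the organization's domain and a staff directory.
INTERNAL_DOMAIN = "example.com"
DIRECTORY = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away")

# Constructed sample messages, not real traffic.
SPOOFED = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: jane.doe.office@mailbox.test\n"
    "Subject: Urgent wire transfer\n\n"
    "Please process this payment immediately.\n"
)
GENUINE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Subject: Lunch menu\n\n"
    "See the attached menu for Friday.\n"
)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_signals(raw_message):
    """Return the reasons a message looks like internal impersonation."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    signals = []
    # A colleague's display name on an address the directory does not list.
    known = DIRECTORY.get(" ".join(name.lower().split()))
    if known and addr.lower() != known:
        signals.append("name_mismatch")
    # Sender domain that is external but nearly identical to ours.
    dom = _domain(addr)
    if dom != INTERNAL_DOMAIN and SequenceMatcher(None, dom, INTERNAL_DOMAIN).ratio() > 0.8:
        signals.append("lookalike_domain")
    # Replies routed to a different domain than the sender's.
    if reply_to and _domain(reply_to) != dom:
        signals.append("reply_to_mismatch")
    # Pressure wording in the subject or a plain-text body.
    body = "" if msg.is_multipart() else msg.get_payload()
    if any(w in (msg.get("Subject", "") + " " + body).lower() for w in URGENCY_WORDS):
        signals.append("urgency")
    return signals
```

Any single signal can occur in legitimate mail, so a filter would normally combine them before warning the user or quarantining the message.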