Spear Phishing Attacks and Countermeasures

September 3, 2015 by Peter Lindley





At some point over recent years the vast majority of us will have either received – or heard of a friend or relative who has received – a phishing email: a malicious fake email claiming to come from an individual or a company, often a bank or credit card company. Phishing emails from individuals usually promise a significant financial reward if we would just be so kind as to provide our bank details to help them get around a tricky situation with their own accounts, which apparently makes it difficult for them to access even greater sums of money directly. Phishing emails claiming to be from a bank or credit card company will typically refer to some sort of problem with your account that requires you to verify your details by providing your bank account or credit card number or other sensitive information.

Such emails are usually generated and sent out en masse (spamming) using a mailing list, often consisting of many thousands of email addresses 'harvested' over a period of time. The content of a spam phishing email is therefore usually very general and non-specific, which often makes it fairly easy to detect as fake. The fact that more and more of us have become aware, and wary, of these phishing emails, together with the widespread deployment of spam-filtering solutions, has also reduced their effectiveness.

This has resulted in the development of an alternative approach to phishing attacks – Spear Phishing.

Spear Phishing

A Spear Phishing attack is centered around an email whose content is much more carefully constructed to target a small number of personnel – or one individual. The victim or victims are selected because their role has been identified – using methods such as 'social engineering' and accessing social media sites – as key to the success of the planned attack. For example, if the purpose of the attack is financial fraud, a senior manager with the highest authorization level for approval of payments might be targeted; if the purpose is to gain access to the most sensitive enterprise data, someone whose role requires the most significant privileged system access rights might be targeted instead.

Attacks are therefore carefully planned with often a significant amount of time spent researching who would be the best target using social media sites such as Facebook and LinkedIn to obtain details of the individual's activities, history, interests, hobbies, etc. Some of the information gleaned from this research can then be included when drafting the email to ensure that it is as convincing as possible to the recipient.

For example, the spear phishing email can be personalized, beginning with "Dear Peter…" rather than the general phishing email's "Dear Sir/Madam…", and may claim that the sender has been speaking to a friend you have in common, having gleaned this from your social media information. It may refer to details of a previous purchase you have made or a company you have corresponded with in the past.

Such spear phishing emails are less likely to be identified by spam filtering because smaller numbers are involved and the content and subject line may vary.

The spear phishing email will generally contain a link or an attachment which the recipient is asked to click on. These will appear harmless or even familiar but clicking on the link will actually result in connection to a malicious site - or start to run malware embedded in the attachment.

The intended result is that – unknown to the targeted individual user - malicious software is installed on their computer which, for example, can record all keystrokes over a period of time. This is then available to the attacker potentially providing details of user credentials or large amounts of sensitive financial information or other enterprise data.

Phishing attacks continue to develop. For example some recent attacks have been referred to as "Whale Phishing" or "Whaling" attacks – so-called because they target the wealthiest individuals or most senior executives in a company (the biggest "phish").

So what can you do to mitigate against such attacks?

Countermeasures to Mitigate against Spear Phishing Attacks

As usual, the most effective measure to safeguard your business against being the victim of a successful Spear Phishing attack is staff security awareness.

Guidelines - or preferably a policy endorsed by the chief executive – should be issued to all staff instructing them that they MUST NOT click on website links or attachments in unsolicited emails or emails from untrusted sources. If in doubt, they should check with the IT security manager. Issue regular reminders to this effect and highlight this requirement in any security awareness training.

Use the awareness training to educate your users about phishing attacks and social engineering - for example:

  • if an unsolicited "offer" seems too good to be true, it will generally not be true;
  • banks and other financial institutions, etc. will NOT ask for your account details by email; your IT department will NOT ask you to confirm your password over the phone;
  • be wary of any unsolicited email or phone call – are you sure the person is who they claim to be? If not, ring them back – but not using the number provided in an email; look up the number in the directory or go to the company's web site directly by keying in the URL manually (NOT via a link in the email);
  • positioning the mouse over the link – without clicking on it – allows you to examine the URL for anything suspicious, e.g. the country of origin as indicated by the domain extension (many cyber attacks have been reported as originating from China, Russia and now also Brazil, for example);
  • never use your official business account details – particularly your password – when registering with non-work related on-line services or companies; always use different, complex, hard to guess passwords for each account so that if your Facebook password were to be compromised, for example, the same password could not be used for unauthorized access to your business account or on-line banking account;
  • do not post any details on social media sites that could be of help to a cyber attacker planning a spear phishing attack or another criminal e.g. details of when you plan to be on holiday will alert potential criminals as to when your home is likely to be unoccupied; birthdays, pet names, etc. may provide clues for a cyber attacker as to the password you use.

In addition to the benefits of staff security awareness in relation to Spear Phishing, other technical and procedural measures that help mitigate against the threat would include the following:

Ensure that your systems and devices are well managed, with a patching policy and procedures in place to keep software, operating systems, browsers, etc. up to date, applying any "fixes" issued by vendors to close identified vulnerabilities in their products as soon as possible. Such vulnerabilities could potentially be exploited as part of a Spear Phishing or other cyber attack.

Use anti-malware solutions and keep them up-to-date and consider other technical countermeasures that might be appropriate for your systems: e.g. deployment of an inbound email sandbox to check out links in emails; phishing filtering if this is available for your browser; or real-time web traffic analysis.
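The "hover over the link" check in the awareness bullets above and the inbound link and attachment checking just mentioned can both be automated at the mail gateway. The following Python script is an added example written for this article, not the author's own tooling or any product's code: it builds a constructed sample message (every address, host and file name in it is made up), parses it with the standard library only, and reports a Reply-To domain that differs from the From domain, a visible link text whose host differs from the href's host, link hosts that are not under the sender's domain (including lookalikes that merely start with it), and attachment names ending in an executable extension. It inspects the message statically and fetches nothing.

```python
"""Added illustration: static checks on an inbound email for spear-phishing tells.

Standard library only. The messages built below are constructed samples,
not real traffic. Checks implemented:
  * Reply-To domain differs from From domain
  * visible link text names one host while the href points to another
  * href host is not under the sender's domain, or only starts with it
    (a lookalike such as example-bank.com.invoice-verify.net)
  * attachment file names ending in an executable extension
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: extensions a gateway in this environment would quarantine.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".lnk")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def address_domain(header_value):
    """'"Name" <user@host>' -> 'host' (lower-cased), or '' if there is no address."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(msg):
    """Return a list of (finding_kind, detail) tuples; an empty list means nothing flagged."""
    findings = []
    from_dom = address_domain(msg.get("From"))
    reply_dom = address_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"From {from_dom}, replies go to {reply_dom}"))

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            real_host = (urlparse(href).hostname or "").lower()
            shown_host = ""
            if text.lower().startswith(("http://", "https://")):
                shown_host = (urlparse(text).hostname or "").lower()
            # The hover check: what the reader sees versus where the link goes.
            if shown_host and shown_host != real_host:
                findings.append(("link-text-mismatch", f"shows {shown_host}, goes to {real_host}"))
            if real_host and from_dom:
                if real_host == from_dom or real_host.endswith("." + from_dom):
                    pass  # genuinely under the sender's domain
                elif real_host.startswith(from_dom + "."):
                    findings.append(("link-lookalike-domain", real_host))
                else:
                    findings.append(("link-foreign-domain", real_host))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", name))
    return findings


def analyze_raw(raw_text):
    """Parse an RFC 5322 message from text (as a gateway would) and run the checks."""
    return analyze_message(email.message_from_string(raw_text, policy=policy.default))


def build_sample_message():
    """Constructed spear-phishing sample: personalised, lookalike link, disguised attachment."""
    msg = EmailMessage()
    msg["From"] = '"Example Bank Payments" <payments@example-bank.com>'
    msg["Reply-To"] = "payments@example-bank-secure.net"
    msg["To"] = "peter@example.org"
    msg["Subject"] = "Action needed: invoice 4471"
    msg.set_content("Dear Peter, please confirm the attached invoice.")
    msg.add_alternative(
        "<html><body><p>Dear Peter,</p>\n"
        "<p>As discussed with Alan last week, please confirm the invoice at\n"
        '<a href="http://example-bank.com.invoice-verify.net/login">'
        "https://example-bank.com/invoices/4471</a> before Friday.</p>\n"
        "</body></html>\n",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice_4471.pdf.exe")
    return msg


def build_benign_message():
    """Constructed legitimate notification: link stays under the sender's domain."""
    msg = EmailMessage()
    msg["From"] = "alerts@example-bank.com"
    msg["To"] = "peter@example.org"
    msg["Subject"] = "Statement available"
    msg.set_content(
        '<p>Your statement is ready at <a href="https://online.example-bank.com/statements">'
        "https://online.example-bank.com/statements</a>.</p>",
        subtype="html",
    )
    return msg


if __name__ == "__main__":
    for kind, detail in analyze_raw(build_sample_message().as_string()):
        print(f"{kind:24} {detail}")
    print("benign message findings:", analyze_message(build_benign_message()))
```

The domain comparison is deliberately simple (suffix match against the From domain) and does not consult a public-suffix list, so a real deployment would extend it; the point it demonstrates is that the host shown to the reader and the host in the href are two different things, which is exactly what hovering over a link reveals by hand.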

Another measure you might consider is penetration testing: specialist security consultants can identify any vulnerabilities particular to your system configuration and environment and then recommend suitable remedial action to address them.


So in summary:

Spear Phishing attacks have been developed to circumvent spam filtering measures and - using social engineering and research of social media profiles, etc. – to target key individuals who can best assist (albeit unwittingly) the cyber criminal in carrying out an attack.


Having effective technical and procedural security management arrangements in place covering patching, etc. will go some way to demonstrating mitigation against the threat but – as is usually the case – a workforce that has been made aware of the Spear Phishing threat and how they can avoid becoming a target will provide a greater level of assurance.

Peter Lindley

Pete is an IT Security Manager for a large financial services organization in the UK with many years' experience implementing and managing Information Security Management Systems and acting as the single point of contact for advice and guidance in relation to all IT security issues.