Spear Phishing graphic

Spear Phishing is a Gateway to Disaster But Awareness Reduces Risk

A flood of phishing has been swamping businesses, with a record 1 million phishing attacks logged by the Anti-Phishing Working Group in Q1 2022. That wave of phishing attacks isn’t all just cybercriminals casting wide nets to catch as many victims as they can. While most cyberattacks are opportunistic, some are not. Sometimes cybercriminals take care to craft especially believable, personalized lures that target specific victims, from individual executives to employees of a particular organization – and narrowly focused spear phishing attacks can be a devastating weapon to use against a business.

Phishing is a longtime cybercriminal favorite for launching everything from ransomware attacks to credential compromise attempts. Spear-phishing emails are a tool utilized by an estimated 65% of cybercrime groups when they carry out targeted cyberattacks. While it is significantly more complex and requires more skill than run-of-the-mill phishing, spear phishing remains a frequently used and devastating threat to companies. This attack type came in eighth place in the U.S. The Internal Revenue Service’s “Dirty Dozen” scam threats list as a major risk to businesses.

10 Spear Phishing Red Flags To Look For

Learning to spot a spear phishing attempt is critical. Be alert for the presence of these red flags that can indicate that an email message is actually a spear phishing attempt.

  1. A Weird Subject Line – Phishing messages often have odd subject lines like “Warning”, “Your funds has…” or “Message is for a trusted”. If the subject or pre-header of the email contains spelling mistakes, usage errors, unexpected emojis or other things that just don’t quite seem normal, it’s probably phishing.
  2. An Unofficial Domain – Check the sender’s domain by looking at the email address of the sender. A message from a major corporation is going to come from that company’s usual, official domain. For example, If the message says it is from [email protected] instead of [email protected], you should be wary.
  3. Sender Misrepresentation – Bad actors often impersonate seemingly trustworthy or official sources like an employee of a trusted company, a colleague, a senior executive or a government entity in order to give the recipient a false sense of security about the legitimacy of the message. Stay alert for signs that a sender may not be who they seem.
  4. A Clunky Greeting – If the greeting of an unexpected message seems different from a typical business format, that’s a big red flag. Is it generic when it is usually personalized, or vice versa? Anomalies in the greeting are red flags that a message may not be legitimate.
  5. Bad Word Choices, Spelling & Grammar – This is a hallmark test for a phishing message and the easiest way to uncover an attack. We all make occasional spelling or grammatical errors, but a message riddled with them is probably phishing. If you only remember one red flag from this list, make it this one.
  6. An Odd Presentation or Style – Small variations in style can be indicators of big trouble. Beware of unusual fonts, colors that are just a little off, logos that are odd or formats that aren’t quite right. This is another key indicator of spoofing and an easy way to spot phishing.
  7. Suspicious Links – Hovering a mouse or finger over a link will usually enable you to see the path. If the link doesn’t look like it is going to a legitimate page, don’t click on it. If you do accidentally click on a suspicious link, close the page and do not provide any information.
  8. Unexpected Attachments – Bad actors frequently use PDFs or files that look like normal Microsoft files to do their dirty work. Almost 50% of malicious email attachments that were sent out in 2020 were Microsoft Office files. The most popular formats are the ones that employees regularly exchange every day — Word, PowerPoint and Excel — accounted for 38% of phishing attacks. Archived files, such as .zip and .jar, account for about 37% of malicious transmissions. Never download or interact with an unexpected attachment.
  9. It Seems Too Good to Be True – If you receive an unexpected message that promises you some benefit from clicking a link, downloading something or filling out a form, be suspicious. Everybody wants to win a prize or get something for free and bad actors know that, so they often use this technique to trick victims into turning over personal information, financial data or their credentials.
  10. A Gut Feeling – If anything about an unexpected message seems a little bit off, trust your instincts. Don’t interact with the message any further and report it to an administrator immediately. That gut feeling could be the thing that stops a business from falling victim to a phishing-related cyberattack.

Article courtesy Kaseya