Since spear phishing can be so difficult to spot, it’s important to be well-versed in the various types of this attack method and continuously be on the lookout for any suspicious forms of communication. Below are three common spear-phishing techniques frequently employed by hackers:
Business Email Compromise
Also known as “CEO Fraud,” Business Email Compromise (BEC) attacks are when hackers access or spoof an email from a senior executive such as a CEO or CFO and leverage it to request money, documents or login information from another employee. Those targeted can include other executives, senior staff members, company attorneys, or trusted vendors and partners. Successful BEC attacks result in access to the victim’s business systems, unrestricted access to the victim’s employee credentials, and potentially massive financial losses for the company.
Whaling attacks are another form of spear-phishing attack that aims for high-profile targets specifically, such as C-level executives, politicians, or celebrities. Like spear phishing, whaling attacks are customized for their intended target and use the same social engineering, email-spoofing, and content-spoofing methods to access and steal sensitive information.
Clone phishing involves hackers creating a nearly identical replica of a legitimate message to trick the victim into thinking it’s real. Sent from a seemingly trusted address – often using a typo squatted domain – the message will appear valid and include whatever content the victim expects to receive – however, the attachment or link included in the message will be swapped out for a malicious one. These attacks often involve cloned websites with a spoofed domain that mimics a legitimate one to trick the victim into providing sensitive information.
With all of these techniques, we are seeing an increasing trend where personal email addresses are being targeted. These are rarely protected with enterprise-grade email security but are still accessed from corporate networks and devices.