Spear phishing campaigns: unlike traditional phishing, which is sent to a broad audience in the hope that someone will respond, 'laser' phishing is targeted and personal. It has become an infamous social engineering attack; even technically savvy executives and other senior managers have been tricked into handing over money and files.

Here is an overview of how the phishing takes place and how to protect the organization and its users.

How the phishing takes place

Targeting the victims

The first thing an attacker needs is a victim, generally an individual who holds the data (or controls the money) the attacker wants. To find one they usually:

  • Follow the company's social media accounts to understand who works there, their roles and the different departments.
  • Research corporate websites to gain insight into processes and locations.
  • Use scripts to harvest email addresses from public pages and breach dumps.

Pick out a credible source

In these campaigns the attacker needs to find a credible source to impersonate. This should be someone internal to the company. In many traditional phishing campaigns the attacker impersonates someone the victim doesn't know; in laser phishing the impersonated party is someone the victim knows and is used to taking instructions from.

To execute the campaign the attacker would:

  • Identify the individual who has the authority to sign off large sums of money.
  • Select the most senior person who would plausibly ask for money, and impersonate them.
  • Research upcoming trips from social media posts, so the request arrives while the impersonated person is known to be travelling and hard to reach.

Attacks that target or impersonate senior executives such as the CEO are commonly known as whaling (a fraudulent transfer request in the CEO's name is also called CEO fraud). Psychologically, people tend to act first and verify later when a message is marked urgent.

The victim gets trapped

The final step is for the victim to open the malicious link or act on the request. If the victim visits the infected page or responds to the request, then:

  • A payment could be made to the phisher.
  • Sensitive information could be shared with the phisher.
  • The machine could be infected with malicious content.

To avoid being duped, there are several ways to protect yourself and the organization.

How to protect the organization

Secure your identity:

A spear phishing campaign gives the attacker more privileged access if they succeed in tricking the individual. The damage can be reduced with modern authentication techniques, like Multi Factor Authentication (MFA), which limit what a stolen password is worth on its own. Note that MFA does not stop a payment or a file transfer that the victim authorizes themselves; that needs a separate verification step such as a call back on a known number.

Encourage users to talk about the potential threat of phishing emails:

It is important that users talk with their colleagues about spear phishing and how it works. Since the campaigns target individuals, several people in the same department are often targeted with the same pretext, so one person's report can warn the others before anyone responds.

Create awareness of how to detect phishing emails:

Spear phishing relies on impersonating a credible source. However, a few signs can give the attacker away:

  • The email address is slightly altered from what you would expect (a swapped or added character in the domain, or a Reply-To that differs from the visible sender).
  • The language used is not what the supposed sender would normally write; it tries to invoke sympathy or fear.
  • A tone of urgency is combined with a request to break the company's policy, such as skipping an approval or keeping the request confidential.

Use technology designed to block phishing emails:

Use technology that helps you block phishing emails before they reach users. Office 365 offers protection against a variety of phishing attacks.