
Spear phishing, a targeted form of email-based crime, is gaining popularity among cybercriminals. By studying their victims and crafting carefully designed messages, attackers often pose as a trusted colleague, organisation or business. Spear-phishing attacks usually aim to steal sensitive data, such as social-media login details or financial information, or other credentials that are later used for fraud, identity theft and other crimes.

Designed to bypass traditional email security such as gateways and spam filters, these attacks are frequently sent from high-reputation domains or from hijacked email accounts. Spear-phishing emails often carry no malicious URL or attachment at all, and because most common email-security controls rely on blocklists and reputation analysis, such messages pass through them easily.

Spear-phishing emails commonly use spoofing techniques and contain “zero-day” URLs: links hosted on domains that have not been used in any previous attack, or links planted on compromised legitimate websites. Such links are therefore unlikely to be blocked by email security technologies.

Moreover, cybercriminals exploit social-engineering tactics such as urgency, brevity and pressure to boost the chance of success.

Statistics on Spear Phishing Attacks

Barracuda produced a report evaluating more than 360,000 spear-phishing emails over a three-month period, identifying and analysing three major types of attack [1]. According to this research:

  • Brand impersonation accounts for 83% of spear-phishing attacks.
  • Sophisticated spear-phishing attacks are used to steal account credentials.
  • Nearly 1 in 5 attacks involve impersonation of a financial institution.
  • Sextortion scams, a form of blackmail, are increasing in frequency, becoming more sophisticated and bypassing email gateways.
  • Sextortion attacks make up 1 in 10 spear-phishing emails.
  • The majority of subject lines on sextortion emails include some kind of security alert.
  • Criminals often place the victim’s email address or password in the subject line.
  • Business email compromise (BEC) attacks make up only 6% of spear-phishing attacks but have caused more than $12.5 billion in losses since 2013.
  • Just 10 popular email domains are used to launch 62% of attacks.
  • Subject lines on the majority of attack emails try to establish rapport or a sense of urgency; many imply that the topic has been discussed before.
  • Cybercriminals adapt their email tactics to target users in different industries more effectively.
  • Finance-department employees are heavily targeted because of their access to sensitive information such as banking details.

Figure: Brand Impersonation

Figure: Domains Used in BEC Attacks

Figure: Top Subject Lines in BEC Attacks

Best Practices to Protect Against Spear Phishing

Cybercriminals know the most effective ways to reach your organisation’s sensitive data.

Often, simple methods are used to attack complex systems: an organisation is compromised simply by tricking and manipulating its employees or community members.

Below are several common social-engineering techniques, their warning signs, and how to respond:

Never share your passwords.

Your passwords are the key to your identity, your data and even your colleagues’ data. Your organisation’s help desk or IT department will never ask you for your password.

Watch out for abandoned USB flash drives

Cybercriminals plant USB flash drives as bait so that whoever finds one plugs it in and unknowingly installs malware on their computer. Never connect an unknown drive to a computer, even with the intention of finding its real owner, because it may be a trap.

Be aware of the signs

If an email contains spelling or grammar mistakes, an urgent request or an offer that is too good to be true, treat the message as suspicious and do not act on it.

Confirm the sender

Check that the sender’s email address is genuine: look at the actual address behind the display name, not just the name that is shown.

Do not talk to strangers!

If you receive a call from someone you do not know asking you to provide information, hang up and report the incident to the appropriate authorities.

Avoid opening links and attachments from unknown senders

Get into the habit of typing URLs into your browser yourself. Do not open attachments unless you are expecting a file from that sender. If a suspicious message arrives, call the sender using contact details you already have, not the ones given in the message.

Do not trust the message content!

Phishing emails often carry convincing logos, links to real company websites, legitimate phone numbers and email signatures from real employees. But if the message urges you to act (especially to send sensitive information, click a link or download a file), be careful and look for other signs of a phishing attack.

Do not hesitate to contact the company the message claims to come from directly, because it can verify whether the message is genuine, and it may not even be aware that its name is being used for fraud.

Take Advantage of Artificial Intelligence (AI)

Cybercriminals are adapting their email tactics to bypass gateways and spam filters, so it is critical to have a solution in place that detects and protects against spear-phishing attacks. Use next-generation technologies such as machine learning and AI that do not rely solely on looking for malicious links or attachments.

Use Multi-Factor Authentication (MFA)

Multi-factor authentication (also called two-factor authentication or two-step verification) provides an additional layer of security beyond the username and password, such as a one-time authentication code, a fingerprint or a retinal scan.

Train your Employees to Recognise and Report Phishing Attacks

Make spear phishing part of your security-awareness training. Use phishing simulations by email, voicemail and SMS so that users learn to recognise attacks, to test the effectiveness of the training, and to identify the users most vulnerable to attack.

Run Proactive Incident Investigations

Run regular investigations with incident-response tooling to detect emails whose content is known to be popular with cybercriminals, including subject lines about password changes and security alerts, because employees may fail to report suspicious activity in their inboxes.
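The sender checks from “Confirm the sender” and the mailbox hunt described here can be expressed as simple rules over raw messages. The following is an added example, not code from the original post or any product: it parses an RFC 5322 message and flags display-name impersonation, a lookalike sender domain, a Reply-To diverted to another domain, the subject-line themes the report lists, and the victim’s own address quoted in the subject (the sextortion lever). The trusted-domain list, subject patterns and both sample messages are constructed assumptions for the demonstration.

```python
"""Spear-phishing indicator triage over raw RFC 5322 messages.

Added example, not code from the original post. TRUSTED_DOMAINS, the
subject patterns and the two sample messages are constructed assumptions
for the demonstration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Domains this organisation and its bank genuinely send from (assumed).
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}

# Subject-line themes the report associates with attacks.
SUBJECT_PATTERNS = {
    "password-themed subject": r"\bpassword\b",
    "security-alert subject": r"\bsecurity (?:alert|notice|warning)\b",
    "urgency in subject": r"\b(?:urgent|immediately|within 24 hours|action required)\b",
    "fake prior-conversation marker (RE:/FWD:)": r"^\s*(?:re|fwd?)\s*:",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def triage(raw: str, recipient: str) -> list[str]:
    """Return the spear-phishing indicators found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    subject = str(msg.get("Subject", ""))
    from_dom = domain_of(from_addr)
    findings = []

    # 1. Display name borrows a trusted brand while the address lives elsewhere.
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if from_dom not in TRUSTED_DOMAINS and any(b in display.lower() for b in brands):
        findings.append(f"display name {display!r} impersonates a trusted brand from {from_dom}")

    # 2. Sender domain is one character away from a trusted one (examp1ebank.com).
    for trusted in sorted(TRUSTED_DOMAINS):
        if from_dom != trusted and edit_distance(from_dom, trusted) == 1:
            findings.append(f"lookalike sender domain {from_dom} ~ {trusted}")

    # 3. Replies are silently diverted to a domain other than the visible sender's.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")

    # 4. Subject-line themes listed in the report.
    for label, pattern in SUBJECT_PATTERNS.items():
        if re.search(pattern, subject, re.IGNORECASE):
            findings.append(label)

    # 5. Sextortion-style leverage: the victim's own address quoted in the subject.
    if recipient.lower() in subject.lower():
        findings.append("recipient address quoted in subject")

    return findings


# Constructed sample messages (not real traffic).
PHISH = """\
From: "Example Bank Security" <alerts@examp1ebank.com>
Reply-To: <support-desk@mail-verify.example.net>
To: jane.doe@example.com
Subject: RE: URGENT security alert - password reset required for jane.doe@example.com

Dear Jane, confirm your details within 24 hours or your account will be locked.
"""

LEGIT = """\
From: "IT Service Desk" <helpdesk@example.com>
To: jane.doe@example.com
Subject: Patch window this Saturday

Reminder: laptops will reboot during Saturday's maintenance window.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw, "jane.doe@example.com"))
```

Each rule is deliberately independent of URLs and attachments, which matches the point made earlier that these messages often carry neither; in practice you would run `triage` over an exported mailbox or a journaling feed and review anything with more than one finding.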


This blog was originally published at RSS Teknoloji Haberleri.