
Anatomy of the Spear Phish

On our Radar

Spear phishing is a targeted form of phishing. Rather than throwing out a net of deception and hoping that someone gets caught, the spear phisher homes in on a victim by sending convincing emails claiming to be from a co-worker, a family member, or another trusted sender. The goal? To convince the target to reveal sensitive and personal information that will lead to financial gain.

A common way for attackers to gain access to a network is through credential scraping – purchasing compromised usernames and passwords from nefarious online marketplaces. The attacker tries the password across various platforms and accounts until they successfully access a user’s email or other personal accounts – then the spear phishing campaign begins.

Consider this scenario:

  1. An attacker wants to access Jane’s email to read valuable information about her financial transactions and spending patterns, and potentially manipulate her access to company finances for personal financial gain. The attacker knows they may be able to convince Jane, a financial analyst, to trust an email from someone at the same company as her, so they go through a list of employees available on the company’s website. They find Bob.
  2. The attacker successfully finds Bob’s email password on a credential-stealing website and compromises Bob’s account.
  3. Posing as Bob, the attacker sends an email to Jane and potentially the rest of Bob’s contact list. The email may sound urgent and seem legitimate: “Urgent Message! Click here to listen: http://www.phishingsitedonotclickme.com.”
  4. Jane knows Bob, so she opens his email and clicks the bogus link. The link takes her to a site asking for her credentials before she can listen to the urgent voicemail. By entering her credentials, Jane has now given the attacker access to all the information available in her email account, as well as access to any of her other accounts that use the same password. The attacker could use Jane’s position in the finance department to trick others into sending money to the attacker’s bank account to reach their end goal of personal financial gain.
  5. If the attacker needs additional information beyond what they were able to gain from Jane’s and Bob’s accounts, they may begin using the credentials harvested from other recipients of the original email sent from Bob’s account. The cycle continues, and the attacker gains access to more and more information as long as emailed contacts click the link in the bogus emails and share their credentials.
  6. The attacker may also place malicious automated rules on Jane’s (and others’) email account, either deleting all incoming emails or forwarding them to an outside account.
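The malicious inbox rules in step 6 are the part of this scenario a mailbox owner or help desk can actually check for. The following audit is an added example, not code from the original post or from Northwestern IT: it assumes a simplified, hypothetical rule representation (name, enabled flag, conditions, actions) and a placeholder organisation domain, and flags rules that forward or redirect mail outside the organisation or that delete every incoming message.

```python
from dataclasses import dataclass, field

ORG_DOMAIN = "example.edu"  # assumed organisation domain (placeholder, not from the post)


@dataclass
class InboxRule:
    """Hypothetical, simplified view of a mailbox rule (constructed for this example)."""
    name: str
    enabled: bool
    conditions: dict = field(default_factory=dict)  # empty dict = applies to all incoming mail
    actions: dict = field(default_factory=dict)     # e.g. {"forward_to": [...], "delete": True}


def is_external(address: str, org_domain: str = ORG_DOMAIN) -> bool:
    """True when the address's domain is not the organisation's own domain."""
    if "@" not in address:
        return False
    return address.rsplit("@", 1)[1].lower() != org_domain.lower()


def audit_rules(rules, org_domain: str = ORG_DOMAIN):
    """Return (rule name, reason) pairs for rules matching the two patterns in step 6."""
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue  # disabled rules cannot act on mail; skip them
        targets = rule.actions.get("forward_to", []) + rule.actions.get("redirect_to", [])
        external = [t for t in targets if is_external(t, org_domain)]
        if external:
            findings.append((rule.name, "forwards mail outside the organisation: " + ", ".join(external)))
        if rule.actions.get("delete") and not rule.conditions:
            findings.append((rule.name, "deletes every incoming message"))
    return findings


# Constructed sample rules: one benign, two malicious, one disabled.
SAMPLE_RULES = [
    InboxRule("Sort newsletters", True, {"from_contains": "newsletter"}, {"move_to": "Newsletters"}),
    InboxRule("Backup", True, {}, {"forward_to": ["j.doe.backup@mail-example.net"]}),
    InboxRule("Cleanup", True, {}, {"delete": True}),
    InboxRule("Old rule", False, {}, {"forward_to": ["someone@mail-example.net"]}),
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES):
        print(f"SUSPICIOUS rule '{name}': {reason}")
```

In a real mailbox the rule list would come from the mail platform's own rule export or admin interface; the checks above are the same ones to apply to it.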

The Takeaway

Don’t be Jane. If you have been compromised or have provided your credentials to a phishing site, immediately change your password and check the rules set up on your Inbox. How to report a phishing incident.

Don’t be Bob. Be aware of what you keep, send, and receive in your Inbox. It is also possible that the attacker might not send emails from the account for a while if their goal is simply to gather information.

Remember to change your password regularly and don’t use the same password across accounts. Always practice good password hygiene.

Additionally, browse through previous scam email attempts at Northwestern to familiarize yourself with the types of threats to look out for, and gain the awareness needed to better protect yourself from becoming a victim. Read more about phishing and how to identify a phishing email.
