Spear phishing is a targeted form of phishing where adversaries conduct online research about individuals and organizations to craft personalized phishing emails. These emails often contain malicious attachments or links that install malware when opened. Spear phishing has a high success rate because targets are more likely to open emails that appear personalized. Organizations can reduce spear phishing risks through security awareness training for employees and technical defenses like firewalls, software patching, and limiting administrative privileges.
Targeted social engineering attacks in the form of spear phishing emails are often the main gimmick used by attackers to infiltrate organizational networks and implant state-of-the-art Advanced Persistent Threats (APTs). Spear phishing is a complex targeted attack in which an attacker harvests information about the victim prior to the attack. This information is then used to create sophisticated, genuine-looking attack vectors, drawing the victim to compromise confidential information. What makes spear phishing different, and more powerful than normal phishing, is this contextual information about the victim. Online social media services can be one such source for gathering vital information about an individual. In this paper, we characterize and examine a true positive dataset of spear phishing, spam, and normal phishing emails from Symantec's enterprise email scanning service. We then present a model to detect spear phishing emails sent to employees of 14 international organizations, by using social features extracted from LinkedIn. Our dataset consists of 4,742 targeted attack emails sent to 2,434 victims, and 9,353 non-targeted attack emails sent to 5,912 non-victims; and publicly available information from their LinkedIn profiles. We applied various machine learning algorithms to this labeled data, and achieved an overall maximum accuracy of 97.76% in identifying spear phishing emails. We used a combination of social features from LinkedIn profiles, and stylometric features extracted from email subjects, bodies, and attachments. However, we achieved a slightly better accuracy of 98.28% without the social features. Our analysis revealed that social features extracted from LinkedIn do not help in identifying spear phishing emails.
To the best of our knowledge, this is one of the first attempts to make use of a combination of stylometric features extracted from emails, and social features extracted from an online social network to detect targeted spear phishing emails.
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan (ControlScan, Inc.)
Phishing is a top organizational security vulnerability because it involves the exploitation of human weakness. This ControlScan National Cyber Security Awareness Month presentation teaches employees how to spot and combat a phishing attack.
Phishing is one of the oldest tricks in the book of hackers. But as old as it might be, phishing still remains the most lucrative tool for cybercriminals. In this presentation, we will help you understand phishing and tell you how you can avoid phishing attacks.
It contains knowledge about phishing and how it happens. It also contains knowledge about how we can prevent it. So this slide deck contains all the basic knowledge about phishing and anti-phishing.
Learn about the different types of phishing attacks, such as content injection and MITM attacks, that can target you and your organization.
To know more about phishing prevention, read our in-depth article "How to Prevent a Phishing Attack? 17 Easy Hacks for Administrators"
https://blog.syscloud.com/phishing-attack/
CERT STRATEGY TO DEAL WITH PHISHING ATTACKS (csandit)
Every day, internet thieves employ new ways to obtain people's personal identities and gain access to their personal information. Phishing is a somewhat complex method that has recently been adopted by internet thieves. First, the present study aims to explain phishing, why an organization should deal with it, and the challenges of doing so. In addition, different kinds of this attack and a classification of security approaches for organizational and lay users are addressed in this article. Finally, the CERT strategy, which relies on the three principles of informing, supporting and helping, is presented to deal with phishing, and some anti-phishing approaches are studied.
Phishing is a form of social engineering in which a cyber threat actor poses as a trustworthy colleague, acquaintance, or organization to lure a victim into providing sensitive information or network access. The lures can come in the form of an email, text message, or even a phone call. If successful, this technique could enable threat actors to gain initial access to a network and affect the targeted organization and related third parties. The result can be a data breach, data or service loss, identity fraud, malware infection, or ransomware.
Phishing is basically the type of cybercrime in which attackers imitate a real person or institution, pretending to send a message from an authorized organization, and then obtain the user's personal identity details, credit card details and other bank information, breaching the personal details of the user. There are many free tools to help against web-based scams. In the study given below, several free anti-phishing toolbars were examined. The SpoofGuard anti-phishing toolbar was found to be good at identifying fraudulent sites, but it also gave false positive results. EarthLink, Google, Netcraft, Cloudmark and Internet Explorer 7 detected many of the fraudulent or fake sites, though more than 15 of the sites flagged as fraudulent were false positives. TrustWatch, eBay and Netscape correctly found the fraudulent websites, and by combining the toolbars the expected outcome was obtained.
Dr. Lalit Pratap | Mr. Shubham Sangwan | Monika, "E-Mail Phishing Prevention and Detection", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-6, Issue-3, April 2022. URL: https://www.ijtsrd.com/papers/ijtsrd49541.pdf Paper URL: https://www.ijtsrd.com/other-scientific-research-area/other/49541/email-phishing-prevention-and-detection/dr-lalit-pratap
What threatens us in cyberspace?
Phishing: typology of threats
Phishing protection
What is anti-phishing protection?
Website protection
Company and online fraud protection
Conclusion
Learn more about cyber attacks and find out how to secure yourself - https://hacken.live/2BwYyOo
A Novel Approach for Phishing Emails Real Time Classification Using K-Means A... (IJECEIAES)
The danger of phishing has become a considerably bigger problem in online social networks such as Facebook, Twitter and Google+. Phishing is normally carried out by email spoofing or instant messaging, and it frequently directs the user to enter details at a phony site whose look and feel are practically indistinguishable from the genuine one. Non-technical users resist learning anti-phishing techniques, and they also do not permanently remember what they learn about phishing. Software solutions such as authentication and security warnings still depend on end user action. In this paper we mainly focus on a novel approach to real-time phishing email classification using the K-means algorithm. For this we used 160 emails from last year's computer engineering students. We obtained true positive rates of 67% and 80% for legitimate and phishing emails, and true negative rates of 30% and 20%, which is very high, so we asked the same users for their reasons, which we mainly grouped into three categories: the look and feel of the email, the email's technical parameters, and the email structure.
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO... (IJNSA Journal)
Emails are used every day for communication, and many countries and organisations mostly use email for official communications. It is highly valued and recognised for confidential conversations and transactions in day-to-day business. The frequent use of this channel and the quality of information it carries have attracted cyber attackers to it. There are many existing techniques to mitigate attacks on email; however, these systems are more focused on email content and behaviour than on securing the entrances to email boxes, composition, and settings. This work intends to protect users' email composition and settings, to prevent attackers from using an account when it gets hacked or hijacked, and to stop them from setting up forwarding on the victim's email account to a different account, which automatically stops the user from receiving emails. A secure code is applied to the composition send button to curtail insider impersonation attacks. It also secures open applications on public and private devices.
This white paper examines the need for strong authentication and explores the return on investment that can be realized in order to help organizations move toward more effective security.
Email threats are always changing and evolving, so it's critical to remain on top of them. Here are the most frequent email threats today, as well as tips on how to recognize and manage them.
This report belongs solely to Symantec. Credit is due to all original authors and no financial gain was made from the report; it is simply shared for educational purposes.
The FBI is the lead federal agency for investigating malicious cyber activity by criminals, nation-state adversaries, and terrorists. To fulfill this mission, the FBI often develops resources to enhance operations and collaboration. One such resource is the FBI’s Internet Crime Complaint Center (IC3) which provides the public with a trustworthy and convenient mechanism for reporting information concerning suspected Internet-facilitated criminal activity. At the end of every year, the IC3 collates information collected into an annual report.
Verizon Publishes 2020 Data Breach Investigation Report (DBIR) With Insights From Thousands of Confirmed Breaches. Verizon's 2020 Data Breach Investigations Report (DBIR) is the most extensive yet, with 81 contributing organizations and more than 32,000 incidents analyzed (of which 3,950 were confirmed breaches). Credit: Verizon
The mission of the IC3 is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated criminal activity, and to develop effective alliances with industry partners. Information is analyzed and disseminated for investigative and intelligence purposes, for law enforcement, and for public awareness.
This report is built upon analysis of 41,686 security incidents, of which 2,013 were confirmed data breaches. We will take a look at how results are changing (or not) over the years as well as digging into the overall threat landscape and the actors, actions, and assets that are present in breaches. Windows into the most common pairs of threat actions and affected assets also are provided.
SPEAR PHISHING
UNDERSTANDING THE THREAT
SEPTEMBER 2013
Due to an organisation’s reliance on email and internet connectivity, there is no guaranteed way to
stop a determined intruder from accessing a business network. Reliance on email and the internet
brings vulnerabilities which must be recognised and addressed appropriately. The IT security
community has assessed that Spear Phishing is a remarkably effective cyber-attack technique and its
use to gain access to business systems is unlikely to decline in the near future.
This paper describes how Spear Phishing attacks work, the likelihood of being targeted and the steps
an organisation can take to manage the business risks.
Key points
Spear Phishing is a targeted form of email deception.
Most targeted attacks against an organisation begin with a Spear Phishing email.
Spear Phishing has a high success rate and its use as a means of attack looks set to continue.
Successful attacks can result in exploitation or compromise of individual devices and organisational networks. This can have significant implications for an organisation.
The risk from Spear Phishing can be reduced through good educational awareness and effective technical controls.
Disclaimer
Reference to any specific commercial product, process or service by trade name, trademark,
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation
or favour by CPNI. The views and opinions of authors expressed within this document shall
not be used for advertising or product endorsement purposes.
To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage
(whether direct, indirect or consequential, and including but not limited to, loss of profits or
anticipated profits, loss of data, business or goodwill) incurred by any person and howsoever
caused arising from or connected with any error or omission in this document or from any
person acting, omitting to act or refraining from acting upon, or otherwise using the
information contained in this document or its references. You should make your own
judgment as regards use of this document and seek independent professional advice on your
particular circumstances.
Page 1 of 7
Introduction
Phishing is a form of email deception used by a range of adversaries in an attempt to obtain sensitive
information or cause disruption to an organisation’s business operations. Spear Phishing is a more
targeted version of phishing where an adversary conducts online reconnaissance against an individual
or organisation in order to construct an email which appears to be of significant interest to those
targeted. The email is designed to persuade the target individual to open a file attachment or click on
a website link. In doing so, malicious software (or malware) is executed, designed to exploit and
compromise the individual’s IT device.
Spear Phishing email attacks are persistent and often have a high success rate as they are able to
bypass traditional security defences and exploit vulnerable software.
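What these traits look like on the receiving side can be shown with a short triage routine. The following is an added example, not code from the CPNI paper: it parses a constructed message and reports the indicators the Introduction names (an attachment or link that would execute malware) together with basic sender checks; the domains, names, trusted-domain list and the message itself are invented for illustration.

```python
"""Added example (not from the CPNI paper): triage one inbound message for the
spear-phishing traits the paper describes. Checks: sender domain, a display name
that embeds a different address, a redirecting Reply-To, an attachment type that
executes code or carries macros, and a link whose text names another host.
All domains, names and the message below are constructed for illustration."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Declared attachment types that run code or carry macros when opened (illustrative).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".pptm"}
# Hypothetical organisation and partner domains whose senders are trusted.
TRUSTED_DOMAINS = {"companyx.example", "partner.example"}
_HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML part."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _first_address(msg, field):
    """Return (display_name, domain) of the first mailbox in a header, or ('', '')."""
    header = msg.get(field)
    if header is None or not getattr(header, "addresses", ()):
        return "", ""
    return header.addresses[0].display_name, header.addresses[0].domain.lower()


def triage(raw_eml):
    """Return a list of findings for one RFC 5322 message; empty means nothing fired."""
    msg = message_from_string(raw_eml, policy=policy.default)
    findings = []

    # 1. Sender: does the message really come from where it claims to?
    name, from_domain = _first_address(msg, "From")
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {from_domain!r} is not a trusted domain")
    embedded = re.search(r"@([a-z0-9.-]+)", name.lower())
    if embedded and embedded.group(1) != from_domain:
        findings.append(f"display name embeds {embedded.group(1)!r} but address is {from_domain!r}")
    _, reply_domain = _first_address(msg, "Reply-To")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain")

    # 2. Attachments: the file the target is persuaded to open.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if "." in filename and filename[filename.rfind("."):] in RISKY_EXTENSIONS:
            findings.append(f"attachment {filename!r} executes code or carries macros when opened")

    # 3. Links: the website the target is persuaded to click.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            real_host = (urlparse(href).hostname or "").lower()
            shown = _HOST_RE.search(text.lower())
            if shown and shown.group(0) != real_host:
                findings.append(f"link text shows {shown.group(0)!r} but points to {real_host!r}")
    return findings


# Constructed spear-phishing message: tailored subject, look-alike sender domain, an
# address hidden in the display name, redirected Reply-To, macro-enabled attachment
# and a link whose visible text names a different host than its target.
SPEAR_PHISH_EML = """\
From: "Jane Doe <jane.doe@companyx.example>" <jane.doe@mail-companyx.example>
Reply-To: updates@tracker.example
To: john.smith@companyx.example
Subject: Project Falcon - revised schedule
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>John, the revised schedule is on <a href="http://login.tracker.example/x">portal.companyx.example</a>.</p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Falcon_schedule.docm"

(binary payload omitted)
--b1--
"""
```

Running `triage(SPEAR_PHISH_EML)` yields five findings, one per trait listed in the comment above, while a plain internal text message from a trusted domain yields none.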
Reconnaissance
An adversary will use information sources (free and subscription-based) to build background
knowledge of a target individual or organisation. This information found online is called Open Source
Intelligence (OSINT) and the process of collecting it is known as Reconnaissance. Organisations share
information across the internet via their public website or social media sites. This information may be
published by themselves or by their business partners. An adversary will aim to acquire as much
information about a target as possible, as the more information they have available, the greater the
chance the Spear Phishing email will be seen as a legitimate communication.
Research conducted as part of CPNI OSINT studies included investigation into online information
relating to a number of participating companies. This highlighted the information an adversary would
look to obtain when conducting a Spear Phishing attack; this information includes staff contact details,
organisation charts, job descriptions and technical information such as IP addresses, project names
and software versions in use within an organisation.
To construct a successful Spear Phishing attack, an adversary requires a target email address. Using
search engines, an adversary will look for online profiles which contain contact details of a target
individual. If an email address is not within the contact information, an adversary may attempt to
guess the address, by trying a common format such as firstname.surname@companyx.com.
Adversaries will often send Spear Phishing emails to a range of plausible email addresses to determine
a valid address. CPNI has published guidance, entitled Online Reconnaissance – How your internet
profile can be used against you which describes this scenario in further detail.1
1 See CPNI guidance on Online Reconnaissance www.cpni.gov.uk/advice/cyber/online-reconnaissance
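The address-guessing behaviour described above leaves a trace on the receiving mail gateway: one host rejected for many different non-existent recipients. The following is an added, defender-side example (not part of the CPNI guidance) that counts "user unknown" rejections per client and sender domain; the Postfix-style log lines, IP addresses and domains are constructed samples.

```python
# Added example, not part of the CPNI guidance: flag a sending host that has
# probed many non-existent addresses in the defended domain, the pattern left
# behind when an adversary guesses address formats to find a valid one.
import re
from collections import defaultdict

# Constructed Postfix-style rejections (not a real log); companyx.com is the defended domain
SAMPLE_LOG = """\
Mar 03 09:12:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <john.smith@companyx.com>: Recipient address rejected: User unknown in local recipient table; from=<hr@example-partner.net> to=<john.smith@companyx.com>
Mar 03 09:12:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <j.smith@companyx.com>: Recipient address rejected: User unknown in local recipient table; from=<hr@example-partner.net> to=<j.smith@companyx.com>
Mar 03 09:12:04 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <jsmith@companyx.com>: Recipient address rejected: User unknown in local recipient table; from=<hr@example-partner.net> to=<jsmith@companyx.com>
Mar 03 09:12:06 mx postfix/smtpd[2101]: 7F2B1A: client=unknown[203.0.113.7]
Mar 03 10:40:11 mx postfix/smtpd[2188]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.4]: 550 5.1.1 <sales@companyx.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.org> to=<sales@companyx.com>
"""

# One 'user unknown' rejection: client IP, rejected recipient and envelope sender
REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: .*User unknown"
    r".*from=<(?P<sender>[^>]*)>"
)

def enumeration_suspects(log: str, threshold: int = 3):
    """Return {(client_ip, sender_domain): [rejected recipients]} for every client that
    hit `threshold` or more distinct non-existent addresses. One or two typos are normal
    traffic; a run of plausible variants of one name from one host is not."""
    unknown = defaultdict(set)
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # delivered mail and other rejections are not address probing
        sender_domain = m["sender"].rpartition("@")[2].lower() or "<>"  # '<>' = null sender
        unknown[(m["ip"], sender_domain)].add(m["rcpt"].lower())
    return {key: sorted(rcpts) for key, rcpts in unknown.items() if len(rcpts) >= threshold}

if __name__ == "__main__":
    for (ip, domain), rcpts in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{ip} claiming {domain} probed {len(rcpts)} unknown addresses: {', '.join(rcpts)}")
```

The threshold and grouping key are assumptions to tune for your own traffic; a single mistyped address is routine, while several format variants of one name from one host within minutes is the probing the text describes.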
3. Construction and delivery of Spear Phishing emails
After conducting online reconnaissance an adversary now has enough information to create a Spear
Phishing email. The email will include all information discovered through the reconnaissance phase
and contain an attachment or website link which is of interest to the target. The adversary will then
attempt to alter the email to make it appear as if the message was sent from a trusted contact of the
target individual. An email which appears to be from a trusted contact increases the likelihood of a
successful compromise.
Attachments contained within Spear Phishing emails will appear as a common file type such as .rtf or
.pdf. The name will be of interest to the target, e.g. ‘pay award.PDF’. When the attachment is opened,
embedded malicious software is executed, designed to compromise the target’s IT device.
Figure 1 - Top spear-phishing email attachment file types (Trend Micro 2012)
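A file that presents itself as a common document type need not contain one. The following is an added, defender-side example (not part of the CPNI guidance) that compares an attachment's declared extension, case-insensitively so ‘.PDF’ and ‘.pdf’ are treated alike, with the leading bytes of its content, and also flags double extensions. The file names and byte strings are constructed samples.

```python
# Added example, not part of the CPNI guidance: triage an attachment whose declared
# type does not match its content, the disguise described above ('pay award.PDF').
import os
from typing import Optional

# Leading bytes ("magic numbers") that identify common attachment formats
MAGIC = {
    "pdf": b"%PDF-",
    "rtf": b"{\\rtf",
    "exe": b"MZ",                                  # Windows PE executable
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",    # OLE2 container (legacy Office)
    "zip": b"PK\x03\x04",                          # ZIP, also .docx/.xlsx containers
}
DOCUMENT_TYPES = {"pdf", "rtf"}  # the common types the guidance says attachments pose as

def sniff(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes begin `data`, or None if unrecognised."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def triage(filename: str, data: bytes) -> list:
    """Return the reasons this attachment deserves a closer look (empty list if none)."""
    reasons = []
    root, ext = os.path.splitext(filename)
    declared = ext.lstrip(".").lower()   # '.PDF' and '.pdf' are the same declared type
    actual = sniff(data)
    if declared in DOCUMENT_TYPES and actual != declared:
        reasons.append(f"declared .{declared} but content looks like {actual or 'unknown'}")
    if actual == "exe":
        reasons.append("content is a Windows executable")
    if os.path.splitext(root)[1]:        # 'invoice.pdf.exe' style double extension
        reasons.append(f"double extension: {filename}")
    return reasons

# Constructed samples (not real attachments)
SAMPLES = {
    "pay award.PDF": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",    # genuine PDF header
    "pay award (2).pdf": b"MZ\x90\x00\x03\x00\x00\x00",   # executable renamed to .pdf
    "agenda.rtf": b"{\\rtf1\\ansi\\deff0",                 # genuine RTF header
    "invoice.pdf.exe": b"MZ\x90\x00",                      # double extension
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {'; '.join(triage(name, data)) or 'no flags'}")
```

A matching header does not make a document safe (a genuine PDF or RTF can still carry an exploit for the reader that opens it), so this check belongs in front of, not instead of, the patching and privilege controls discussed later in the paper.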
Links within Spear Phishing emails will direct a target individual to a website which, when accessed,
will execute malicious software. A common method for an adversary to disguise a compromised
website is to compress the address, so it is displayed in a shortened format such as
http://tinyurl.com/companyx. Websites which are compromised appear authentic by having the same
design and structure as legitimate websites. It is possible that a legitimate website could also be
compromised further increasing the chance of a successful attack.
When malicious software is successfully accessed via an attachment or website link, it will seek to
exploit vulnerabilities in a target operating system or web browser. Figure 2 describes the stages in a
Spear Phishing attack and how the adversary will look to exploit an organisation’s network.
4. Stages involved in a Spear Phishing attack
CPNI uses the Cyber Kill chain developed by Lockheed Martin2 as a representation of the stages
involved in an effective cyber-attack. For a Spear Phishing attack to be successful, the following stages
are present:
Reconnaissance: In the reconnaissance phase an adversary browses websites, downloads
PDFs, and learns about the internal structure of a target organisation.
Weaponization: In this phase the adversary places malicious code into a delivery vehicle such
as an attachment or website.
Delivery: The delivery phase involves the transfer of malicious content to the target in some
form. In the case of Spear Phishing this is via email.
Figure 2 - Spear Phishing stages
2 www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-DrivenDefense.pdf
5. Business impact
Successful Spear Phishing attacks can have significant implications for organisations. The more serious
implications of becoming the target of a cyber-attack are listed below:
Theft of sensitive information: An adversary may steal commercially useful information such as trade
secrets, merger and acquisition plans, engineering designs, software codes or details of research
programmes. This could result in the loss of competitive advantage and have significant financial
consequences.
Sabotage: Once on a network, an adversary may seek to delete or alter data with the aim of disrupting
business operations. Depending on the access level gained, they could make changes to company
data, log files, configuration settings, and user passwords or alter code for applications running on the
network.
Secondary use of compromised machines: An adversary can use a compromised machine to conduct
attacks against other individuals or networks. This may involve sending Spear Phishing emails to
contacts from a compromised user account. This can cause reputational damage to the initial victim
organisation, as its customers and suppliers will initially attribute these communications to the
sending organisation.
Incident response and recovery costs: Investigating and recovering from a compromise can be
expensive and time-consuming. The cost will depend on how long the network has been
compromised and the steps needed to prevent the risk of an adversary simply being able to reestablish a presence on the network.
6. How to defend against Spear Phishing attacks
In order to successfully reduce the risks posed by Spear Phishing attacks, organisations should seek to
achieve a good balance of educational awareness and effective technical controls. CPNI endorses the
Critical Security Controls3 as an effective way to protect against Spear Phishing and other cyber-attacks.
This section presents the most relevant Critical Security Controls for defending against Spear Phishing.
Security awareness training: An important measure in defending against Spear Phishing attacks is
ensuring a high level of security awareness amongst staff. Employees should be educated about the
changing nature of Spear Phishing attacks. An adversary will look to exploit an employee’s lack of
security awareness. There are some questions an employee can ask when receiving an email with a
suspicious link or attachment.
Who is the sender? Can the employee verify it has definitely come from them and is it
someone from whom they would expect to receive emails on this subject?
Is the style of writing consistent with the sender? Does anything appear unusual about the
tone, spelling or urgency of the email?
Is the request out of the ordinary (e.g. to open a file the user wasn’t expecting)?
Have other colleagues received a similar email?
These questions can begin to help employees identify Spear Phishing emails. When training staff, it is
important to make them aware of company policies regarding communications and security.
Organisations can look to design their own training package to educate their staff on the threat posed
from Spear Phishing using commercially available tools. In the training package, if a user does click on
a link or open an attachment in a test email, they will be taken through to a training area that helps
them gain a better understanding, making them less susceptible to attacks in the future. A number of
anti-phishing tools are also available to alert users to phishing content contained within websites and
emails. These tools offer an advanced level of protection above traditional IT security defences.
Boundary defence: Malicious code generated from Phishing emails will exploit systems which can
reach across the internet.
To control the flow of traffic through network borders, organisations should use multi-layered
boundary defences such as firewalls, proxies, demilitarised (DMZ) perimeter networks, and
network-based IPS and IDS. It is also critical to filter both inbound and outbound traffic to look for any
anomalies that may suggest malicious activity.
3 Critical Security Controls www.cpni.gov.uk/advice/cyber/Critical-controls/
7. Controlled use of administrative privileges: Organisations should aim to minimise administrative
privileges and only use administrative accounts where required. If a privileged user opens a malicious
attachment or accesses a website with embedded malicious content, malware will be deployed to
their IT system with the adversary assuming administrative privileges. With elevated rights, an
adversary can install malware and establish a foothold within the network faster than with standard
user access rights.
Continuous vulnerability assessment and remediation: Most Spear Phishing emails aim to exploit
known vulnerabilities in software. It is therefore vital to ensure that all systems and software are up to
date with the latest patches4. Patches should be applied to software that is most likely to be targeted
by an adversary. It is important that all types of infrastructure are patched, including laptops, mobile
devices, desktops, servers, switches and routers. This way, even if a compromised attachment or link
is opened, the malware will not be executed.
For further information on any of the topics discussed in this paper visit www.cpni.gov.uk
4 A patch is a small piece of software that is used to correct a problem with a software program or an operating system.