Phishing is a persistent menace to businesses of all sizes. The average cost of phishing has more than tripled since 2015 to reach a staggering $14.8 million in 2021. In 2022, phishing has reportedly doubled compared to the previous year. According to IBM, phishing now ranks as the second most expensive cause of data breaches worldwide. Phishing attacks are becoming increasingly more targeted as recent data shows that 65% of active groups of malicious actors now rely on spear-phishing as the primary infection vector. Watering hole websites (23%) come a distant second, followed by trojanized software updates (5%), web server exploits (2%), and data storage devices (1%). In this article, we will try and understand the differences between phishing and spear-phishing attacks. For more information and extensive resources on how to counter cyber threats, please refer to Managed Security Services.
What is Spear-phishing?
Phishing is a social engineering attack that uses email to trick users into giving up sensitive information or installing malicious software. Spear-phishing is a more targeted form of phishing, where the attacker operates on specialized personal knowledge about the victim and uses it to make their attacks more convincing. Three common types of spear-phishing attacks include W2 information extraction, direct deposit changes, or wire transfers.
In contrast to phishing, which involves “casting a wide net,” spear-phishing involves focusing on one or two victims at a time. Business email compromise (BEC) is an example of spear-phishing. In this scheme, the attacker poses as a senior employee at a company and requests wire transfers from the company’s bank account. The attacker may engage in social engineering techniques such as impersonating colleagues or vendors to convince employees to send money or give access to computer systems.
What is Phishing?
Phishing is a type of cybercrime in which fraudulent emails, texts, or other messages are used to lure potential victims into providing personal information. These fraudulent messages are often crafted to appear as though they are coming from legitimate companies or people. When unsuspecting users click on links or open attachments included in these messages, they may get redirected to fake websites where they will be asked to fill up forms with their usernames, passwords, credit card numbers, social security numbers and other private information. These fraudulent websites can look identical to their actual counterparts; the only difference is that the URLs themselves are carefully chosen to mimic real and trusted sites. Once a user shares their credentials or other private information with criminals – they can easily access all of your accounts.
Phishing attacks are also notorious for stealing cloud credentials of applications such as Office 365. Attackers will send you an email, requesting you to log in to their Office 365 account. The moment you log in, they will gain access to your shared files and information.
Key Differences Between Spear-phishing and Phishing
Evolution of phishing
Phishing is an online scam that attempts to steal personal information by impersonating a trustworthy source. The origins of phishing can be traced back to the late 1980s. The concept of phishing was first documented in a paper delivered to the International HP Users Group, Interex. Even in the 1990s, AOL users experienced phishing attempts where attackers posed as staff members on instant messaging systems and asked for user credentials. Since then, phishing strategies have become more sophisticated and non-generic as attackers target specific businesses with tailored messages and emails. In the past, phishing was done through spam and unsolicited email. However, modern phishing methods are more sophisticated and persistent. For instance, many phishing emails these days are virtually indistinguishable from an original piece of communication from the source they are pretending to be making it harder for users to trace phishing attempts.
The biggest difference between phishing and spear-phishing lies in the size and nature of the attack vector. In a typical non-generic phishing attack, hackers attempt to compromise a large number of accounts across an entire organization. Spear-phishing targets a specific group with a common trait, like all IT admin administrators or all newly hired employees. It could also target high-value individuals with privileged access to company systems. To protect your company from insidious phishing attacks, please contact Security Incident Response.
Technology used to carry out the attacks
Phishing scams typically rely on malicious links or files that ask you to share personal data under the guise of a legitimate provider. The “payload” attached to phishing attacks can vary, but it is usually some sort of malware that is installed onto the victim’s machine. In spear-phishing, on the other hand, there is no payload attached to the email. Instead, hackers instruct recipients to carry out an action via email campaigns.
Spear-phishing differs from generic phishing in terms of the costs involved. Because the attacker targets individuals with ready access to funds or information, the chances of falling prey to this attack (and therefore incurring its costs) are very high. Spear-phishing can cost the company money by way of direct fund transfers and loss to business reputation, as well as cause disruption to business continuity when you reset your systems and passwords.
The cost component of generic phishing is more difficult to calculate, as there are numerous victims involved. Even if each victim pays out a small sum of money, the hacker stands to gain a large cumulative sum. The difference is essentially in who bears the cost. In spear-phishing, it’s typically the company; in generic phishing attacks, it’s both consumers and business users who act on the attacker’s message. This is why it’s so important to train your employees in cyber awareness and empower them to recognize phishing tactics. Security Assessment and Testing offers extensive resources on employee cyber security training.
Post courtesy: Cyber74