Phishing scams

This article is written by Michael Shriney from the Sathyabama Institute of Science and Technology. The article describes spear phishing, including its types, signs, and effectiveness, as well as why spear phishing is harmful. It also discusses how to safeguard oneself against it with some tips, and the difference between spear phishing and phishing and whaling.

It has been published by Rachit Garg.

Introduction

Phishing is a social-engineering attack that targets people rather than systems: the victim is tricked into handing over data, logging in with their credentials on a fake page, or entering credit or debit card details. The attacker approaches the victim by email, instant message, phone or text message while posing as a trustworthy entity such as a bank, employer or service provider, and the recipient is persuaded to open the message and act on it. The harvested information is then used to gain access to private accounts, resulting in theft and financial loss. Spear phishing is a targeted variant of phishing that focuses on a single individual or a small group of people and carries content likely to be of interest to them, such as current events, a pending invoice or a message from a known colleague. It is social engineering in which the chosen target is lured into clicking a link or opening an attachment in a fake email, text message or chat message.


Spear phishing

Spear phishing is email or electronic-communication fraud directed at a specific person, organisation or company. Its usual aim is to steal data for malicious purposes, although the fraudster may instead want to compromise the target's computer or gain a foothold in the target's network. The attacker first gathers information about the victim, such as their friends, relatives, employer, location, and what they have done or bought online, then uses it to approach the victim in a convincing way by email or through other messaging applications. Because the message is built from facts the victim recognises, it is one of the most successful forms of cybercrime worldwide.

How does it work

A scammer sends the target an email that purports to come from a trusted source and carries a link to a fraudulent website or a malicious attachment. These emails are crafted to grab the reader's attention. Such attacks are carried out both by state-sponsored groups and by ordinary criminals, who may resell the stolen information to governments or private businesses. To make their messages and websites convincing, the perpetrators use tailored social-engineering techniques built on what they have learned about the target beforehand, such as their friends, email addresses, geographic location and public posts. As a result, even high-ranking targets within businesses, such as senior executives, find themselves opening emails they believed were safe. That single mistake gives the attacker the credentials or foothold needed to go after the organisation's network.

Signs of spear phishing

The following are warning indications of spear phishing:

A catchy email subject line

Spear phishing subject lines are written to compel an immediate reaction. For example, the subject may read "urgent action necessary", in the expectation that the recipient will open the message and respond at once. If a subject catches your attention through urgent, threatening or intriguing wording, pause before clicking any link in it and check for the other signs of a scam listed below.

Low-quality images

Most reputable businesses make sure their email templates and signatures use high-quality logos and images. Cybercriminals often pay less attention to such details, because their only aim is to fool the reader quickly. An unsolicited email with blurry or distorted graphics can therefore be a hint of something more serious. Confirm that the message is genuine before clicking any link in it. Note that this is a weak signal on its own: well-resourced attackers copy legitimate templates exactly, so a polished email is not proof of legitimacy.

Unfamiliar tone

Spear phishing criminals often impersonate a contact the victim already knows in order to trick them into downloading malware or acting on a request. Take notice of the message's tone and overall appearance, and compare it with previous emails from the same person. If the wording seems odd, do not reply to the email; instead contact the sender through another channel (a phone call or a known-good address) before acting, or block the message.

Variations in links, addresses, and domains 

To identify a suspected spear phishing attempt, look for inconsistencies in email addresses, links and domain names. Compare the sender's address with earlier communications to see whether it matches exactly; a display name can be set to anything, so the address behind it is what counts. Hover the mouse over any link in the message to view the real URL before clicking. If it leads to a site whose domain does not match the supposed sender (for example, a lookalike spelling of the company's domain), do not click it and report the message right away.

Unusual requests

In spear phishing, scammers posing as a boss or colleague may urge the target to complete a task quickly: fill in a form, approve a payment, or install a program such as "antivirus" or other software. Whatever the request is, the recipient should ask whether it is reasonable, practical and consistent with the company's internal processes, and should verify it with the supposed requester through a separate channel. If it looks odd, do not follow the link or open the attachment, and report it.
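
The signs above reduce to checks that can be automated on a raw message. The following Python script is an added example, not code from the original article: it parses one RFC 5322 email and flags an urgency-laden subject line, a familiar display name arriving from a different address than before, a Reply-To that diverts replies to another domain, and link text that shows one host while the href points at another (what a user would discover by hovering). The domain names, the sender allowlist and the two sample messages are constructed for illustration.

```python
"""Flag common spear-phishing indicators in a single raw email message.

Added example, not code from the original article. Domain names, the sender
allowlist and the two sample messages are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject-line phrases that manufacture urgency (the "catchy subject line" sign).
URGENCY_WORDS = ("urgent", "immediately", "action required",
                 "action necessary", "suspended", "verify your")

# Constructed allowlist: display names this mailbox has corresponded with
# before, mapped to the address each of them used last time.
KNOWN_SENDERS = {"acme bank security": "alerts@acmebank.example"}


class _LinkParser(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL ('' if none); bare 'www.x.example/p' gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """True when the visible link text is itself presented as a web address."""
    return "://" in text or text.lower().startswith("www.")


def check_message(raw_bytes, known_senders=KNOWN_SENDERS):
    """Return a list of (indicator, detail) pairs; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    # 1. Urgent or threatening subject line.
    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(("urgent-subject", ", ".join(hits)))

    # 2. A familiar display name, but the address behind it has changed.
    display, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    expected = known_senders.get(display.strip().lower())
    if expected and expected.lower() != from_addr.lower():
        findings.append(("sender-mismatch",
                         f"{display!r} previously wrote from {expected}, now {from_addr}"))

    # 3. Replies are silently routed to a domain other than the sender's.
    _, reply_to = parseaddr(str(msg["Reply-To"] or ""))
    if reply_to:
        reply_domain = reply_to.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            findings.append(("reply-to-mismatch",
                             f"From is {from_domain} but replies go to {reply_domain}"))

    # 4. Link text shows one host while the href leads somewhere else.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        parser = _LinkParser()
        parser.feed(html_part.get_content())
        for href, text in parser.links:
            if looks_like_url(text) and host_of(text) != host_of(href):
                findings.append(("link-text-mismatch",
                                 f"shows {host_of(text)} but goes to {host_of(href)}"))
    return findings


# Constructed sample: a lookalike domain, a diverted Reply-To and a disguised link.
SAMPLE_PHISH = b"""From: Acme Bank Security <alerts@acme-bank-verify.example>
Reply-To: support@mail-recovery.example
To: victim@corp.example
Subject: Urgent action necessary: verify your account today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your access will be suspended unless you confirm your details.</p>
<p><a href="http://acme-bank-verify.example/login">https://www.acmebank.example/secure</a></p>
</body></html>
"""

# Constructed sample: the same sender as previously seen, with an honest link.
SAMPLE_LEGIT = b"""From: Acme Bank Security <alerts@acmebank.example>
To: victim@corp.example
Subject: Your March statement is available
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.acmebank.example/statements">https://www.acmebank.example/statements</a>.</p></body></html>
"""
```

Running `check_message(SAMPLE_PHISH)` yields four findings, one per sign, while `check_message(SAMPLE_LEGIT)` yields none. The allowlist of previously seen senders is the piece that makes the sender check useful; without a baseline of what "normal" looks like for a mailbox, a display-name check has nothing to compare against.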

Provisions for spear phishing under Indian Laws

Spear phishing, like any other phishing, is criminal and punishable in India under the Information Technology Act, 2000. The Act does not name phishing or spear phishing as such, but the provisions below cover the conduct involved (unauthorised access, identity theft and cheating by personation), and they apply equally to spear phishing.

The following are the Sections of the legislation that apply to spear phishing:

  1. Section 43: Anyone who, without the owner's permission, accesses another person's computer, computer system or computer network, downloads or copies data from it, disrupts it, or assists another person in doing so is liable under this Section. It also covers anyone who steals, conceals, destroys or alters, or causes another person to steal or alter, any computer source code used for a computer resource with intent to cause damage. The liability under Section 43 is civil: the wrongdoer must pay compensation to the person affected.
  2. Section 66: This Section provides the criminal punishment. Anyone who dishonestly or fraudulently does any of the acts referred to in Section 43 (which is what a phishing attacker does once stolen credentials are used) is punishable with imprisonment for a term that may extend to three years, or a fine of up to five lakh rupees, or both.
  3. Section 66A: This Section punished the sending of false or offensive information through a computer resource or communication device. It was struck down as unconstitutional by the Supreme Court in Shreya Singhal v. Union of India (2015) and can no longer be relied upon; the phishing email itself is instead dealt with under Sections 66C, 66D and the cheating provisions of the Penal Code.
  4. Section 66C: This Section deals with the punishment for identity theft. Anyone who fraudulently or dishonestly makes use of another person's electronic signature, password or any other unique identification feature is punishable with imprisonment for a term of up to three years and a fine of up to one lakh rupees.
  5. Section 66D: This Section deals with the punishment for cheating by personation using a computer resource. Anyone who, by means of any communication device or computer resource, cheats by impersonating another person is punishable with imprisonment for a term of up to three years and a fine of up to one lakh rupees.

The following Sections of the Indian Penal Code, 1860, also apply to spear phishing (the IPC has since been replaced by the Bharatiya Nyaya Sanhita, 2023, with effect from 1 July 2024, which carries the corresponding offences under new section numbers):

Section 415 (Cheating), Section 425 (Mischief), Section 464 (Making a false document, the act that constitutes forgery under Section 463) and Section 107 (Abetment): a spear phishing attack can be proven and punished as cheating, mischief, forgery and abetment under these Sections.

Section 415: This Section defines cheating. Whoever, by deceiving a person, fraudulently or dishonestly induces that person to deliver property or to do or omit to do something they would not otherwise have done, and thereby causes or is likely to cause harm to that person's body, mind, reputation or property, commits cheating. For example, 'A', posing as 'B's bank, deceives 'B' into entering his credentials on a fake login page and then uses them to withdraw money from 'B's account.

Section 425: This Section defines mischief. Mischief is committed by anyone who, with the intent to cause, or knowing that he is likely to cause, wrongful loss or damage to the public or to any person, destroys any property or makes a change in it that diminishes its value or usefulness or affects it injuriously. For example, 'A' intentionally erases important files saved on 'B's laptop with the intent of causing irreparable loss to 'B'; 'A' has committed mischief.

Section 464: This Section defines the making of a false document or false electronic record, which, when done with intent to cause damage, support a claim or commit fraud, is forgery under Section 463. For example, 'A' crafts an email and web page that falsely purport to come from 'B's bank in order to trick 'B' into revealing his account details.

Section 107: This Section defines abetment. Abetment occurs when a person instigates, conspires with or intentionally aids another person to commit an offence. For example, 'A' abets the offence when he helps 'B' break into 'C's laptop with the intent of harming 'C's reputation.

How to protect yourself from spear phishing

There are several ways to reduce the risk of spear phishing:

Educate: Effective education prevents much of the harm a phishing attempt can do. Teach employees and students what spear phishing looks like, and use phishing simulation tools on a regular basis so that they practise identifying attacks. Raising public awareness of this cybercrime is part of bringing spear phishing under control.

Use a proven security awareness program: Go beyond one-off training by running an established security awareness program with phishing simulations, so that spear phishing and related risks stay at the forefront of everyone's mind in the workplace. Every organisation should make its training available to all users in several formats.

Monitor and measure results: Encourage security executives and program ambassadors to use phishing simulation results to measure staff awareness of spear phishing over time. Check that the program supports the organisation's long-term security objectives and adjust it as needed.

Spread the right word: The organisation should run an awareness campaign that communicates about cyber security, spear phishing and social engineering on a continuous basis. The campaign should cover password policy for staff as well as reminders about the threats that arrive as attachments, emails and URLs.

Limit access to sensitive information: Apply least privilege. Restrict network access so that personal devices cannot reach sensitive systems, limit each user to the data their role needs, and control how information leaves the business network; a compromised account then exposes less.

Keep software updated: Ensure that all applications, internal software, network tools and operating systems are patched and up to date, so that a malicious attachment or link cannot exploit a known vulnerability. Install anti-malware and anti-spam software as an additional layer against spear phishing.

Create a security-centric culture: Policies and procedures, best practices, executive security awareness, change management and support should all be part of the business culture.

Two-factor authentication: Two-factor authentication protects logins to important applications by requiring something the user knows (the password) together with something the user has (an authenticator app, hardware token or phone) or something the user is. When it is enabled, a password captured through spear phishing is useless to the attacker without the second factor. Note that one-time codes can still be relayed by a phishing page in real time; phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the login to the genuine site's domain, close that gap.

Password management policies: A good password management policy prohibits employees from using business credentials on external websites and has them use a password manager. A password manager only offers saved credentials on the exact domain they were saved for, so a lookalike phishing site receives no autofill, and that silence is itself a warning sign that the site is not the real one.

Tips to avoid a spear phishing attack

  • Before you post something on the internet, consider whether a scammer could use it against you (your employer, colleagues, travel plans or purchases all feed a spear phishing pretext). If so, don't publish it, or restrict it to a small audience.
  • Use a distinct password for each account and never reuse one. Reusing passwords, or varying them in a predictable way, means that an attacker who obtains one of them can quickly get into all of your accounts. Long passwords built from random words, digits, symbols and mixed-case characters are the most secure, and a password manager makes unique passwords practical.
  • Check and update your software regularly. If a program prompts you to install an update, do it straight away; most updates include fixes for security flaws that attackers exploit. Enable automatic updates wherever practical.
  • Don't click links in emails. If a company such as a bank sends you a link, open your browser and go to the bank's website directly instead. Hovering the mouse over a link shows where it really leads; if the URL doesn't match the link text or the email's stated destination, the email is malicious. If in doubt, don't click, and verify with the sender through a separate channel.
  • Install endpoint protection software (for example McAfee or Norton AntiVirus) on your company's devices. Data loss from spear phishing attacks is best prevented by combining user education on data security practices with a data protection solution that detects malware and blocks exfiltration.

Difference between spear phishing and phishing

  1. Targeting
     Spear phishing: aimed at a specific person, group or organisation.
     Phishing: sent in bulk to large lists of unsuspecting contacts, with no particular target.
  2. Scale
     Spear phishing: targets a single person or a small group of individuals.
     Phishing: targets a large number of people at the same time.
  3. Effort
     Spear phishing: the attacker spends considerable time researching the target before sending anything.
     Phishing: emails are sent to many people in a short time with little preparation.
  4. Attribution
     Spear phishing: the culprits are harder to identify because each attack is small and tailored.
     Phishing: large-scale campaigns are easier to identify and attribute.
  5. Risk
     Spear phishing: more dangerous, because the message is convincing and the target is valuable.
     Phishing: less dangerous per message than spear phishing.
  6. Detectability
     Spear phishing: a personal message to a specific individual or group that looks like a trustworthy email and is far harder to recognise as a scam.
     Phishing: impersonal because sent in bulk, and often betrayed by spelling errors and generic wording.
  7. Purpose
     Spear phishing: to collect specific information (credentials, financial data or trade secrets) from a chosen target, often inside a large organisation.
     Phishing: to collect personal information such as bank card data from a large number of people.
  8. Method
     Spear phishing: a largely manual, hand-crafted attack.
     Phishing: an automated, computer-assisted mass mailing.
  9. Typical outcome
     Spear phishing: compromise of an organisation's data, systems or reputation.
     Phishing: theft of money from individuals.
  10. Typical attacker
     Spear phishing: attackers pursuing a specific business, such as targeted malware distributors.
     Phishing: cyber thieves and professional criminals.

Difference between spear phishing and whaling

  1. Reconnaissance
     Spear phishing: the attacker gathers enough about a lower-profile target to craft a convincing email or text, without extended surveillance.
     Whaling: the attacker goes to great lengths to profile a high-ranking individual, studying their emails and social media, sometimes using spear phishing first in order to read their email conversations.
  2. Technique
     Spear phishing: the victim is tricked into clicking a fake link that installs malware, giving the attacker access to data on the target computer or network.
     Whaling: the attacker uses more elaborate pretexts to obtain information from a CEO, COO or CTO, by sending emails or text messages that appear legitimate but contain fake links.
  3. Target
     Spear phishing: aimed at people with a lower profile.
     Whaling: aimed at high-ranking people in the organisation.
  4. Goal
     Spear phishing: to steal corporate financial information.
     Whaling: to steal administrative credentials or commercial secrets.
  5. Nature
     Spear phishing: an attack directed at a specific individual, rather than an indiscriminate attack like ordinary phishing.
     Whaling: an attack directed at a wealthy, powerful or influential individual within a large company.
  6. Cost
     Spear phishing: comparable to ordinary phishing and less costly than whaling.
     Whaling: a form of spear phishing that costs the attacker more time and effort.
  7. Defence
     Spear phishing: prevented mainly by educating people to recognise it.
     Whaling: prevented by additionally training executives to double-check URLs and verify unusual requests before acting on them.

Conclusion

Spear phishing attacks send emails that mimic a trusted person or domain, a technique known as email spoofing. They rely on social engineering, using a sense of urgency to exploit the victim's desire to help a friend or colleague, and may arrive through a channel other than the one the supposed sender normally uses. Poor grammar and spelling, or language that differs from the impersonated sender's usual style (a casual instead of formal tone, or unusual vocabulary), are signs of spear phishing. The emails go to people chosen because of their relationship to the victim or the organisation. The attacker pretends to be a reputable business or colleague, and the email appears genuine.

Spear phishing attacks are so well crafted that traditional spam filters often do not stop them, and they are getting harder to identify. Once user data is stolen, attackers can exfiltrate commercially sensitive information or conduct espionage. Spear phishing can also deploy malware that turns compromised computers into massive networks known as botnets, which are then used to launch denial-of-service attacks. Employees must be made aware of the threat, including the likelihood of receiving fraudulent emails, in order to resist spear phishing attacks. Email security technology, in addition to education, is required.
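
The conclusion notes that spear phishing relies on email spoofing and that email security technology is needed alongside education. The following Python script is an added example, not code from the original article: it reads the Authentication-Results header (RFC 8601) that a receiving mail server stamps on a message and accepts the claimed From domain only when the receiver's own DMARC evaluation passed for that exact domain. Because an attacker can add an Authentication-Results header of their own before sending, the script trusts only the instance carrying the organisation's own authserv-id. The server name, domains and sample messages are constructed.

```python
"""Decide whether a message's claimed sender domain was actually authenticated.

Added example, not from the original article. Trusts only the
Authentication-Results header stamped by our own inbound server (identified
by its authserv-id), since an attacker can forge such headers.
Server names, domains and sample messages are constructed.
"""
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed: the authserv-id our own inbound mail server writes.
OUR_AUTHSERV_ID = "mx.corp.example"

_METHOD_RE = re.compile(r"^(?P<method>[a-z]+)=(?P<result>[a-z]+)", re.I)
_PROP_RE = re.compile(r"\b([a-z]+\.[a-z]+)=([^\s;()]+)", re.I)


def parse_authentication_results(value):
    """Split one Authentication-Results value into (authserv_id, {method: (result, props)}).

    Example value:
      mx.corp.example; spf=fail smtp.mailfrom=evil.example; dmarc=fail header.from=bank.example
    Splitting on ';' is adequate for typical values; it does not handle a ';'
    inside a quoted string or comment.
    """
    fields = [f.strip() for f in value.split(";") if f.strip()]
    if not fields:
        return "", {}
    authserv_id = fields[0].split()[0].lower()  # drop an optional version token
    results = {}
    for field in fields[1:]:
        m = _METHOD_RE.match(field)
        if not m:
            continue
        props = {k.lower(): v.lower() for k, v in _PROP_RE.findall(field)}
        results[m.group("method").lower()] = (m.group("result").lower(), props)
    return authserv_id, results


def sender_authenticated(raw_bytes, our_authserv_id=OUR_AUTHSERV_ID):
    """Return (ok, reason). ok is True only when our own server recorded
    dmarc=pass for the exact domain shown in the From header."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    _, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    trusted = None
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authentication_results(str(value))
        if authserv_id == our_authserv_id:  # ignore headers from anyone else
            trusted = results
            break
    if trusted is None:
        return False, "no Authentication-Results header from our own server"

    dmarc = trusted.get("dmarc")
    if dmarc is None:
        return False, "our server recorded no DMARC evaluation"
    result, props = dmarc
    evaluated = props.get("header.from", "")
    if result != "pass":
        return False, f"dmarc={result} for {evaluated or from_domain}"
    if evaluated and evaluated != from_domain:
        return False, f"dmarc passed for {evaluated}, but From shows {from_domain}"
    return True, f"dmarc=pass for {from_domain}"


# Constructed sample: our server's header (first, as a receiver prepends it)
# records SPF and DMARC failures; the attacker's forged header below it
# claims everything passed.
SAMPLE_SPOOFED = b"""Authentication-Results: mx.corp.example; spf=fail (sender IP 203.0.113.5) smtp.mailfrom=acme-bank-verify.example; dkim=none; dmarc=fail (p=REJECT) header.from=acmebank.example
Authentication-Results: mail.attacker.example; spf=pass; dkim=pass; dmarc=pass header.from=acmebank.example
From: Acme Bank Security <alerts@acmebank.example>
To: victim@corp.example
Subject: Urgent action necessary
Content-Type: text/plain; charset="utf-8"

Please confirm your login details today.
"""

# Constructed sample: the genuine bank, authenticated by our own server.
SAMPLE_LEGIT = b"""Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=acmebank.example; dkim=pass header.d=acmebank.example; dmarc=pass (p=REJECT) header.from=acmebank.example
From: Acme Bank Security <alerts@acmebank.example>
To: victim@corp.example
Subject: Your March statement is available
Content-Type: text/plain; charset="utf-8"

Your statement is ready in online banking.
"""
```

`sender_authenticated(SAMPLE_SPOOFED)` returns a failure even though a header in the message says `dmarc=pass`, because that header was not written by `mx.corp.example`. In production the receiving server should also strip any inbound Authentication-Results header that carries its own authserv-id, so that an attacker cannot forge the trusted one either.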

