One of the most prolific cyber-attacks in recent times is spear phishing, a subtype of phishing that mainly targets companies' senior management in order to obtain greater benefits compared to massive traditional phishing campaigns.
This type of phishing is more complex and requires more planning, as it is necessary to obtain a lot of information about the victim and their company's processes in order for the deception to work. The first step is to select the target, usually top executives who have valuable information or who have the permissions needed to perform important banking transactions.
In a spear phishing attack, the victim is sometimes spied on for weeks or months. During this period their habits and preferences are studied and their emails are analyzed to find out who they communicate with, as well as the type of conversations they have. In addition to information about the victim, their company's operation is also studied: its management processes, its terminology, the organization chart and how decisions are made. After this period of analysis, there is a complete personal dossier about the victim and the company that will make it possible to subsequently create the most realistic hook possible.
When the time comes, the cybercriminals pose as online consumers, banking institutions, family members, colleagues, partners and even superiors. Most of the emails are designed in such a way that even the sender's address and content seem, at first glance, deceptively real. For example, they may include information relevant to the recipient's personal or business interests, to increase the likelihood of the recipient responding. Sometimes they take advantage of extraordinary situations or short-term junctures such as a superior's vacation, a new contract with a supplier or client... so that the victim must make decisions that involve sending information or money, which is the attack's ultimate objective.
Despite the complexity of this type of attack with regard to hook preparation and planning time, spear phishing attacks the most fragile link in cybersecurity: human beings. This simplifies the technical requirements needed, in comparison to attacks designed to crack a system. In other words, cheating a person is easier (and faster) than cheating a system.
The credibility of the email, which is the essential element of successful phishing, is one of the advantages of spear phishing, thanks mainly to that specific preparation and prior analysis of the victim that makes it possible to deploy a highly prepared attack. The email elements that must be controlled are:
- Address of origin: The email's origin is forged, always being someone related to the organization or an acquaintance. For example, a supplier, a customer's accountant or a colleague from another branch. The email address is usually hacked or is very similar to the original, so that it does not raise the sender's (the recipient’s) suspicion.
- Subject of the message: The subjects are always attractive, attempting to get the user's attention and having a certain sense of novelty and urgency. However, they also use common subjects that make the sender (the recipient) believe they are real emails.
- Content: This is where the attack puts into play all the analysis carried out on the victim for weeks or months. To be credible, the company's own terminology is used, and reference is made to internal processes, people or information that only someone from within the organization could have. Sometimes the sender’s (the recipient's) own way of writing is copied, as well as the signature and structure that they usually use in their emails.
The thing that the attacker wants the victim to do is included in this basic content: sending a document, making a bank transfer, providing certain information.... That is, a few tablespoons of realism accompanied by a pinch of social engineering to generate the persuasion that makes it possible to obtain what is wanted from the victim.
But all this would not work without a final ingredient: the comfortable, everyday routine that our brain likes so much. Imagine that top executive opening their inbox and starting to download their dozens of regular and daily emails. Nobody's head, including theirs, has unlimited cognitive resources. A systematic evaluation of all the information that reaches us is not possible, including that which reaches us through online communication.
So how can we approach the decision of whether what is reaching us is false or real? Our brain has a solution for this: to work using biases. In other words, by means of mental shortcuts that allow us to make decisions quickly and without much analysis. In this case, we function using what is called truth bias, which is simply the tendency to consider as true whatever information closely resembles what we have previously seen to be true.
In other words, the emails that this top executive receives are basically never false, so he or she will assume that those that arrive today are not false, either. Because despite what television series tell us, we are really clumsy when it comes to detecting lies and tend to believe others more often than we should. This clearly explains why fraud is one of the most prolific crimes. In the analog world, we can consider certain indicators that make us think that someone may be lying to us. We can analyze whether what they say is credible to us, but additionally, whether it is also accompanied by equally credible nonverbal behavior.
Some facial expressions, certain gestures or postures can make us think that the person is lying to us (although, as we say, we are clumsy at detecting lies and these nonverbal indicators do not work as well as we are shown in television series). But in the digital world we don't have these added indicators. We have a text or an image that is a perfect copy of the original, some words or terms that correspond to what we expect, so it is very difficult for us to distinguish the truth from a lie.
And this is the big problem of the internet, to be able to distinguish a copy from the original, the true from the false.