One of the most prolific cyber-attacks in recent times is spear phishing, a subtype of phishing that mainly targets companies' senior management in order to obtain greater benefits compared to massive traditional phishing campaigns.
Spear phishing is a type of phishing that is more complex and requires more planning, as it is necessary to obtain a lot of information about the victim and their company's processes in order for the deception to work. The first step is to select the target, usually top executives who have valuable information or who have the permissions needed to perform important banking transactions.
In a spear phishing attack, the victim is sometimes spied on for weeks or months. During this period their habits and preferences are studied and their emails are analyzed to find out who they communicate with, as well as the type of conversations they have. In addition to information about the victim, their company's operation is also studied: its management processes, its terminology, the organization chart and how decisions are made. After this period of analysis, there is a complete personal dossier about the victim and the company that will make it possible to subsequently create the most realistic hook possible.
When the time comes, the cybercriminals pose as online consumers, banking institutions, family members, colleagues, partners and even superiors. Most of the emails are designed in such a way that even the sender's address and content seem, at first glance, deceptively real. For example, they may include information relevant to the recipient's personal or business interests, to increase the likelihood of the recipient responding. Sometimes they take advantage of extraordinary situations or short-lived circumstances such as a superior's vacation or a new contract with a supplier or client, so that the victim must make decisions that involve sending information or money, which is the ultimate objective of the spear phishing attack.
Despite the complexity of this type of attack with regard to hook preparation and planning time, spear phishing attacks the most fragile link in cybersecurity: human beings. This simplifies the technical requirements needed, in comparison to attacks designed to crack a system. In other words, cheating a person is easier (and faster) than cheating a system.
The credibility of the email, which is the essential element of successful phishing, is one of the advantages of spear phishing, thanks mainly to that specific preparation and prior analysis of the victim, which makes it possible to deploy a highly tailored attack. The email elements that must be controlled are:
The action that the attacker wants the victim to take is included in this basic content: sending a document, making a bank transfer, providing certain information... That is, a few tablespoons of realism accompanied by a pinch of social engineering to generate the persuasion that makes it possible to obtain what is wanted from the victim.
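The article notes that in a well-prepared spear phishing email even the sender's address looks real at first glance. From the defender's side, the cheapest place to catch that deception is in the message headers, before any human applies the truth bias described below. The following is an added example, not code from the article or any product it describes: it checks a raw message for a display name that claims a different domain than the real sender, a Reply-To that routes answers elsewhere, and a sender domain that imitates a trusted one. The trusted-domain list, the confusable-character table, the edit-distance threshold and both sample messages are assumptions constructed for the example.

```python
"""Header-level checks for the deceptive-sender pattern discussed above.

Added example. It inspects only the From and Reply-To headers of a raw
RFC 5322 message and returns human-readable findings; it does not look at
the body. Every constant below is a constructed assumption, not a value
taken from the article.
"""
import email
import re
from email.utils import parseaddr
from typing import Optional

# Assumed: the organisation's own domain(s). Constructed value.
TRUSTED_DOMAINS = {"example-corp.com"}

# Digit/letter substitutions often seen in lookalike domains (assumed set).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; fine for domain-sized strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.

    An exact match is not a lookalike. A domain counts as a lookalike when
    it is within edit distance 2 of a trusted domain, either as written or
    after undoing the confusable substitutions (threshold is an assumption).
    """
    if domain in trusted:
        return None
    folded = domain.translate(_CONFUSABLES)
    for t in trusted:
        if min(_edit_distance(domain, t), _edit_distance(folded, t)) <= 2:
            return t
    return None


def check_sender_headers(raw_message: str) -> list:
    """Return a list of findings about the From / Reply-To headers of a raw message."""
    msg = email.message_from_string(raw_message)
    findings = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. The display name shows an address whose domain differs from the real sender domain.
    for claimed in re.findall(r"[\w.+-]+@([\w-]+\.[\w.-]+)", display):
        if claimed.lower() != from_dom:
            findings.append(f"display-name domain {claimed.lower()} != sender domain {from_dom}")

    # 2. Replies would go to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = _domain(reply_addr)
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} != sender domain {from_dom}")

    # 3. The sender domain imitates a trusted domain.
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"sender domain {from_dom} looks like trusted domain {target}")

    return findings


# Constructed sample messages (not real traffic).
SAMPLE_LEGIT = """\
From: Dana Finance <dana@example-corp.com>
To: ceo@example-corp.com
Subject: Q3 figures

Attached as discussed.
"""

SAMPLE_SPOOFED = """\
From: "dana@example-corp.com" <dana@examp1e-corp.com>
Reply-To: dana.finance@mail-relay.example.net
To: ceo@example-corp.com
Subject: Supplier payment before the audit

Could you approve the transfer today?
"""

if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("spoofed", SAMPLE_SPOOFED)):
        print(label, check_sender_headers(sample))
```

Run stand-alone, the legitimate message produces no findings and the spoofed one produces three, one per check. The checks are deliberately narrow: they surface the specific mismatch a reader can verify by eye, and they say nothing about a message whose sender is genuinely compromised, which is why header checks complement, rather than replace, the process controls the article goes on to discuss.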
But all this would not work without a final ingredient: the comfortable, everyday routine that our brain likes so much. Imagine that top executive opening their inbox and starting to download their dozens of regular and daily emails. Nobody's head, including theirs, has unlimited cognitive resources. A systematic evaluation of all the information that reaches us is not possible, including that which reaches us through online communication.
Our brain has a solution for this: to work using biases. In other words, by means of mental shortcuts that allow us to make decisions quickly and without much analysis. In this case, we function using what is called truth bias, which is simply the tendency to consider as true whatever information closely resembles what we have previously seen to be true.
In other words, the emails that this top executive receives are basically never false, so he or she will assume that those that arrive today are not false, either. Because despite what television series tell us, we are really clumsy when it comes to detecting lies and tend to believe others more often than we should. This clearly explains why fraud is one of the most prolific crimes. In the analog world, we can consider certain indicators that make us think that someone may be lying to us. We can analyze whether what they say is credible to us, but additionally, whether it is also accompanied by equally credible nonverbal behavior.
Some facial expressions, certain gestures or postures can make us think that the person is lying to us (although, as we say, we are clumsy at detecting lies and these nonverbal indicators do not work as well as we are shown in television series). But in the digital world we don't have these added indicators. We have a text or an image that is a perfect copy of the original, some words or terms that correspond to what we expect, so it is very difficult for us to distinguish the truth from a lie.
And this is the big problem of the internet: being able to distinguish a copy from the original, the true from the false.