As U.S. political theater continues to play out on a global stage, the phrase "spear phishing" has popped up several times. A 2016 joint report from the U.S. Department of Homeland Security and the FBI detailed how malicious hackers targeted a "political party," meaning the Democratic National Committee. They used spear phishing to do so. But what exactly is spear phishing?
Phishing is one of those nautically related terms that we use within the context of malicious internet behavior (see also: trolling). You've probably heard of it. But here's a recap, just in case: Phishing refers to the practice of sending out messages to targets in the hope of tricking them into revealing sensitive information. A phishing scheme might try to fool people into sharing credit card information or a Social Security number. Phishing attempts can be general and cast a wide net across many potential targets.
Spear phishing is a subset of phishing that relies on a more focused approach. A malicious actor will target specific groups of people, such as employees of a particular company or, as was the case with the DNC, members of a political organization. Spear phishers refine their messaging to fit their targets to increase the odds that they'll get a hit. With phishing, you can be less specific in your language since you're trying to cast such a wide net. With spear phishing, you want to cater your attack to your intended targets.
There's yet another variant of spear phishing that is even more specific called whaling. Whaling involves targeting high-level executives or important officials directly. This attack can be personalized to create the best possible chance for a hit. Ultimately, the goal is the same as that of phishing or spear phishing — the attacker wants to convince the target to divulge some otherwise confidential or protected information. It happened to Mattel back in 2015, when a finance executive at the toy company received a plausible-sounding request for payment from a new Chinese vendor, in the amount of $3 million. The exec wired the money to China and found out shortly thereafter that the request was bogus. But the money was long gone.
In any of these cases, the approach an attacker might use can vary from instance to instance. A common ploy is to pose as a technical professional who requests that the target install some malicious software (malware) that's disguised as a security update or patch. The malware might spy on the computer activity of the target. It could include software called a keylogger, which keeps track of every key pressed by the user. This is a way to get usernames and passwords from a target.
Attacks can sometimes leverage emotional responses. Messages might indicate the target's computer has been hit with malware. Or it might include an offer for a business deal that sounds too good to be true. Attackers frequently depend upon how people can react impulsively when they are anxious or when someone appeals to the target's self-interest.
The more precise the strike, the more likely the attacker will use information about the target to an advantage. This might involve the attacker posing as someone the target knows and trusts.
Phishing falls under a broader category of deception called social engineering. This is a set of tools that people use to deceive targets into giving away more information than they would otherwise consent to. It's not that different from the skills a magician or mentalist might use in an act, only in the case of social engineering the goal isn't to entertain an audience.
To protect yourself against spear phishing and other social engineering, it's best to employ critical thinking. Verify the communications you receive are originating from trusted sources. Never share confidential information over open, unencrypted channels. And don't install any updates or programs that come from an unknown source without first checking to make sure it's legitimate.