
Hornetsecurity pinpoints spear-phishing M365 threats

Cyber-attackers are increasingly tailoring spear-phishing to the size and type of the organisation they target, research from Microsoft 365 (M365) security vendor Hornetsecurity has confirmed.

Speaking on the vendor’s Security Swarm podcast, Hornetsecurity’s Andy Syrewicze and Romain Basset agreed that spear-phishing strategies have evolved. Previously, messages built on simply harvested CEO details, or obvious, direct wire-transfer requests, were commonplace.

“But one of their techniques has become to use those intro emails or intro text messages as well as impersonating senior level or C level. They say things like ‘Hey, I’m stuck in a meeting all day. I need some help. Are you available?’,” Basset said.

This approach to initially establishing “some sort of relationship” and credibility also helped cyber criminals weed out likely responders. Those people who reply could then be targeted further, Basset added.

“A lot of people don’t know that initial contact fraud is basically a spear-phishing message that simply prompts for the target to respond back,” Syrewicze agreed.

He explained that the findings were from the 365 Total Protection vendor’s summer 2024 investigation of spear-phishing methods. The idea was to reveal tips and tricks that could help organisations defend themselves.

“We looked at all businesses, including large enterprises, SMB, the mid-market, and there were some interesting differences, and a couple of surprising things,” Syrewicze said. “And there’s a smishing portion of that – phishing over SMS, basically.”

An initial contact fraud SMS message can be as simple as a single word — such as ‘hey’. “Hey, like ‘oh, we’re buddies’. The idea is that a lot of people will respond,” he added.

From there a phone number can be retrieved. That can lead to other spear-phishing opportunities or reveal vulnerabilities — especially if staff aren’t adequately trained to defend themselves.

“If you don’t know this person, there should be red flags everywhere,” Syrewicze said.

Basset said that while many corporate workers today are now aware of phishing, that doesn’t mean they’re alert for the newer variations. Updating people’s knowledge is crucial.

Do you know who is communicating with you?

Another spear-phishing type might involve impersonation of an executive or HR in a message to workers asking for personal details to complete taxation, payroll or social security requirements. This is common in the US around tax time, from March to May each year, the vendor said.

“Depending on who they are going to target, they’re going to use new variations, new techniques, to get information,” noted Basset. “It’s not necessarily about eventually getting wire transfer or gift cards but about personal information.”

“These attacks aren’t even something that your security scanner is going to catch, because there’s no malicious code. There’s no malicious attachment. As far as the scanning engine is concerned, this is a legit message,” Syrewicze said.

Therefore, Hornetsecurity believes that organisations can best combat spear-phishing through training and processes, for example a standing procedure to verify any request for information or funds through a separate, known channel before acting on it.
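The point above, that these messages carry no malicious code or attachment for a content scanner to flag, is what makes the "initial contact" pattern hard to catch with signature-based tooling. The following is an added illustration, not code from the article or from Hornetsecurity, of the kind of lightweight heuristic a mail-flow rule or SOC triage script can apply instead: it checks whether a sender's display name matches a known executive while the address is external (or an unexpected internal address), and combines that with the short, urgent, link-free shape of the messages quoted in the article. The executive roster, internal domain, and sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    """Minimal view of an inbound email as a triage script would see it."""
    display_name: str
    sender_address: str
    subject: str
    body: str
    has_attachment: bool = False


# Hypothetical executive roster and internal domain (constructed for this example).
EXECUTIVES = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}
INTERNAL_DOMAINS = {"example.com"}

# Phrases typical of the "are you available?" opener described in the article.
URGENCY = re.compile(r"stuck in a meeting|need some help|are you available|quick favou?r|urgent", re.I)
LINK = re.compile(r"https?://", re.I)
SHORT_BODY_WORDS = 40  # intro messages are deliberately brief


def normalize_name(name: str) -> str:
    return " ".join(name.lower().split())


def classify(msg: Message, executives=EXECUTIVES, internal_domains=INTERNAL_DOMAINS):
    """Return (suspicious, reasons) for a message.

    A message is flagged only when an executive's display name is used from an
    address that is not that executive's known address AND the body has the
    short or urgent shape of an initial-contact lure. Either signal alone is
    too noisy to act on.
    """
    reasons = []
    domain = msg.sender_address.rsplit("@", 1)[-1].lower()
    name = normalize_name(msg.display_name)

    impersonation = False
    if name in executives:
        expected = executives[name].lower()
        if domain not in internal_domains:
            impersonation = True
            reasons.append("executive display name on an external sender address")
        elif msg.sender_address.lower() != expected:
            impersonation = True
            reasons.append("executive display name on an unexpected internal address")

    if len(msg.body.split()) <= SHORT_BODY_WORDS:
        reasons.append("very short body")
    if URGENCY.search(msg.subject + " " + msg.body):
        reasons.append("urgency or availability prompt")
    if not LINK.search(msg.body) and not msg.has_attachment:
        reasons.append("no link or attachment for a content scanner to inspect")

    suspicious = impersonation and (
        "very short body" in reasons or "urgency or availability prompt" in reasons
    )
    return suspicious, reasons


# Constructed sample messages: one lure from a webmail address, one legitimate
# internal message with an attachment, one external newsletter, and one lure
# sent from a look-alike internal mailbox.
SAMPLES = [
    Message("Jane Doe", "jane.doe.ceo@webmail-example.net", "Quick question",
            "Hey, I'm stuck in a meeting all day. I need some help. Are you available?"),
    Message("Jane Doe", "jane.doe@example.com", "Q3 board deck",
            "Attached is the updated deck for Thursday. Comments welcome before noon.",
            has_attachment=True),
    Message("Vendor News", "news@vendor-example.net", "October update",
            "Read this month's release notes at https://vendor-example.net/notes"),
    Message("Sam Lee", "s.lee@example.com", "Call me",
            "Can you call me? Urgent."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        flagged, why = classify(m)
        print(f"{'FLAG' if flagged else 'ok  '} {m.display_name} <{m.sender_address}>: {'; '.join(why)}")
```

In practice the roster would be pulled from the directory and the check placed at the gateway or in a SOAR playbook; its output is a prompt for the verification process the article recommends (call the named person on a known number), not an automatic block.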

The vendor offers phishing simulations as part of its security awareness service. Services like this can help organisations teach employees how to recognise and avoid spear-phishing attempts.

Hornetsecurity’s 365 Total Protection plans can bundle security awareness and compliance offerings in with backup, email security and encryption, anti-spam and anti-malware for M365 based IT environments.

Watch the full Security Swarm podcast on spear-phishing trends (35min).

( Image by Quang NGUYEN DANG from Pixabay )
