Article Summary
In this article, the author explains the concept behind spear phishing, which is the method through which hackers access people’s passwords and other private information. Martin starts by making a simple yet profound statement – “When it comes to cyber-attacks, the most common method of gaining access to your passwords and information may surprise you- it is just by asking for it” [4].
While hackers can use a myriad of sophisticated techniques to access a person’s information, tricking users into sharing their information in an easy and straightforward way of achieving the same objective. According to Martin, spear phishing is an “e-mail communication or some other type of electronic communications scam that targets individuals, organizations or businesses through content that looks like it is coming from a legitimate source” [4]. Through this technique, cybercriminals social engineer e-mails to appear like legitimate sources.
Social engineering is an insidious art that hackers use to manipulate people by using domains and content that look like trusted sources. In this case, a hacker will send a malicious link or document leading to a fake login site and the moment users enter their credentials, such details are stolen and used for other criminal activities. Martin notes that this phishing technique, in some cases, is so accurate to the originals that even the most careful users have fallen victim [4]. The author gives a recent example of spear phishing by two Russian hackers, APT28 and Sandworm Team, aimed at European governments.
These groups have also targeted other organizations and media outlets in Russia, Germany, and France. According to Martin, targets in European governments are normally sent malicious e-mails containing links that appear to direct to government websites [4]. Additionally, the sender of such e-mails appears legitimate and once the targeted users click on the links, they are prompted to change their passwords and enter other personal information, which is then stolen.
Importance of this Issue
It is important to understand the issue of spear-phishing because its impacts on individuals and corporations are enormous. According to Gendre, the cost of a breach that occurs through spear-phishing is stunning as it goes beyond monetary loss [1]. Once one employee becomes a victim of this trick, the entire corporation is at risk. The affected companies suffer reputational damage once the public learns about such phishing attacks. A reputable brand could be perceived as untrustworthy for customers, shareholders, and even employees [1]. This aspect could lead to huge financial losses because negative brand effects from a phishing attack can potentially affect a company’s market capitalization leading to huge losses.
Intellectual property loss is another possible effect of spear-phishing on companies through stolen trade secrets, formulas, customer lists, and costly research. Gender posits, “For firms like technology, defense, or pharmaceutical a single design or drug patent could easily represent millions, or billions, in sunk research costs” [1]. Such losses are unprecedented and they can lead to the closure of a business. Additionally, other direct costs are associated with spear phishing, such as fines levied by regulatory bodies when such incidences occur.
This issue is also important due to its pervasive and widespread nature. Many people are likely to become victims of spear phishing because the tricks are difficult to detect. According to cyber security professionals, Kelley and Kathuria, even the most “security-savvy” users may be exposed to honed spear-phishing techniques [2]. Such phishing tricks are highly targeted and personal to be easily detected. In a study to assess the susceptibility of Internet users to spear-phishing campaigns, Lin et al. found out that out of 100 participants, 43 percent fell victim to simulated spear-phishing e-mails [3]. Swinhoe notes that the effectiveness of “spear-phishing comes down to a combination of both technical and psychological reasons” [5]. Such high levels of susceptibility to these scams are worrying, hence the importance of understanding this issue.
I found this article interesting and informative at the same time because the author uses simple and straightforward language to explain the concept of spear phishing. Martin discusses this pervasive cybercrime threat in a way that can be understood even by people not trained in Internet security [4]. Additionally, the author gives relatable examples of how this technique is being used in contemporary times.
The example of how Russian groups are using spear-phishing to infiltrate European governments and media outlets is relatable and it underscores the pervasive nature of this technique. The issue of phishing arose in the course material under the topic of Information Attacks and Defenses. Specifically, the sub-topic of “Social Engineering Problem” explains the underlying principles of spear phishing. According to the course material, social engineering involves tricking an individual into giving personal credentials, which are then used to compromise a system’s security.
The information provided in the main article, course materials, and other references used in this paper indicates the pervasive nature of spear phishing. In the course material, different examples of phishing by e-mail are given, such as the one involving a fraudulent e-mail allegedly sent by Chase Bank’s customer service to an account owner seeking identity verification. Gender gives a similar example but uses FedEx company [1].
Additionally, Swinhoe gives a similar example involving a CEO of a certain company being asked to make fraudulent payments to hackers [5]. Lin et al. [3] and Kelley and Kathuria [2] give steps that could be used to identify and prevent spear-phishing campaigns, which is also part of the course materials.
From the knowledge gained from this task, I think that the problem of spear phishing is likely to continue affecting millions of Internet users and causing huge losses to companies. The outcome of elections in different countries around the world could be subject to spear-phishing campaigns. Given the psychological aspect associated with this technique, it may be difficult to educate and create public awareness for Internet users to avoid being scammed. In the future, I believe spear phishing is going to make Internet usage a dangerous affair, especially when communicating sensitive information. However, I also believe that spear-phishing techniques are not foolproof and with careful and deliberate efforts to ensure safe Internet usage, the involved stakeholders could come up with ways of addressing this problem.
Conclusion
I have learned that spear phishing is a pervasive cybercrime technique that hackers use to steal personal information, especially user names and passwords, from unsuspecting Internet users. The interesting thing about this trick is that Internet users willingly, albeit unknowingly, divulge their personal information to cybercriminals. It is clear that the implications of spear phishing are enormous and far-reaching for the affected individuals, companies, and governments. Nevertheless, despite the widespread susceptibility of Internet users to spear-phishing scams, stakeholders could create ways of mitigating this problem for safe Internet usage.
Works Cited
Gendre, Adrien. “The Corporate Impact of Phishing.” Vade Secure. 2015. Web.
Kelley, Diana, and Seema Kathuria. “Spear Phishing Campaigns – They’re Sharper Than You Think.” Microsoft. 2019. Web.
Lin, Tian, et al. “Susceptibility to Spear-Phishing E-mails: Effects of Internet User Demographics and E-mail Content.” ACM Transactions on Computer-Human Interaction (TOCHI), vol. 26, no. 32, 2019, pp. 1-28.
Martin, Nicole. “How Cyber Attacks Use Spear Phishing Scams to Steal Your Information.” Forbes. 2019. Web.
Swinhoe, Dan. “What is Spear Phishing? Why Targeted E-mail Attacks are so Difficult to Stop.” CSO. 2019. Web.