Monday, 4 November 2019

Spear Phishing: A Law Enforcement and Cross-Industry Perspective (EUROPOL, EC3 report, November 2019)

This report is the result of the joint Advisory Group Meeting from March 26 – 27 2019, gathering over 70 representatives from private industry at Europol to discuss the threat of spear phishing. It contains the meeting’s main conclusions and recommendations for organisations on how to combat this threat effectively on a technical, educational, as well as operational level. It concludes that spear phishing is still the main attack vector for cybercriminals to target their victims and shows that there are a number of readily available solutions that can help minimise the risk of a successful attack. At the same time, this report highlights some of the challenges related to information sharing and the investigation of spear phishing attacks, as well as what can be done collectively to improve the situation.

"Phishing can be the vector for fraud, extortion, espionage or other malicious cyberattacks. It is an attack with a variety of sophistication and purpose used by malicious actors ranging from script kiddies and fraudsters to serious organised criminal groups and nation states."

It is often trivial to gather extensive knowledge about an organisation’s staff. LinkedIn, for instance, is an online professional networking platform and counts over 610 million users in over 200 countries worldwide. Websites such as these (in addition to other, country-specific equivalents) provide large amounts of information about individuals and organisations of interest to potential attackers. Through connections to other members, role descriptions and publicly available CVs, it is possible to gain a detailed understanding not only about an organisation’s staff structure, but also identify potential interests of staff employees, which may subsequently be exploited. LinkedIn, in combination with tools such as hunter.io, additionally provides a significant resource for identifying corporate email addresses, which can then be targeted by spear phishing emails. Finally, data leaks of email addresses and passwords which are offered in batches on the dark web can provide easy access for the criminal if basic cybersecurity hygiene practices are not followed. As will be shown in the following section, getting the target to trust the sender of the email is key to carrying out a successful spear phishing attack. And what sender is more trustworthy for employees than their own company’s CEO?


