By Drew Fox Jordan • December 28, 2021

    Let's Go Phishing: A Closer Look At Email Impersonation

    Today, 95% of all cyberattacks launched on businesses start with a spear-phishing email. What's more, spear-phishing attacks have increased year-over-year as bad actors have discovered more and more ways to outwit email users (busy people) and defenses (legacy technology). The motivations behind attacks are straightforward: deploy malware or defraud the target of money or credentials. The tactics, however, vary greatly and are becoming increasingly challenging to spot.

    What is spear-phishing?

    Various terms describe inbound email attacks: spoofing, phishing, spear-phishing, and whaling. While some people use the terms interchangeably, they are, in fact, different. Here's a breakdown of the terminology:

    • Email spoofing - creating email messages with a forged sender address or display name. It is common for spam and phishing emails to use spoofing tactics to mislead a target about the communication's origin.
    • Phishing - a fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by pretending to be a trusted entity. Phishing is typically bulk in nature and not personalized for an individual target. While phishing attacks can be successful, most are easy for clued-up individuals or email security policies to detect.
    • Spear-phishing - advanced phishing attacks directed at specific individuals or companies. Similar to phishing attacks, these intend to trick people into sending a wire transfer or clicking on a malicious link. In contrast to bulk phishing, spear-phishing attackers often gather and use personal information about their target to increase their probability of success. Because they are more sophisticated in their construction and convincing in execution, spear-phishing emails are harder to catch. They work best when they impersonate someone the target trusts.
    • Whaling - a highly targeted phishing attack aimed at senior executives or employees with access to precious assets. Whaling emails are more sophisticated than generic phishing emails as they often target chief ("c-level") executives and board members.

    What does a spear-phishing email look like?

    Spear-phishing emails have four key components:

    • Target - spear-phishing attacks are directed at specific employees or groups, often those with access to money, sensitive systems, or influential people. For example, accounts payable departments and executive administrators are frequent targets. Criminals may also target new hires and other "quick-to-click" employees, exploiting their desire to act fast on any requests or assignments. Criminals don't have to search long and hard to identify suitable targets. Valuable data is abundant online, from LinkedIn career updates to employee details on company websites.
    • Intent - in both the email subject line and body copy, the attacker will use deliberate language to establish context and intent; they want the recipient to do something now. In sophisticated attacks, fraudsters will initiate everyday conversations without mentioning any requests. This approach invests time in developing a legitimate dialogue and establishing trust with the target over multiple emails. As a result, any subsequent request, like a wire transfer, will appear authentic and usually gets the target to complete the desired action.
    • Impersonation - at the heart of every spear-phishing attack is impersonation. The attacker pretends to be a person or entity that the target knows and trusts. The spectrum of impersonation tactics is broad, ranging from display name and domain manipulations to the specific language used within the body of the email. In general, criminals often impersonate an influential or powerful person, like a CEO, or a trusted company, for example Microsoft, in order to establish a sense of legitimacy or urgency. Tessian refers to sophisticated impersonation attacks as advanced impersonation spear-phishing.
    • Payload - spear-phishing emails may contain some form of "cargo" to engage the target. Basic impersonations include obvious links and attachments that appear legitimate but are malicious. Advanced impersonation tactics are more discreet; they rely on text alone to elicit the desired action. For example, "please wire payment to this account: 123-4567" or "Can you please buy 10 Apple gift cards for our clients and send me the voucher codes as reference ASAP?" These advanced threats (aka zero-payload attacks) can easily slip through traditional email defenses by omitting conspicuous payloads.

    Advanced impersonation spear-phishing falls into three categories.

    • Internal Individual - the attacker impersonates a colleague or individual from the same organization. Who is being impersonated: people with power and influence, such as the CEO, Finance Director, or Vice Presidents.
    • External Partner - the attacker impersonates a third party with whom the target works. Who is being impersonated: suppliers, donors, vendors, contractors.
    • Service Provider - the attacker impersonates an enterprise service provider. Who is being impersonated: major service and infrastructure providers such as O365, Microsoft, and Amazon.


    Why is spear-phishing so dangerous?

    Spear-phishing isn't tricky to pull off. Attackers don't need capital, special equipment, or a particularly advanced skillset. Instead, they need to invest time into researching a target, which is easy with the proliferation of public profiles on platforms like LinkedIn.

    Spear-phishing is particularly effective because busy professionals are easy to trick on email. Today, the average worker spends nearly a third of their working week on email, sending and receiving 124 emails every day. The pressure to be constantly connected and on the go means that employees are more likely to be distracted and make mistakes on email. A shift towards becoming a mobile workforce hasn't helped the situation either. Verizon research has shown that people are significantly more susceptible to social attacks received on mobile devices due to mobile design and people's tendency to multitask on mobile devices.

    Due to phishing scams, businesses globally have lost $12.5B over the past five years. Advanced impersonation spear-phishing has emerged as one of the most popular and successful attack methods on organizations – small and large – worldwide. Rewards for attackers are high, and the damage to organizations can be catastrophic, resulting in wire payment fraud, file sharing, credential theft, and eventual systems takeover.

    How do you prevent advanced impersonation spear-phishing?

    Most organizations rely on Secure Email Gateways (SEGs) to keep inboxes safe. To identify and prevent inbound threats, SEGs commonly employ machine layer methods:

    • Payload inspection like scanning URLs and attachments. This can leave organizations vulnerable to zero-payload attacks and falsely increase user confidence.
    • Spam and bulk-phishing prevention. Focusing on past known attacks and basic email characteristics (e.g., domain authentication), these fail to prevent advanced impersonation, which is low-volume and crafted to evade such systems.
    • Rules to prevent impersonation. Rules can prevent basic impersonation attacks (e.g., detecting newly registered domains, different sender/reply-to addresses, etc.).

    While SEGs can block malware and bulk phishing attacks, rule-based solutions cannot stop advanced impersonation attacks and are incapable of detecting external spoofs.
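The rule-based checks described above (a forged display name, a different sender/reply-to address, a manipulated domain) can be expressed directly against message headers. The following is an added example, not code from the original post or from Tessian; the trusted domain, the executive directory and the two messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample data for this example (not from the original post).
TRUSTED_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}   # display name -> real address

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def within_one_edit(a, b):
    # True if a and b differ by at most one insertion, deletion or substitution.
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                # extra character in a
        elif len(b) > len(a):
            j += 1                # extra character in b
        else:
            i, j = i + 1, j + 1   # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1

def assess(raw_message):
    # Returns the list of impersonation indicators found in one RFC 5322 message.
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)
    findings = []
    # Display name of a known executive, but the address is not their real one.
    if from_name in EXECUTIVES and from_addr.lower() != EXECUTIVES[from_name]:
        findings.append("display-name impersonation")
    # Replies would be routed to a different domain than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to domain mismatch")
    # Sender domain is a one-character edit away from the trusted domain.
    if from_dom != TRUSTED_DOMAIN and within_one_edit(from_dom, TRUSTED_DOMAIN):
        findings.append("lookalike domain")
    return findings

# Constructed messages: a lookalike-domain spoof and a genuine internal message.
SPOOF = "From: Jane Doe <jane.doe@example-c0rp.com>\nReply-To: <jd.office@freemail.example>\nSubject: Quick favour\n\nDo you have a moment?\n"
LEGIT = "From: Jane Doe <jane.doe@example-corp.com>\nSubject: Board deck\n\nAttached as discussed.\n"
```

Note that a message sent from a genuine but compromised partner mailbox, with no lookalike domain and no Reply-To trick, produces no findings here; that is the zero-payload, rule-evading case the text describes.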
