The story of nearly every notable data breach in recent memory begins in pretty much the same way: Once upon a time, someone got spear phished… Whether it’s a government agency or a Fortune 500 company, spear phishing is a serious threat, with losses topping $675 million in 2017 in the US alone.

The phishing attacks that incite data breaches take diverse forms. Sometimes the root of a data breach is a malicious link in an email from a hacker. On other occasions, a victim might make a wire transfer or divulge confidential information to the hacker, thinking he or she was a colleague or business partner.

Spear phishing is one of the most successful methods of cyberattack. It is a reliable way for malicious actors to access protected digital assets. One countermeasure involves increasing employee awareness about spear phishing through training. This is a good idea, but often these programs focus only on senior executives. In reality, there are other common spear phishing targets within the organization. To make anti-spear phishing as effective as possible, it’s worth exploring who the preferred targets tend to be and adapting security controls to meet the level of risk.

Spear phishing: A brief recap

Spear phishing is a highly targeted, personalized form of phishing. Whereas a phishing email attack is broad in scope and largely undifferentiated (e.g. “I am a Prince with a frozen bank account…”), spear phishing emails are written by attackers who know the target—their name, where they work, what they do, their interests and hobbies, etc.—so that they can be believable in impersonating a colleague or business acquaintance.

For example, a spear phisher might research the target’s social media accounts and other online sources of information, including recent data breaches, to determine his or her role in the target organization along with his or her personal relationships within the company. The attacker can then research learn the responsibilities of these co-workers. Armed with this information, the spear phisher can send an email requesting a fraudulent wire transfer or asking them to disclose confidential information.

Normally, sensible people wouldn’t follow through on these requests, but the attackers typically contrive some sort of plausible emergency to get through the email recipient’s defenses. They might send a message on a weekend, pretending to be away from a work PC, and so forth. They might impersonate a senior executive, using the organization’s command structure to pressure the recipient into disclosing information he or she was told not to share, and so forth.

The spear phishing attacker may also engage in spoofing, tricking the email recipient into thinking the message originated from inside the organization. In some cases, this kind of attack will substitute letters or URL extensions to make a message look like it’s from one company, but actually comes from another, e.g. spelling apple.com with a capital I (as in Irving) instead of a lowercase l (as in loom).

Target group: People with access to valuable data

People with access privileges to valuable data are naturally among the most desirable targets for spear phishing attacks. This group includes senior executives, of course, but also their staff members and assistants; the latter manage the executives’ email and calendar, and therefore are just as valuable as a target.

It’s worth noting that spear phishers often engage in sequential attacks. Like, they’ll pretend to be the CEO and tell her assistant, “Remind me of my email login? I always forget…” Then, they’ll pretend to be the assistant and trick the CEO into sharing some confidential information about their travel plans. Then, they’ll impersonate an IT staff member and call the CEO to get her highly privileged network login credentials.

Finance and legal staffers are also valuable spear phishing targets. Some spear phishing attackers are looking for trade secrets or confidential information about future merger and acquisition (M&A) deals. With the latter, they can engage in insider stock trading. They might be interested in stealing product designs or strategic plans, and selling them to rogue nation states.

Impersonating financial and legal executives offers an effective way to trick employees into sending money into fake overseas corporate accounts. For instance, if the attacker knows that a particular deal is being negotiated by the legal department, he or she can impersonate the CEO and request a confidential wire transfer to “complete the deal.” The recipient would probably assume the request was legitimate. How else would anyone know about a hush-hush M&A deal?

Target group: High-risk behavior or non-functional attributes

Sometimes, it’s non-executive employees who are most at risk for spear phishing. A person lacking in tech savvy or someone unfamiliar with cybersecurity policy is a great candidate for email-based trickery. How does the attacker know who these people are? One way is to mine information stolen in earlier data breaches – such as the recent Facebook and Google+ breaches – and use that to identify targets or impersonate their coworkers. Alternatively, the attacker can scour social media and find employees who are careless or naïve enough to publicly post information about their work that can help the phisher spoof their identities.

Bring Your Own Device (BYOD) policies create opportunities for spear phishing attackers as well. If the phisher knows an organization has a BYOD policy, he can use the “I’m on my personal phone and can’t log in” excuse to get another employee to share log in credentials. A lack of clear policies further helps the phishing attacker. An organization with loose controls over fund wire transfers, for example, is exposed to the risk of fraud from spear phishers who impersonate senior executives and request money wires.

Target group: External people and entities

Non-employees are also susceptible to spear phishing attacks. In fact, employees of contractors and other external entities are even more vulnerable to being tricked into sharing information about another company. An IT outsourcing vendor, for example, could provide a spear phisher with a potent set of targets for attacks that yield network login credentials, e.g. the target might not be able to verify the identity of a person requesting network access.

Spear phishing is a serious cyber security threat. As so many devastating incidents have shown in the recent past, it’s one of the most effective means of penetrating a hacking target. Policies and anti-phishing tools need to be well-tuned to the nuances of this insidious form of attack. Not all employees have the same level of vulnerability, however. It is a good practice to assess spear phishing susceptibility by employee role and adjust countermeasures accordingly.

Moreover, in addition to user training, organizations must broaden their email filtering capabilities to encompass internal email scanning. The reason is that hackers are increasingly harvesting Office 365 credentials (through standard phishing attacks or by purchasing them on the dark web) in order to send targeted spear phishing emails from perfectly legitimate accounts. In these scenarios, it’s virtually impossible for the recipient to detect the fraud, no matter how well trained or vigilant they are.