Phishing and Spear Phishing: Modern Methods Applied to Age-Old Social Engineering

07 April 2015 Health Care Law Today Blog

It may surprise those who have followed the recent media attention to data breaches to learn that in cybersecurity it is often the oldest attacks that find new life when applied in new ways. Phishing, a form of social engineering in which attackers trick their victims into revealing confidential information by impersonating something legitimate, has been around for years. A movie more than 30 years old depicts the same reconnaissance that spear phishers still rely on today: in the 1983 film “WarGames,” the fictional teenage hacker David Lightman researches the original developer of the WOPR supercomputer in depth to work out his back-door password, “Joshua.” Today the same kind of attack, directed at a specific target on the strength of detailed research into that person’s background, is on the rise. Fortunately, few of these attacks threaten global thermonuclear war, but their victims can find it difficult to recover a company’s stability or an individual’s identity.

Phishing casts a wide net, typically through mass emails that appear to come from reputable sources but actually contain links to bogus websites or attachments carrying malware. Other forms (often called “vishing”) use interactive voice systems to lure victims into divulging confidential information by insisting there is a problem with some vaguely described account or by promising to save the victim money. These attacks are easier and cheaper than ever: it costs an attacker next to nothing to send emails to, or have an auto-dialer call, millions of unsuspecting potential victims. Only a small percentage need to fall prey for the perpetrator to cash in: some reports put the value of a stolen identity on the black market at $5 to $16 each.
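The mechanics just described, a message that looks like it comes from a reputable source but whose links and attachments lead somewhere else, lend themselves to a simple automated check. The following Python script is an added illustration written for this post, not code from the original article or from any product or company it mentions. The email it parses is constructed for the example, and the table of trusted brands and the list of risky attachment extensions are assumptions that an organization would replace with its own.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages used as input (not real phishing emails).
SAMPLE_EMAIL = b"""From: "Acme Bank Alerts" <alerts@acme-bank-secure.com>
To: victim@example.com
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected a problem with your account. Verify now:</p>
<a href="http://login.acme-bank-secure.com/verify">https://www.acmebank.com/login</a>
</body></html>
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.pdf.exe"

TVqQAAMAAAAEAAAA
--XYZ--
"""

BENIGN_EMAIL = b"""From: "Acme Bank" <alerts@acmebank.com>
To: victim@example.com
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.acmebank.com/statements">View statement</a></body></html>
"""

# Assumed: brands the organization really corresponds with, keyed by registered domain.
TRUSTED = {"acmebank.com": "acme"}
# Assumed: attachment extensions that should never arrive unexpectedly by email.
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".jar", ".docm", ".xlsm")


def registered_domain(host):
    """Naive registered-domain extraction: last two labels (fine for .com-style TLDs)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_bytes):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    # 1. Sender: a trusted brand name inside an untrusted domain or display name is a lookalike.
    sender = msg["From"].addresses[0]
    sender_dom = registered_domain(sender.domain)
    if sender_dom not in TRUSTED:
        for dom, brand in TRUSTED.items():
            if brand in sender_dom or brand in sender.display_name.lower():
                findings.append(f"sender {sender.addr_spec} imitates {dom}")

    # 2. Links: the visible text shows one domain while the href points to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_dom = registered_domain(urlparse(href).hostname or "")
            if text.startswith(("http://", "https://")):
                text_dom = registered_domain(urlparse(text).hostname or "")
                if text_dom != href_dom:
                    findings.append(f"link text says {text_dom} but points to {href_dom}")
            if href_dom not in TRUSTED and any(b in href_dom for b in TRUSTED.values()):
                findings.append(f"link domain {href_dom} imitates a trusted brand")

    # 3. Attachments: executable content hiding behind a document-looking filename.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"attachment {name} has an executable extension")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARNING:", finding)
    print("benign message findings:", analyze(BENIGN_EMAIL))
```

Run against the constructed sample, the script flags the lookalike sender domain, the mismatch between the link’s visible text and its real destination, the lookalike link domain, and the double-extension attachment, and reports nothing for the benign message. The domain logic is deliberately simple; a production filter would use a public-suffix list and compare against the organization’s own correspondents rather than a hard-coded table.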

Unlike phishing, spear phishing does not rely on volume. Instead it targets specific, high-profile individuals in an effort to steal their personal information. Celebrities had compromising photos stored on Apple’s iCloud service exposed not by an attack on the technology itself (although Apple’s password practices at the time were a contributing cause) but by attackers using the celebrities’ fame and publicity to guess their weak passwords and the answers to their security questions. And it is not just celebrities: executives at companies with more than 2,500 employees have a 1 in 2.3 chance of becoming the target of a spear phishing attack. RSA, a security company, fell victim to such an attack in 2011; the attackers sent their phishing emails, carrying a malicious spreadsheet attachment, to just four employees.

An attacker who targets a corporate executive stands to gain more valuable information through spear phishing, whether a company’s intellectual property or access to higher-value bank accounts, but spear phishing also requires more legwork to research the target. The cost of a spear phishing attack has been estimated at 20 times that of a phishing attack, with an average return more than 40 times greater. Unlike Mr. Lightman in WarGames, however, today’s attacker does not have to scour old videos and newspaper articles. Researching somebody now takes a few keystrokes, a few mouse clicks, and a leisurely stroll through the target’s social media accounts. As people put more of their lives on social media for the world to see, the cost of a spear phishing attack is likely to drop even further.

Traditional technical measures such as firewalls and anti-virus software are only minimally useful against a phishing or spear phishing attack, because the weakness being exploited is not in the technology but in the person. Businesses should not abandon those measures (a phished password, for example, is far less useful to an attacker if the account also requires a second factor), but they should also ensure that all of their employees, and especially their executives, are trained to avoid high-risk online behavior, to be suspicious of unexpected emails that contain links or attachments, and to be wary of callers who ask for a password or other personal information. Some organizations have gone further and staged their own phishing exercises against their users to reinforce annual cybersecurity training.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice.
