Spearphishin' stories

The ruses they use to reel you in, revealed

A fisherman uses a red lure to catch red fish, much like cyber attackers use personalized emails to trick victims into activating malware.

Spearphishing is the use of fake emails to trick a person or small group into activating malware or revealing their network credentials. With attackers constantly creating more clever ruses, defending against spearphishing requires not only knowing the newest tricks, but rethinking how we use email in the first place.

The long, slow commute was weighing on the staff in the D.C. office. Then a little glimmer of hope hit their inboxes.

It was an email about a new Metro station. The details were in an attachment. In their excitement, the road-weary workers never even hesitated to open it.

They should have.

The email was a test from the company's cybersecurity consultants to see how susceptible the staff was to spearphishing – a cyberattack tactic that uses fake, manipulative and highly personalized emails to deliver malware and steal people's usernames and passwords. The result was bleak: Eighty percent fell for it.

Spearphishing is a go-to tactic for every type of cyber attacker, from penny-ante crooks pilfering bank accounts to nation-state operatives trying to wrest control of power plants. They like it because it's cheap, easy and effective: With just an email account, a few facts about the victim and a good story, they can sit back and watch as even cyber-savvy people download dangerous files and cough up their credentials.

“When cyber criminals spend a little time researching the company or the individual they’re targeting and tailor their email to that, then the success rates increase exponentially,” said Fabian Franco, digital forensics and incident response lead at Raytheon Cyber Protection Solutions. “And the trickiest ones are when they make it very tailored, from incorporating your company’s logos to using an email address that’s very similar to a colleague’s.”

Here, to show how cunning cybercriminals have become, Raytheon’s security experts discuss some eye-popping real-world examples – and how to defend against them.


The ruse: A résumé lands in an inbox at an energy company. The body of the email makes the candidate look legit; it uses industry lingo like “PLC based control systems,” mentions specific equipment and even works in some common job-applicant jargon like “multi-skilled controls engineer with experience in hands-on project based work.”

The reality: That email, and many more like it, were part of an extensive international hacking campaign to infiltrate energy infrastructure in the U.S. and other countries. In this case, the attachment exploited a Windows vulnerability that hackers often use to steal the victim’s credentials, according to the U.S. Computer Emergency Readiness Team.

The defense: Don’t accept or open files from unconfirmed sources. With documents like job applications, it's best not to accept them through traditional email at all, said Mark Orlando, chief technology officer at Raytheon Cyber Protection Solutions.

"A good defense is to use an intermediary system – a web portal or file uploader," he said. "They can validate the input, actually check the file to make sure it's a Word document and scan it for malicious content."

This screen capture shows the body of an email used to deliver malware in a hacking campaign against energy companies in several countries including the United States. The sender was pretending to be a job applicant and even cited makes and models of specific equipment. (United States Computer Emergency Readiness Team image)
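One way the intermediary Orlando describes can "actually check the file" before any malware scan, as an added example that is not code from the article or from Raytheon: a Python validator that accepts an upload only if its content is an OOXML zip containing word/document.xml, rejects macro-enabled packages, and never trusts the extension alone. The size cap, function names and sample uploads are assumptions made for the demo.

```python
import io
import zipfile

# Assumption: the portal accepts only .docx uploads and caps size at 10 MiB.
MAX_SIZE = 10 * 1024 * 1024


def _build_docx(with_macros: bool) -> bytes:
    """Construct a minimal docx-shaped zip in memory (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def check_word_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason); decides on content, not on the extension alone."""
    if not filename.lower().endswith(".docx"):
        return False, "extension not .docx"
    if len(data) > MAX_SIZE:
        return False, "too large"
    # Real OOXML is a zip and starts with the PK\x03\x04 local-header signature;
    # an executable (MZ) or legacy OLE .doc renamed to .docx fails here.
    if not data.startswith(b"PK\x03\x04"):
        return False, "content is not an OOXML zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if z.testzip() is not None:
                return False, "corrupt zip"
            names = z.namelist()
    except zipfile.BadZipFile:
        return False, "unreadable zip"
    if "word/document.xml" not in names:
        return False, "zip is not a Word document"
    # A resume has no business carrying VBA macros; reject before AV scanning.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return False, "contains VBA macros"
    if any(n.startswith("/") or ".." in n.split("/") for n in names):
        return False, "unsafe entry path in archive"
    return True, "ok: hand off to malware scan"


# Constructed samples, not files from any real campaign.
SAMPLES = {
    "resume.docx": _build_docx(with_macros=False),
    "resume_macros.docx": _build_docx(with_macros=True),
    "resume.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 32,  # legacy OLE header
    "notes.docx": b"MZ" + b"\x00" * 64,  # Windows executable renamed .docx
}
```

Running check_word_upload over SAMPLES accepts only resume.docx; the macro-enabled package, the legacy .doc and the renamed executable are each refused with a distinct reason.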


The ruse: A catering company gets a call from a potential customer. After a few questions, the customer agrees to send an order by email. The caterer opens the attachment.

The reality: There was no order. The attachment had one purpose: injecting malware to probe the caterer’s computer network and harvest customer credit card numbers. This one is especially sneaky because the attacker primed the target by calling ahead. In a similar case, a customer complaint emailed to a national restaurant chain turned out to be a trap set by international hacking group Fin7, now implicated in attacks on more than 100 U.S. companies, particularly restaurants, casinos and hotels. Through malware embedded in phony complaints and fake reservations, they mapped the companies’ networks, obtained credentials and stole millions of customers’ credit and debit card numbers, then sold them for profit.

The defense: Businesses should use email services with built-in malware protection and keep operating systems and security software up to date. But even the best defenses can fail, Orlando said, which is why segmenting networks is so important.

"You really have to keep your sensitive data – point-of-sale systems, PII – you need to keep that separate from the system you use to receive orders or send email," he said.

And, as with the job applications, a web portal for orders can reduce the risk of opening an infected attachment.


The ruse: In the thick of the 2016 Democratic presidential primary race, more than 30 employees of Hillary Clinton’s campaign receive an email with a link to a Microsoft Excel spreadsheet titled “hillary-clinton-favorable-rating”.

The reality: The link, according to federal prosecutors, had nothing to do with good poll results. Instead, it directed to a site created by the GRU, a Russian military intelligence agency. It was one of several spearphishing ruses used in the hack of the Democratic National Committee, the Democratic Congressional Campaign Committee and the Clinton campaign.

The defense: Political campaigns are "a lightning rod for social engineering and other attacks," Orlando said, so training staff to resist social engineering is vital. In addition, multifactor authentication can help keep credential thieves out of user accounts. Also, staff should use separate devices and accounts for personal and professional communications, so that a breached personal account doesn’t become the whole campaign’s problem.

Photo illustration showing a shadowy figure at a computer screen. Cyber attackers have become better than ever at posing as colleagues, customers, job-seekers and others to trick victims into opening malware-infected attachments.


The ruse: A company gets an email that appears to be from a business partner, reporting a problem with a product. Attached is a document claiming to contain test results.

The reality: The email was actually from an IP address controlled by a hacker in China, U.S. prosecutors said in an indictment against two alleged operatives. The attachments the attackers used in the years-long campaign typically installed keylogging software to steal usernames and passwords, prosecutors said.

The defense: Once again, alternative file-sharing methods and two-factor authentication go a long way.


The ruse: An employee gets an email warning him that his virtual private network certificate – something he needs to work remotely – will expire in a few days.

The reality: Had the employee clicked on the link, it would have led him to a legitimate-looking page designed to steal his username and password. But he didn’t; he passed it along and it wound up in the hands of analysts at Forcepoint, a commercial cybersecurity company jointly owned by Raytheon. They confirmed his suspicion.

The defense: This one is a case study in training and awareness. If the company makes clear to employees how they send communications — such as telling them they’ll never send them a link to a login page — employees will have a better sense of when something is amiss, Orlando said.

"Training and awareness is a great weapon against those sorts of attacks," he said.

Last Updated: 11/06/2019