AI may be a new weapon against spear phishing attacks

Jan. 22, 2018
AI has the ability to learn and analyze an organization’s unique communication pattern and flag inconsistencies

Cybercriminals are infamous for launching pervasive attacks, targeting a maximum number of people, victimizing anybody that takes the bait. Virtually everyone knows these attacks well, having received emails from an overseas banker or a widow of a wealthy oil tycoon offering a ridiculous amount of cash for something small in return from you. The creative examples of phishing attacks are endless, even health medications swearing to offer the fountain of youth or rejuvenating your love life for free in exchange for providing a credit card number.

There is a different form of cybercriminal that takes an “enterprise approach” to getting what they want. Similar to business-to-business sales functions, they focus on a smaller number of targets, with an objective of obtaining an exponentially greater payload with extremely personalized and sophisticated techniques. These pointed attacks, labeled spear phishing, leverage impersonation of an employee, a colleague, your bank, or popular web service to exploit their victims. Spear phishing has steadily been on the rise, and according to the FBI, this means of social engineering has proven to be extremely lucrative for cybercriminals. Even more concerning, spear phishing is incredibly elusive and difficult to prevent with traditional security solutions. 

The most recent evolution in social engineering involves multiple premeditated steps. Cybercriminals hunt their victims instead of targeting company executives with a fake wire fraud out of the blue. They first infiltrate their target organization from an administrative mail account or low-level employee, then use reconnaissance and wait for the most opportune time to fool the executive by initiating an attack from a compromised mail account. Here are the abbreviated steps commonly taken in these spear phishing attacks and solutions to stop these attackers in their tracks. 

Step 1: Infiltration

Most phishing attempts are glaringly obvious for people that receive cybersecurity training (executives, IT teams) to sniff out. These emails contain strange addresses, bold requests, and grammar mistakes that often invoke deletion. However, there is a stark increase in personalized attacks that are extremely hard to sniff out, especially for people who aren’t trained. Many times, the only blemish to this attack is that malicious email links will be spotted only if you hover over them with your mouse. Highly trained individuals would spot this flaw but not common employees. 

This is why cybercriminals find easier targets at first. Mid-level sales, marketing, support and operations folks are the most usual. This initial attack is aimed to steal a username and password. When the attacker has control of this mid-level person, if they haven’t enabled multi-factor authentication (and many organizations do not), they can log into the account. 

Step 2: Reconnaissance

At this stage, cybercriminals will normally monitor the compromised account and study email traffic to learn about the organization. Often times, attackers will setup forwarding rules on the account to prevent logging in frequently. Analysis of the victim’s email traffic allows the attacker to understand more about the target and organization: who makes the decisions, who handles or influences financial transactions, has access to HR information, etc. It also opens the door for the attacker to spy on communications with partners, customers, and vendors.

This information is then leveraged for the final step of this spear phishing attack.

Step 3: Extract Value

Cybercriminals leverage this learned information to launch a targeted spear phishing attack. They often send customers fake bank account information precisely when they are planning to make a payment. They can trick other employees to send HR information, wire money or easily sway them to click on links to collect additional credentials and passwords. Since the email is coming from a legitimate (albeit compromised) account like a colleague, it appears totally normal. The reconnaissance allows the attacker to precisely mimic the senders’ signature, tone and text style. So, how do you stop this attacker in his tracks? Thankfully there is a new hope and well-known methods for organizations to implement to thwart these cybercriminals from having their way, a multi-layer strategy.

End of the Line for Spear Phishing

There are three things that organizations should be employing now to combat spear phishing. The two obvious ones are user training and awareness and multi-factor authentication. The last and newest technology to stop these attacks is real-time analytics and artificial intelligence. Artificial intelligence offers some of the strongest hope of shutting down spear phishing in the market today.  

AI Protection

Artificial intelligence to stop spear phishing sounds futuristic and out of reach, but it’s on the market today and attainable for businesses of all sizes, because every business is a potential target. AI has the ability to learn and analyze an organization’s unique communication pattern and flag inconsistencies. The nature of AI is it becomes stronger, smarter and endlessly more effective over time to quarantine attacks in real-time while identifying high-risk individuals within an organization. For example, AI would have been able to automatically classify the email in the first stage of the attack as spear phishing, and would even detect anomalous activity in the compromised account, subsequently stopping stage two and three. It also has the ability to stop domain spoofing and authorized activity to prevent impersonation to customers, partners and vendors to steal credentials and gain access to their accounts. Since attackers are not only targeting executives and leaders, but mid-level employees that aren’t trained as well in security to gain entry, AI has now become the guardian that every organization at risk can benefit from. It is a statistical fact that not everyone is going to catch these, and having an ever watching system in place to catch these elusive threats stops spear phishing from becoming anything more than a phishing email to an organization’s employees.


It is absolutely essential for organizations to implement multi-factor authentication (MFA). In the above attack, if multi-factor authentication was enabled, the criminal would not have been able to gain entry to the account. There are many effective methods for multi-factor authentication including SMS codes or mobile phone calls, key fobs, biometric thumb prints, retina scans and even face recognition. You would think that since multi-factor authentication is fairly widely known to be successful in preventing credential theft and identity impersonation that most organizations would be implementing this by now, but you would be wrong. Many organizations have failed to deploy multi-factor authentication and too often find themselves using it after a major loss or reputation bashing after a breach.

Targeted User Training

Employees should be trained regularly and tested to increase their security awareness of the latest and most common attacks. Historically, the HR department, marketing, sales and operations mid-level employees haven’t been trained extensively about security threats, but that needs to change now. Cybercriminals know this as well, and are successfully taking advantage of this to gain initial entry. Every person in an organization that has a login needs to be trained on what to look for and what to do when they spot a threat.  Staging simulated attacks for training purposes is the most effective activity for prevention and promoting an employee mindset of staying on alert. Tracking who falls for the simulated threat, and training them personally on what they need to know is a tactical remedy to get your organization prepared for spear phishing and other forms of attacks.

For employees who handle financial transactions or are higher-risk, it’s worth giving them fraud simulation testing to assess their awareness. Most importantly, training should be companywide and not only focused on executives, as once these attackers are in the gates, without something like real-time artificial intelligence defense and multi-factor authentication in place, it will be extremely difficult to prevent fraud.  

About the Author:

Asaf Cidon is Vice President, Content Security Services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Barracuda Sentinel utilizes artificial intelligence to learn the unique communications patterns inside customer organizations to identify anomalies and guard against these personalized attacks. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.