Europol on Methodology Behind Successful Spear Phishing Attacks

“Spear phishing… remains the principal attack vector for most cybercrimes,” says Europol in a new report. Sixty-five percent of targeted attack groups use it as their primary infection vector, while 32% of breaches involve phishing. During 2018, up to 0.55 % of all incoming emails were phishing emails, while phishing was present in 78% of cyber espionage incidents.


In its attempt to alleviate cybercrime, Europol has established advisory groups for financial services, communication providers and internet security. It meets with private sector partners in these advisory groups to discuss industry-specific cybercrime threats and trends to enable development and cooperation on joint public/private action plans.

Over two days in March 2019, 70 global financial institutions, internet security firms, and telecommunications providers met and shared insights on phishing. Now Europol has published (PDF) the outcome of that meeting in what it describes as “a unique, law enforcement-industry view on the threat of spear phishing.”

Steven Wilson, Head of Europol’s European Cybercrime Centre commented: “Spear phishing is a major enabler of some of the most serious forms of cybercrime, especially ransomware, and can cause real harm to European citizens and organisations. We can only tackle a threat of this scale effectively by working closely with key partners from across industry. The EC3 Advisory Groups and this report are a reflection of our ongoing cooperation to tackle the threat from cybercrime.”

The report largely ignores scatter-gun, spam-based phishing campaigns. These are more easily detected and blocked. A reconnaissance-based targeted attack against a specific individual is a different matter. The problem is that the reconnaissance phase is simple and requires no technical expertise. Primarily, phishers’ data comes from two sources — the target company’s own online presence, and the phish recipient’s personal information from social media accounts.

From the first, a key source is the job listings that companies post. “A typical vacancy notice,” says Europol, “not only covers detailed descriptions of the tasks and responsibilities for a specific role in the organisation in question (processes), but also often includes information about whom the job holder reports to and manages (structure), as well as what skills and knowledge are needed (software).” From social media accounts, the attackers can learn personal interests and hobbies, and relationships with colleagues within the target organization. All that then remains for a compelling spear phishing attack is the target’s email address — and this can usually be obtained, or reliably guessed, by services such as

The attack phase involves persuading the target that the email has come from a trusted source or person. This means sending it from an email address belonging to the company (the basis of BEC attacks, and the newer variant known as vendor email compromise); or from a false look-alike domain. The email itself will either seek to send the recipient to a phishing website (seeking to collect credentials or deliver malware), persuade the recipient to download and open a malicious file, or it will include a weaponized attachment that the recipient is persuaded to open. 

Forty-eight percent of malicious attachments are now Office documents and will contain fileless macro-based attacks that leave no malware file on the endpoint that can be detected by anti-malware signature engines. In this type of attack, the entire purpose of the well-constructed and well-researched email is to persuade the recipient to accept the email and allow any macros to run.

Europol believes that defense against spear phishing is a combination of technical solutions and user awareness. The technical solutions are a combination of policy and software. Policy solutions include approaches that disable uncertified macros and enforce two-factor authentication, but also include more complex policies such as publishing a Sender Policy Framework (SPF) record in the DNS and implementing Domain-based Message Authentication, Reporting and Conformance (DMARC). The latter is a widely recommended solution to phishing (or more specifically, phishing that impersonates the company’s own brand), but has had patchy take-up so far.

Europol’s own Internet Organised Crime Threat Assessment 2019 report (PDF, published in October 2019) states, “according to one study, DMARC adoption is non-existent at 80% of organisations.” Without widespread adoption, DMARC offers little protection against the wider phishing problem.
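An adoption figure hides an important distinction: a DMARC record published with p=none only generates reports, while spoofed mail is still delivered. The following is an added example (not from the article or the Europol report) that classifies a domain’s SPF and DMARC posture from its DNS TXT records; the domain names and records are constructed sample data, and a dict stands in for live DNS lookups.

```python
"""Classify SPF/DMARC posture from DNS TXT records (constructed sample data)."""

# Constructed sample TXT records, keyed by the DNS name that would be queried.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mail.test ~all"],           # SPF softfail
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "good.test": ["v=spf1 ip4:192.0.2.0/24 -all"],                     # SPF hardfail
    "_dmarc.good.test": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:r@good.test"],
    "partial.test": ["v=spf1 include:_spf.mail.test -all"],
    "_dmarc.partial.test": ["v=DMARC1; p=quarantine; pct=25"],         # only 25% enforced
    "absent.test": ["some-unrelated-verification=abc"],                # no SPF, no DMARC
}

def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; None unless it is a v=DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def spf_posture(txt_records):
    """Return the result the 'all' mechanism yields for unlisted senders."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"
    for token in spf[0].split():
        if token.lstrip("+-~?").lower() == "all":
            qualifier = token[0] if token[0] in "+-~?" else "+"
            return {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "permissive"}[qualifier]
    return "neutral"  # no 'all' mechanism: default SPF result is neutral

def dmarc_posture(domain, txt):
    """'enforcing' only when p=quarantine/reject applies to 100% of failing mail."""
    for record in txt.get("_dmarc." + domain, []):
        tags = parse_dmarc(record)
        if tags is None:
            continue
        policy = tags.get("p", "none").lower()
        pct = int(tags.get("pct", "100"))
        if policy in ("quarantine", "reject"):
            return "enforcing" if pct == 100 else "partial"
        return "monitoring"  # p=none: reports only, spoofed mail is still delivered
    return "none"

def classify(domain, txt=SAMPLE_TXT):
    """Posture summary for one domain; 'protected' needs SPF plus enforcing DMARC."""
    spf, dmarc = spf_posture(txt.get(domain, [])), dmarc_posture(domain, txt)
    return {"spf": spf, "dmarc": dmarc, "protected": spf != "none" and dmarc == "enforcing"}
```

Only good.test would stop a look-alike of its own domain at a receiving mail server; the other three would count as “adopted” in a survey that checks for the mere presence of a record.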

The report does not highlight any specific anti-phishing software solutions, but does list some of the elements that go into such products and can also be directly used by companies. These include blocking known malicious IP addresses using domain blocking lists, and blocking emails that ask for credentials or other personal information. It also notes that “with the continuous progress made in artificial intelligence and machine learning, it may well be possible to use these techniques to help optimise successful detection and filtering of even sophisticated phishing attacks.” Noticeably, however, one school of thought suggests that machine learning will never be the best solution to spear-phishing because the data pool from which the machine learns is too small for the accuracy it needs. This is not a universally held opinion.

The user awareness solution to spear phishing is given some prominence. This lists the type of phishing clues that users can be taught to recognize. It adds that awareness and education can “be achieved by systematically attacking users with real case scenarios by means of a phishing simulation (phish your own employee) with appropriate follow-up steps taken depending on the click-through-rates (CTRs) of the staff (increasing difficulty for good performers and providing tailored guidance for others).”

There is no doubt that the ‘simulated phishing’ market for readymade products is expanding rapidly. Despite this, a survey conducted by GetApp in September 2019 found that only 30% of companies conduct any phishing testing on their staff. Furthermore, it is unclear whether improving the phish training regimes will not result in new problems. A separate report from Agari suggests that user-reported phishing attempts are rising at a far faster rate than security staff levels can adequately handle. Many of these reported phishing attempts are false positives, but all need to be investigated. With increased time pressure on the staff triaging these reports, there is increased danger that some genuine phishing attempts will slip through.

The danger in using automated phish training is that it can persuade users to report anything even slightly suspicious, even when it is harmless. Indeed, the Europol report stresses, “If in doubt, the email should be forwarded as an attachment to a dedicated contact point within the targeted organisation.” Since the user cannot necessarily tell whether an email is a real phish or a targeted simulation, he or she may flag it as a phish simply for fear of failing the test.

While there are policy, technology and training solutions that can help mitigate the spear phishing threat, it doesn’t seem as if any are foolproof. Spear phishing, already perhaps the major threat to businesses, will continue to grow. Noticeably, in the final section of the report, Europol almost seems to be getting its excuses into the body of its own report. It concerns the loss of WHOIS data following the activation of GDPR. “WHOIS information no longer being directly available for law enforcement, public safety agencies and cyber security researchers,” it warns, “significantly harms the public interest, the rule of law online and undermines efforts to investigate and prevent cybercriminal spear phishing campaigns.”


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
