
Updated Jan 03, 2024

How Companies Are Detecting Spear Phishing Attacks Using Machine Learning

Andrew Goldberg, Community Member


The vast majority of successful cyberattacks occur because someone inside a business or organization has made a mistake, not because of a technical defect or an oversight by the IT team. Most cyber defenses are breached through a strategy called social engineering.

Social engineering involves sleight-of-hand maneuvers and misdirection. Its purpose is to convince someone to act in a way they don’t realize will harm their business, employer or themselves. 

Spear phishing is a sophisticated social engineering tactic that relies on appeals to organizational authority. We’ll explain more about spear phishing and how machine learning is being used to fight the threat.

What is spear phishing?

Most people are familiar with phishing, which is when an attacker sends a malicious email masquerading as a legitimate message. Typical phishing emails pretend to be notifications from trusted organizations — such as banks, Amazon or Netflix — asking recipients to log in to their account to fix a supposed issue. Of course, the provided link isn’t authentic; it mimics the purported organization and sends the unsuspecting user to a bogus site owned by the bad actor. 

Cybercriminals hope their phishing emails and dummy websites are convincing enough that users enter their login credentials and other personal information; the phishers can then control user accounts, make purchases, orchestrate a data breach, extract financial information and more.  

Spear phishing is a more targeted phishing scam that preys on businesses. Instead of relying on a pretext that applies to a large group (like an email from a popular bank), spear phishers research their intended targets and tailor their malicious emails to them. For example, they may use a company logo and a CEO’s name in an email instructing a hapless employee to perform an action, such as wiring money. Because spear phishing emails look more sophisticated, realistic and personal, they’re more likely to trick their targets.

Did you know?

Although it’s essential to use social media for business, executives may inadvertently give away revealing information that attackers pick up on and use to make their phishing emails more convincing. Consider creating a policy limiting what can be shared online.

How does machine learning combat spear phishing?

Machine learning is a powerful tool for identifying and interpreting patterns and anomalies in data. Machine learning can boost business growth by streamlining inventory management, identifying more efficient logistics and performing sentiment analysis. However, it can also use its pattern-finding abilities to help detect and combat spear phishing attacks.

Machine learning is being used in three primary ways to fight spear phishing: social graph analysis, user communication profiling and email structural analysis. 

Social graph analysis

Companies have typical communication patterns. For example, accounting department members likely email each other frequently. However, it would be unusual for a CEO to email an accounting intern. 

Spear phishing attacks typically utilize an unusual communication path within a company. For example, a typical business email compromise (BEC) attack might have a spear phisher pretend to be the CEO and contact a lower-level staff member with nefarious instructions, in hopes of exploiting the employee’s instinctive reaction to obey authority. 

Machine learning can detect and help prevent spear phishing by creating a “social graph” of a company’s typical communication patterns and flagging strange communications. Building a social graph is straightforward: the algorithms read only the sender and recipient information in the headers of emails sent within the company, observing who communicates with whom without reading the contents of the messages. The graph is built by weighting each connection between employees according to how often they communicate.

Machine learning algorithms monitor and observe connections in email communications, compare them to the model, and flag anomalous messages. While there’s a chance these emails are legitimate, providing a warning decreases the probability that the recipient will be fooled by an attack.
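As an added illustration (not code from the article or from any vendor), the following Python builds such a graph from a constructed set of From/To header pairs and flags a message whose sender-to-recipient path the graph has rarely or never seen. The addresses, the history and the 5 percent threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed sender/recipient pairs standing in for a company's mail-header archive.
# Only From/To are used; message bodies are never read.
HISTORY = (
    [("alice@example.com", "bob@example.com")] * 8
    + [("bob@example.com", "alice@example.com")] * 6
    + [("ceo@example.com", "cfo@example.com")] * 5
    + [("cfo@example.com", "alice@example.com")] * 3
)

def build_social_graph(pairs):
    """Directed graph: graph[sender][recipient] = number of messages observed."""
    graph = defaultdict(Counter)
    for sender, recipient in pairs:
        graph[sender][recipient] += 1
    return graph

def edge_strength(graph, sender, recipient):
    """Share of the sender's outbound mail that went to this recipient (0.0 if never)."""
    outbound = graph.get(sender, Counter())
    total = sum(outbound.values())
    return outbound[recipient] / total if total else 0.0

def flag_message(graph, raw_headers, threshold=0.05):
    """Return (is_anomalous, strength) for one message, using only its headers."""
    msg = message_from_string(raw_headers)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    strength = edge_strength(graph, sender, recipient)
    # A path the graph has never (or almost never) seen earns a warning to the recipient.
    return strength < threshold, strength
```

A CEO-to-intern message scores 0.0 against this history and is flagged, while routine accounting traffic passes.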

Did you know?

BEC attacks are a common type of business scam that’s continuing to grow. The FBI’s Internet Crime Complaint Center reported losses of over $2.7 billion from BEC scams in 2022 alone, making it one of the most financially damaging online crimes.

User communication profiling

Everyone expresses their unique style and voice when writing emails. Some email etiquette characteristics are generally applicable (e.g., few CEOs use emoji in business communications), while other idiosyncrasies are more specific (e.g., someone may have a favorite phrase they use frequently). These differences can help detect and protect against spear phishing emails.

Natural language processing (NLP) is a field that teaches computers to understand and model language. Using NLP techniques, you can analyze written text and extract identifying features. For example, the use of a dangling preposition (like the “for” in “What do you want that for?”) is more common in some areas (and the people who grew up in those areas) than in others. Also, people have different vocabularies; a simple statistical analysis of word and phrase choice and preferred sentence structure and complexity can help to differentiate various people’s writing. 

Machine learning anomaly detection algorithms can use linguistic analysis to detect specific types of spear phishing emails. If someone writes an email in their own voice but signs it as the CEO, the message won’t fit the profile generated from the CEO’s legitimate emails. 

However, this method may not be able to detect spear phishing emails that use a legitimate email as a template but change the destination of a few links. This technique is best used in combination with other spear phishing detection methods. 
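To make the profiling idea concrete, here is an added example (not from the article or from any product) that builds a simple stylometric profile from three constructed emails signed by an executive, then scores a new message on vocabulary similarity and two style markers. The sample emails, the name “Dana”, the 0.5 similarity threshold and the tolerance rules are assumptions for the example.

```python
import math
import re
from collections import Counter

WORD_RE = re.compile(r"[a-z']+")

# Constructed legitimate emails from one executive ("Dana"), used to build the profile.
CEO_EMAILS = [
    "Team, please review the attached quarterly numbers before Thursday. Thanks, Dana",
    "Please send me the revised forecast when you have a moment. Thanks, Dana",
    "Could you review the vendor contract and send comments by Friday? Thanks, Dana",
]

def features(text):
    """Word bag plus two style markers: average sentence length and exclamation count."""
    words = WORD_RE.findall(text.lower())
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    avg_len = len(words) / max(len(sentences), 1)
    return Counter(words), avg_len, text.count("!")

def build_profile(emails):
    """Aggregate vocabulary and average the style markers over known-good emails."""
    vocab, lens, bangs = Counter(), [], []
    for text in emails:
        words, avg_len, bang = features(text)
        vocab.update(words)
        lens.append(avg_len)
        bangs.append(bang)
    return {"vocab": vocab, "avg_len": sum(lens) / len(lens), "bangs": sum(bangs) / len(bangs)}

def cosine(a, b):
    """Cosine similarity between two word-count vectors."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def assess(profile, text, min_similarity=0.5):
    """Flag a message signed by the profiled author if its vocabulary or style does not fit."""
    words, avg_len, bangs = features(text)
    similarity = cosine(profile["vocab"], words)
    # Style tolerance: sentence length within 50% of the author's mean, at most one extra "!"
    style_ok = (abs(avg_len - profile["avg_len"]) <= 0.5 * profile["avg_len"]
                and bangs <= profile["bangs"] + 1)
    return {"similarity": round(similarity, 3), "style_ok": style_ok,
            "flagged": similarity < min_similarity or not style_ok}
```

A message reusing the author’s phrasing scores well; a terse, exclamation-heavy one signed with the same name is flagged on both signals, which is exactly the “signed as the CEO but not written like the CEO” case.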

Tip

NLP is also used in interactive voice response technology to help identify keywords and terms in your business’s phone system call tree.

Email structural analysis

When you get an email, you view the sender, recipient, time, subject, message and attachments in your email client. While this is the bulk of the information in most emails, it’s not everything. The less-obvious information can help detect spear phishing attacks.

For example, emails contain the chain of IP addresses an email hopped through from the sender to the recipient. If the sender typically uses Gmail and rarely travels outside the United States, the originating IP address is likely a Google server in the U.S. While the IP address chain can be faked or modified, it typically involves adding hops to conceal the originating address. If a user’s emails typically take a hop or two to reach their destination and one suddenly takes five to 10 hops, it may deserve additional scrutiny.

Another way to detect spear phishing through email structural analysis is by observing which headers are included in the email. For example, Gmail has several headers, including X-GM-Message-State and X-Google-Smtp-Source. If you have an email claiming to be from a Gmail server but it lacks these headers — or an email that’s not from Gmail that does have them — it may be cause for suspicion.

By observing and recording standard structural details of a user’s emails, you can create a user-specific profile for each employee in an organization. Each new email can be compared with this profile using anomaly detection algorithms and flagged to notify the recipient if there’s reason for suspicion.
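The two structural checks described above, hop count against a per-user baseline and the presence or absence of the Gmail-specific headers named in the text, as an added example in Python (not the article’s or any vendor’s code). The baseline, the relay hostnames, the placeholder header values and the hop tolerance are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Header names Gmail's outbound servers add (named in the text above).
GMAIL_MARKERS = ("X-GM-Message-State", "X-Google-Smtp-Source")

# Constructed per-user baseline: how many Received hops this sender's mail normally shows.
BASELINE_HOPS = {"pat.example@gmail.com": 2}

def structural_findings(raw_message, baseline=BASELINE_HOPS, hop_slack=2):
    """Return a list of structural anomalies for one raw message; empty means nothing odd."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    findings = []

    # Each relay prepends a Received header, so their count is the hop count.
    hops = len(msg.get_all("Received") or [])
    usual = baseline.get(sender)
    if usual is not None and hops > usual + hop_slack:
        findings.append(f"{hops} hops vs. usual {usual} for {sender}")

    # Provider fingerprint: Gmail headers should appear on Gmail mail and nowhere else.
    present = [h for h in GMAIL_MARKERS if h in msg]
    if domain == "gmail.com" and len(present) < len(GMAIL_MARKERS):
        findings.append("From claims gmail.com but Gmail headers are missing")
    elif domain != "gmail.com" and present:
        findings.append(f"non-Gmail sender carries Gmail headers: {present}")
    return findings

# Constructed samples; header values are placeholders, not real captures.
LEGIT = """\
Received: from mail-sor-f41.google.com by mx.corp.example; Wed, 3 Jan 2024 08:59:59 +0000
Received: by mail-sor-f41.google.com; Wed, 3 Jan 2024 08:59:58 +0000
X-Google-Smtp-Source: PLACEHOLDER-SMTP-SOURCE
X-GM-Message-State: PLACEHOLDER-MESSAGE-STATE
From: Pat <pat.example@gmail.com>
To: accounting@corp.example
"""
SUSPECT = """\
Received: from relay4.example.net by mx.corp.example; Wed, 3 Jan 2024 09:00:00 +0000
Received: from relay3.example.net by relay4.example.net; Wed, 3 Jan 2024 08:59:59 +0000
Received: from relay2.example.net by relay3.example.net; Wed, 3 Jan 2024 08:59:58 +0000
Received: from relay1.example.net by relay2.example.net; Wed, 3 Jan 2024 08:59:57 +0000
Received: from unknown by relay1.example.net; Wed, 3 Jan 2024 08:59:56 +0000
From: Pat <pat.example@gmail.com>
To: accounting@corp.example
"""
```

The second sample produces two findings (five hops where two are usual, and a gmail.com sender with no Gmail headers); a message from a corporate address that carries Gmail headers is flagged by the reverse check.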

Tip

Employee education is an effective way to protect your business from cybercrime. Experts recommend regular training sessions and simulations, along with a mechanism for staff to report suspicious activities.

Protecting against phishing attacks

Detecting and protecting against spear phishing attacks is a crucial component of an organization’s cyber defense strategy. According to Barracuda’s recent spear phishing trends report, spear phishing attacks are responsible for 66 percent of all data breaches, making spear phishing a significant attack vector. 

Many email protection tools provide basic defense against phishing attacks by checking for malicious links or attachments. However, spear phishing attacks don’t require these elements. Instead, they rely on persuading recipients to do something, like wire money to a specific bank account. 

The best internet security and antivirus software includes email scanning features and phishing safeguards to better protect your company. Combined with employee education, these tools can improve your cybersecurity posture and decrease the probability of a breach.

Mark Fairlie contributed to this article.

Andrew Goldberg, Community Member
I am Chief Scientist at Inky.com, leading development at Inky, an enterprise communications security platform working to protect corporate email from new breeds of sophisticated phishing attacks. Besides full-stack development, my background includes machine learning, big data, and natural language processing applied to text and communications data.