What's the difference between phishing and spear phishing attacks?

Updated at: Sep 10, 2019
By Gatefy

Difference between phishing and spear phishing

You have probably received, at least once, a suspicious email or text message that tried to deceive you into clicking on a link, filling out a form or giving your credit card information to get access to an exclusive offer. That email was the bait that fraudsters used to try to "fish" your data, which is why those types of attacks are called "phishing", pronounced just like the word "fishing".

Both phishing and spear phishing are methods used by fraudsters to profit from their victims, by either gaining access to their devices or their company's network, gathering sensitive data (especially bank and credit card information) or luring them to pay for a super deal that doesn't exist. The most common way of spreading those attacks is through email, but fraudsters also use text messages, phone calls and social media. 

The best way to prevent those attacks is to know how they work and be aware that you and your company are also potential victims. So check out the basic differences between phishing and spear phishing attacks:

Massive phishing campaigns vs targeted attacks

Typical phishing scams are usually massive campaigns, sent to thousands or millions of users at the same time. Even if only a small percentage of the users fall for the scam, it will still be profitable. Since they normally include some lucrative offer or a request for urgent action (e.g., a form that the IRS is requesting you to fill out ASAP), phishing campaigns spread rapidly. Fraudsters will try to mimic known, reputable enterprises or government agencies in order to reach more people.

Spear phishing, on the other hand, is highly targeted. Cybercriminals study and learn about their victims and use social engineering to give the message more credibility. Instead of trying to pose as trusted enterprises, they go to a more personal level, trying to impersonate someone the victim knows. They usually pose as the CEO, a work colleague or a business partner.

Characteristics of phishing email vs spear phishing email

There are so many massive phishing campaigns being sent every day that users are getting better at recognizing them. The usual signs are:

- Suspicious links and attachments;

- Offers that are too good to be true; 

- Requests for the user to give personal or sensitive information;

- A fake sender's address;

- Misspellings and grammar errors.

Spear phishing, though, is trickier to recognize, since criminals study their victims and compose the message carefully. The email usually includes:

- A well-crafted sender's address or even a real, compromised account from someone the user knows;

- Personal information about the user or the sender;

- A hyperlink, an attachment or a request to send confidential data;

- An urgent request for a bank wire or invoice payment. 

The signs may be harder to see than in massive campaigns, but they are also there. If the request seems odd or if the person who sent the email doesn't usually write like that or doesn't usually send you emails at all, beware and confirm the message by other means, such as calling or writing a new email to the person instead of simply hitting "Reply". And don't ever, EVER click on that link or attachment before confirming it's safe to do so.
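
Several of the spear phishing signs listed above can be checked from the message headers before a user ever opens the email. The following is an added example, not code from Gatefy or from the original article; the organisation domain, executive name, keyword list, distance threshold and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data (hypothetical, not from the article).
ORG_DOMAIN = "corp.example"
EXECUTIVES = {"alice smith"}  # display names an attacker would impersonate
PAYMENT_TERMS = ("wire", "invoice", "payment", "urgent")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spear_phishing_signs(raw: str) -> list:
    """Return which of the listed spear phishing signs a raw message shows."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    signs = []
    # "Well-crafted sender's address": one or two characters off the real domain.
    if 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
        signs.append("lookalike-sender-domain")
    # Known executive's name, but the mail comes from outside the organisation.
    if name.lower() in EXECUTIVES and domain != ORG_DOMAIN:
        signs.append("executive-name-from-external-domain")
    # Hitting "Reply" would send the answer somewhere other than the sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        signs.append("reply-to-differs-from-sender")
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    if any(term in text for term in PAYMENT_TERMS):
        signs.append("urgent-payment-request")
    return signs

# Constructed sample messages (not real mail).
SPOOFED = """From: Alice Smith <alice.smith@c0rp.example>
Reply-To: a.smith.office@mailbox.test
Subject: Urgent wire needed today

Please process the attached invoice before noon.
"""
LEGIT = """From: Alice Smith <alice.smith@corp.example>
Subject: Lunch on Friday

Are you free at 12?
"""
```

A message sent from a real, compromised account passes the sender checks, so the out-of-band confirmation described above still applies.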

Remember: any person or company may be a target for both types of phishing, so invest in training and security and stay alert.