What is the difference between phishing and spear phishing attacks?

Updated at: Dec 03, 2020
By Gatefy

Business man representing phishing and spear phishing scams.

You have probably received, at least once, a suspicious email or text message that tried to deceive you into clicking on a link, filling out a form, or giving your credit card information to get access to an exclusive offer.

That email was the bait that fraudsters used to try to "fish" your data -- hence why those types of attacks are called "phishing", pronounced just like the word "fishing".

Both phishing and spear phishing are methods or scams used by fraudsters to profit from their victims, by either gaining access to their devices or their company's network, gathering sensitive data (especially bank and credit card information), or luring them to pay for a super deal that doesn't exist.

The most common way of spreading those attacks is through email, but fraudsters also use text messages, phone calls, and social media. 

The best way to prevent those attacks is to know how they work and be aware that you and your company are also potential victims.

So check out the basic differences between phishing and spear phishing attacks:

Difference between phishing and spear phishing attacks

1. Phishing

Typical phishing scams are usually massive campaigns, sent to thousands or millions of users at the same time. Even if only a small percentage of the users fall for the scam, it will still be profitable.

Since they normally include some lucrative offer or a request for urgent action (e.g., a form that the IRS is requesting you to fill out ASAP), phishing campaigns spread rapidly.

Fraudsters will try to mimic known, reputable enterprises or government agencies in order to reach more people.

According to an FBI report, phishing scams caused losses of more than USD 57 million in 2019. Phishing is at the top of the list as the cyber threat with the highest number of victims.

2. Spear phishing

Spear phishing, on the other hand, is highly targeted. Cybercriminals study and learn about their victims and use social engineering tactics to give the message more credibility.

Instead of trying to pose as trusted enterprises, they go to a more personal level, trying to impersonate someone the victim knows.

They usually pose as the CEO, a work colleague, or a business partner. Have you heard of CEO Fraud?

CEO Fraud is a BEC (Business Email Compromise) scam. In 2019, according to the FBI, BEC caused losses of USD 1.7 billion. It's the type of scam that most damages companies.

Characteristics of phishing email

There are so many massive phishing campaigns being sent every day that users are getting better at recognizing them.

The usual signs are: 

  • Suspicious links and attachments.
  • Offers that are too good to be true.
  • Requests for the user to give personal or sensitive information.
  • A fake sender's address.
  • Misspellings and grammar errors.

Characteristics of spear phishing email

Spear phishing, though, is trickier to recognize, since criminals study their victims and compose the message carefully.

The email usually includes:

  • A well-crafted sender's address or even a real, compromised account from someone the user knows.
  • Personal information about the user or the sender.
  • A hyperlink, an attachment or a request to send confidential data.
  • An urgent request for a bank wire or invoice payment. 

The signs may be harder to see than in massive campaigns, but they are also there.

If the request seems odd or if the person who sent the email doesn't usually write like that or doesn't usually send you emails at all, beware and confirm the message by other means, such as calling, for example.

Don't ever click on that link or attachment before confirming it's safe to do so.

Remember: any person or company may be a target for both types of phishing, so invest in training and security and stay alert.

How to protect your company: antiphishing solution

If you want to protect your company's data by investing in email security solutions that fight phishing, spear phishing, and other threats, such as ransomware and malware, contact us. We know how to help you.

If you prefer, you can request a demo by accessing this link.