What is spear phishing?

Updated at: Oct 01, 2019
By Gatefy

Spear phishing is a highly targeted email attack. It's a type of scam that targets a specific company, agency or individual. The attacker impersonates a trusted person or brand and creates a fake story to steal confidential information, gain access to the victim's devices or their company's network, or even lure them into sending money or paying for bills that don't exist.

Spear phishing and phishing

We like to say that spear phishing is the evolution of phishing. Basically, the difference between them is the number of people targeted by the fraud.

Phishing scams are usually massive campaigns. The criminal creates a fake email and sends it to thousands or millions of users at the same time. Now you can see why phishing is so popular with cybercriminals.

Spear phishing is the opposite. It's a well-crafted scam aimed at a specific target. That's why spear phishing scams rely heavily on social engineering. The fraudsters investigate as much as possible about their victims. They make an X-ray of the targets, studying their interests, preferences and routine. Why? To have a better chance of success, of course.

How spear phishing works

Lying, manipulating, persuading, forging, and using malicious attachments and URLs are some of the tools used by fraudsters in spear phishing scams. To succeed, they need to rely on human failure, also called the “human factor”.

Let's use the example of RSA, a security company, to illustrate it. In 2011, the hacker impersonated an employee of the company and sent an email with a document attached to a group of employees. The subject of the email was "Recruitment Plan". The problem: the attachment contained a malicious file. Now you may ask: what about the loss? It's estimated at USD 66 million.

This is just one example. There are countless other cases and, contrary to what people imagine, spear phishing doesn't hit only large enterprises. Small and medium-sized businesses have been increasingly targeted by this kind of attack.

The most common types of spear phishing are known as Business Email Compromise (BEC), CEO Fraud and Whaling. The names are used interchangeably and refer to threats aimed at companies’ employees and C-level executives.

How to prevent spear phishing

Look for email protection software with a sandbox, anti-spam, anti-virus, and advanced scanning engines. It helps your organization filter and block spam, malware and other threats. Moreover, you should invest in security awareness. Train your team to recognize the main characteristics of spear phishing and phishing attacks.
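The two sections above describe what a spear phishing email tends to contain (a trusted name on an external address, a lookalike domain, a mismatched reply address, a document attachment that carries code) and that filtering software should catch it. The following added example, written for this article and not code from Gatefy or any product, shows a small version of the header and attachment checks such a filter would run. The organisation's domain, the list of protected names, the risky extensions and the two sample emails are all constructed assumptions for the demonstration.

```python
import os
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions: the organisation's own mail domain and the
# people whose names an attacker would most plausibly borrow.
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe", "john smith"}
# Attachment extensions that can carry executable code or macros.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".docm", ".xlsm"}


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spear_phishing_indicators(raw_message: str) -> list:
    """Return a list of human-readable reasons why the message looks like spear phishing."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display-name impersonation: a protected person's name on an outside address.
    if display_name.strip().lower() in PROTECTED_NAMES and from_domain != ORG_DOMAIN:
        reasons.append(f"display name '{display_name}' used from external domain {from_domain}")

    # 2. Lookalike sender domain: one or two characters away from our own domain.
    if from_domain != ORG_DOMAIN and 0 < _edit_distance(from_domain, ORG_DOMAIN) <= 2:
        reasons.append(f"sender domain {from_domain} resembles {ORG_DOMAIN}")

    # 3. Reply-To pointing somewhere other than the sender: replies go to the fraudster.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from sender domain")

    # 4. Attachments with extensions that can execute code or macros.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment '{filename}'")

    return reasons


# Constructed sample: a lure in the style of the "Recruitment Plan" case above.
SUSPECT_MESSAGE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <recruiting@mail-service.example.net>
To: staff@example.com
Subject: Recruitment Plan
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached plan today.
--b1
Content-Type: application/octet-stream; name="Recruitment Plan.xlsm"
Content-Disposition: attachment; filename="Recruitment Plan.xlsm"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed sample: the same subject sent legitimately from inside the organisation.
LEGITIMATE_MESSAGE = """\
From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: Recruitment Plan

Please review the plan in the shared drive.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, "->", spear_phishing_indicators(raw) or "no indicators")
```

The suspect message trips all four checks and the legitimate one trips none. A production gateway would add SPF, DKIM and DMARC results and detonate the attachment in a sandbox, as the article recommends; these header and attachment heuristics are the part that specifically targets the impersonation and lure elements spear phishing depends on.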