When fishing, it's usually more rewarding to catch a large fish rather than a small one. Some cybercriminals feel the same way. Read on to learn what spear phishing is, why it works so well, and why it is vitally important to recognize it and educate others.
What is spear phishing?
Spear phishing is a form of phishing directed at specific companies or individuals. Cybercriminals pose as legitimate entities, usually in a carefully crafted email carrying a malicious link or attachment, to extract sensitive data from their victims. Because the message is personalized, this social engineering technique is far more dangerous than generic phishing and can fool even tech-savvy digital natives. It has already cost businesses and organizations in the US millions of dollars.
Spear phishing vs phishing
While ordinary phishing is a scattershot attempt to reach as many contacts as possible, spear phishing is a focused attack on one particular target, often aimed at extracting a specific piece of data. It usually involves a single target or a small group, requires careful research on the potential victims, and follows an agenda tailored to them. Where ordinary phishing relies on quantity, spear phishing relies on quality and focus.
This is why spear phishing is one of the most effective attacks. According to Symantec's Internet Security Threat Report 2019, spear phishing is the most popular type of targeted attack: it was used by 65 percent of known attack groups, mostly for intelligence gathering.
Spear phishing examples
Here are a few scenarios of spear phishing:
- Cybercriminals might target a company's CEO to steal data, or the person responsible for the organization's security to obtain privileged logins. Attacks targeting such senior individuals are also known as whaling;
- Cybercriminals research the organization carefully online to decide which people to target. LinkedIn is particularly useful for this;
- Cybercriminals personalize their messages rather than sending blasts of generic ones;
- They imitate the company's tone of voice, communication etiquette and habits to seem more genuine. They may send a number of harmless-looking requests beforehand to learn the company's communication patterns. For example, if they know when payment requests are normally made, they will time a request for money to coincide with the company's payday;
- They study the email addresses the company uses and create similar-looking ones, for instance through services offering temporary email addresses or by registering a look-alike domain.
How to avoid spear phishing
- Do not open attachments or links, or give out any information, at the request of people or organizations you don't know or find suspicious. Always do some research first;
- If you get a suspicious message from someone you know or from a source that looks reliable, verify it with that person or organization through a separate, official channel (a phone number you already have, not the contact details given in the message);
- Do not display your company's email addresses publicly. Use an online contact form to communicate with your customers instead;
- Learn about the different spear phishing methods and educate your employees;
- Keep your security software up to date;
- Always check the sender's email address to see that everything adds up. Even the tiniest difference from the legitimate address (a typo, a swapped letter, a different top-level domain) is an obvious red flag. Remember that the display name can be set to anything, so look at the address itself, not just the name;
- Limit the amount of information you post on social media. Do not share internal data that exposes your company's activities, communication habits or employees' details. Share only essential, neutral information;
- Spelling and grammar mistakes in an email are another red flag;
- Use two-factor authentication and strong, unique passwords.
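The sender-address check in the list above can be partly automated. The Python script below is an added example and is not code from the original article. It classifies a From: header against a list of domains the organization trusts: exact matches and their subdomains pass; a domain that contains non-ASCII characters, that becomes a trusted domain once digit-for-letter substitutions are folded, that hides a trusted domain as a prefix of a longer one, or that is merely very close to a trusted domain is flagged as a look-alike; and a display name that mentions the company brand over an unrelated domain is flagged as suspicious. The trusted domains, the similarity threshold and the sample headers are constructed for illustration.

```python
"""Flag From: addresses that imitate a trusted domain.

Added example, not code from the original article. TRUSTED_DOMAINS, NEAR_MATCH
and SAMPLE_HEADERS are constructed for illustration.
"""
import re
from difflib import SequenceMatcher

# Constructed: domains this organization really sends mail from.
TRUSTED_DOMAINS = {"example.com", "example-corp.com"}

# Constructed threshold: how similar a domain must be to count as a near match.
NEAR_MATCH = 0.85

# Digits commonly swapped for the letters they resemble in typosquatted domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def parse_from(header: str) -> tuple[str, str]:
    """Split 'Display Name <user@host>' or 'user@host' into (name, address)."""
    m = re.fullmatch(r'\s*"?([^"<]*?)"?\s*<([^>]*)>\s*', header)
    if m:
        return m.group(1).strip(), m.group(2).strip()
    return "", header.strip()


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_trusted(domain: str) -> bool:
    """Exact trusted domains and their subdomains pass."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def fold(domain: str) -> str:
    """Fold digit look-alikes and drop dots/hyphens so that 'examp1e.com' and
    'exam-ple.com' compare equal to 'example.com'."""
    return re.sub(r"[-.]", "", domain.translate(CONFUSABLES))


def classify(from_header: str) -> tuple[str, str]:
    """Return (verdict, reason) for a raw From: header value."""
    name, address = parse_from(from_header)
    domain = domain_of(address)
    if not domain:
        return "malformed", "no domain in address"
    if is_trusted(domain):
        return "trusted", domain
    # 'example.com.evil.net' is a subdomain of evil.net, not of example.com.
    if any(domain.startswith(t + ".") for t in TRUSTED_DOMAINS):
        return "lookalike", f"{domain} uses a trusted domain as a prefix of another domain"
    # Homoglyph attacks: a Cyrillic 'е' or 'х' renders like Latin but is a different domain.
    if any(ord(c) > 127 for c in domain) or any(lbl.startswith("xn--") for lbl in domain.split(".")):
        return "lookalike", f"non-ASCII/IDN domain {domain!r}"
    for trusted in sorted(TRUSTED_DOMAINS):
        if fold(domain) == fold(trusted):
            return "lookalike", f"{domain} is {trusted} with characters substituted"
    best = max(TRUSTED_DOMAINS, key=lambda t: SequenceMatcher(None, domain, t).ratio())
    ratio = SequenceMatcher(None, domain, best).ratio()
    if ratio >= NEAR_MATCH:
        return "lookalike", f"{domain} is {ratio:.0%} similar to {best}"
    # Display names are free text: 'Example Corp Payroll <x@gmail.com>' trades on the brand.
    brands = {t.split(".")[0].split("-")[0] for t in TRUSTED_DOMAINS}
    if any(b in name.lower() for b in brands):
        return "suspicious", f"display name {name!r} uses a trusted brand but domain is {domain}"
    return "unknown", domain


# Constructed sample headers, not real mail.
SAMPLE_HEADERS = [
    "Jane Doe <jane@example.com>",
    "IT Helpdesk <helpdesk@mail.example-corp.com>",
    "CEO <ceo@examp1e.com>",
    "Payroll <payroll@exarnple.com>",
    "Finance <finance@\u0435\u0445ample.com>",  # Cyrillic е and х
    "Login <login@example.com.evil.net>",
    "Example Corp Accounts <accounts.example@gmail.com>",
    "newsletter@vendor.org",
]


def scan(headers: list[str]) -> list[tuple[str, str, str]]:
    """Classify every header; returns (header, verdict, reason) rows."""
    return [(h, *classify(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, reason in scan(SAMPLE_HEADERS):
        print(f"{verdict:10} {header:55} {reason}")
```

The similarity check uses difflib's ratio only as a coarse net for substitutions the folding table does not know about (such as "rn" for "m"); tune NEAR_MATCH against your own mail before trusting it, since short domains produce high ratios by chance. None of this replaces verifying a request through a separate channel, it only decides which messages deserve that call.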