What is Spear Phishing?

What is a Spear Phishing Attack?

No sharp objects are involved in a spear phishing attack; instead, an internet scammer will target an individual or an organization with a carefully crafted email. In this email, a scammer or cybercriminal poses as a trusted source, in order to trick the recipient. The end goal of this social engineering scam is to acquire confidential information that can be used for fraudulent purposes or blackmail.

These attacks may play out over social media direct, email, and direct messaging apps. They’re effective when the victim believes that the message comes from a trustworthy source.

What is the Difference Between Phishing & Spear Phishing?

When someone is fishing, they’re casting a baited hook into a body of water, hoping for a bite from any fish that might swim by. Spear fishing is significantly more targeted, a fisherman is looking for a specific fish and is planning to snare it with a spear, as opposed to a lowly hook.

When it comes to social engineering attacks, phishing is an email scam that may be sent out to thousands of people, hoping to trick them into clicking a link that infects a device with malware or giving up some sort of personal information like a password or an account number. There is an expectation with phishing attacks that only a very small percentage of those who received the message will fall for it, so scammers will cast a very wide net.

Microsoft Defender

Stay safer online with one easy-to-use app<sup>1

1</sup>Microsoft 365 Personal or Family subscription required; app available as separate download

Learn more

Spear phishing is significantly more targeted; an attacker will typically conduct research into their victims. Instead of being a generic message, a spear phishing message might spoof your boss’s email address and ask for certain login credentials. This kind of attack might target a single person or a handful of individuals who have been identified by a social engineer as being likely to fall for the scam. If the scam is a success, attackers can gain access to personal information or proprietary company information. They can use this information to commit fraud or can hold it hostage for ransom money. Either way, a spear phishing attack can cause enormous problems for an individual or an organization.

Examples of Spear Phishing

A spear phishing attack can work in several different ways. However, the attacker has always done their homework about the victim and will be attempting to get them to fall for the scam by personalizing it.

• Attachments.
  Attackers may send over a malware attachment disguised as an ordinary document. Instead of hoping you’ll enter your account information into a form, the malware might be logging all your computer’s activity, providing personal information to those who would use it to hurt you or your business.
• Ransomware.
  A spear phisher might pose as a family member, friend, or coworker and send you a message containing a link to a funny video or a picture. However, when you click the link, your device is taken over by ransomware, and you must pay in to have control restored to you. If you do not pay the ransom, these scammers have access to everything on your device, causing personal and professional problems.
• Authority Figure.
  In these types of scams, a criminal may pose as an authority figure, like a CEO or a manager, and ask for an urgent favor. They may claim to be stranded somewhere and need funds wired to them or send a message indicating that they’re locked out of an account and need login credentials. These messages are typically requesting quick action, hoping to catch a potential victim off guard and fool them in to handing over sensitive information.

How Can You Protect Yourself from Spear Phishing?

Traditional computer security programs may not be able to stop these kinds of attacks because they’re cleverly customized to suit each victim. It’s up to everyone to stop a spear phishing attack from being successful. A single mistake can have disastrous results for an organization, so employees need to be aware of the threat of a bogus email in their inbox. These are a few ways that people can defend against spear phishing attacks:

• Avoid clicking links or downloading attachments from unknown sources.
• Be wary of unsolicited or unexpected messages that convey an extreme sense of urgency. If someone you rarely have contact with, like the CEO of your company, is messaging you on a Sunday night and asking you for money, that message is probably not actually from your CEO.
• Verify suspicious messages with the sender through a phone call or a face-to-face conversation. If something sounds off, or too good to be true, it probably is.
• Limit the amount of personal information that you share on social media and other websites, which can be used to help criminals personalize spear phishing messages aimed at you.

These personalized attacks can be hugely detrimental, so be wary of any strange messages, links, and attachments that you may receive.