What is Spear Phishing?

We’ve already covered phishing: a fraudulent email sent out to everyone and their uncle in an attempt to lure the recipient into giving up confidential information, such as passwords, or into opening a malicious document. Regular phishing is a “spray and pray” method for cyber criminals to gain access to your system. But what then is spear phishing?


Spear phishing works very similarly to phishing. The main difference is that the fraudulent email is in some way tailored to the recipient. That means the cyber criminals have singled out who they want to manipulate and designed their email accordingly. Unlike a traditional phishing scam, the message indicates that the sender knows who they’re reaching out to.

Examples of Spear Phishing scams

  1. Restaurant staff receive an email from a sender who wishes to place an order. Attached is a Word document with instructions. Enabling editing on that document lets the malware it carries run. This happened at the popular restaurant chain Chipotle, and millions of customer credit card numbers were stolen.
  2. A small group of employees receive an email with an Excel document attached called “2011 Recruitment Plan”. A Flash object was embedded in the file. The email was automatically filtered into the junk mail folder, so a second email was sent as a “reminder” asking recipients to check their junk mail folder. It only took one employee to fall victim to this scam. This happened at RSA, the security unit of data-storage company EMC Corp.
  3. A very common spear phishing scam uses the name and a similar-looking email address of a high-ranking executive to scam employees lower down the chain. This is also referred to as whaling, a type of CEO fraud. In 2015 Ubiquiti Networks Inc handed over more than $40 million after a successful CEO fraud.
  4. It’s not just big businesses that are targeted. General consumers are also victims of spear phishing, and PayPal and Amazon users are a favorite. There seems to be no end to fraudulent emails sent out in the name of these two companies. Usually these are general phishing emails, but every once in a while scammers up the ante and send very specific emails to specific targets. Always view such emails with a healthy level of distrust, even if you just placed an order and are expecting their email.

They are watching you

Social media is a good place for spear phishing cyber criminals to learn their intended victim’s interests and hobbies. They can also find information about the victim’s family, where they live and what kind of car they drive. All of this information can be used to craft a specific message that the recipient will be more likely to fall for.


Cyber criminals increasingly exploit personal information, discovered through social engineering, to carry out their schemes.

Who’s a potential spear phishing target?

A spear phishing email will appear to have come from a trustworthy source but will send the recipient to a bogus website with malware or include an infected document. The attacks are individually designed and often target high-ranking employees. Because of the sophisticated way these spear phishing emails are designed, even top executives have fallen for them with drastic consequences.


Spear phishing emails often feature the recipient’s hobbies to lure them in.

Everyone is a potential target for spear phishers. Therefore, everyone within an organisation needs continuous cyber security awareness training. It’s also a good rule of thumb to be constantly vigilant about what information you share about yourself online. Spear phishers are not only looking for ways to breach companies; they also use this information for identity theft.

What does Spear Phishing do?

Because of spear phishing’s clever customization, these scams often go undetected. Data breaches often go unnoticed for several months, and by the time they’re discovered it is unlikely that an employee will remember receiving a customized spear phishing email.

It only takes one employee to trust a customized email and open a malicious document or website for there to be severe consequences. This opens a door for the cyber criminals to steal important and sensitive data from the company, its employees and its customers alike. If the spear phishing attack contains malware, the organisation’s data can be held to ransom or its computers hijacked into botnets used for other cyber attacks.


How to avoid Spear Phishing?

First and foremost: Be aware! Train your employees and then train them some more!

  • If you did not sign up for an email, even if it is about your hobby or interests, you probably shouldn’t be getting one.
  • Always keep in mind that you can be the recipient of a bogus email, even if it appears to come from a trusted source.
  • Don’t click links in emails. Instead, type the website address in yourself.
  • Verify URLs. Hover over links to check whether the address contains a typo or a look-alike domain. A typo in a URL is a very big warning sign.
  • Never give out personal data. That means passwords and account numbers, and it also means not revealing too much on social media.
  • Only use your work email for work-related matters. If you are used to receiving only work-related emails, you will be suspicious if you suddenly start receiving emails from sources that should not have your work email address, such as your bank, online shops and other non-work-related organisations.
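The “hover over links” and “verify URLs” advice above can also be automated on the mail gateway or in a helpdesk triage script. The following is an added example written for this article, not code from the original page or from any vendor: it pulls every link out of an HTML email body and flags the two patterns the list warns about, namely displayed text that points at a different site than the real link target, and destinations whose domain imitates a brand the organisation trusts. The TRUSTED_DOMAINS allowlist and the sample email are constructed for illustration (the IP address is from the documentation range), and the “registrable domain” helper is a deliberate simplification that does not consult a public suffix list.

```python
"""Flag suspicious links in an HTML email body (defender-side triage check).

Constructed example: the allowlist and the sample message are made up.
"""
import difflib
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hypothetical allowlist of brands the organisation legitimately deals with.
TRUSTED_DOMAINS = {"paypal.com", "amazon.com", "example-bank.com"}


def registered_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.

    Good enough for .com-style hosts; a real deployment would use a
    public-suffix list so that e.g. shop.co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is
    either genuinely trusted or not similar to anything on the allowlist."""
    if domain in TRUSTED_DOMAINS:
        return None
    brand = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        trusted_brand = trusted.split(".")[0]
        # Typo-squat: brand label spelled almost the same (paypa1 vs paypal).
        if difflib.SequenceMatcher(None, brand, trusted_brand).ratio() >= 0.8:
            return trusted
        # Brand name buried inside an unrelated registrable domain.
        if trusted_brand in domain:
            return trusted
    return None


def check_links(html: str) -> List[Dict]:
    """Return one finding (href, text, reasons) per suspicious anchor."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        href_dom = registered_domain(href_host)
        reasons = []
        # 1. Displayed text looks like a URL but the real target is elsewhere.
        shown = None
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and registered_domain(shown) != href_dom:
            reasons.append(f"text shows {shown} but link goes to {href_host}")
        # 2. Destination domain imitates a trusted brand.
        target = lookalike_of(href_dom)
        if target:
            reasons.append(f"{href_host} resembles trusted domain {target}")
        # 3. Raw IP address as the destination is a classic warning sign.
        if href_host and href_host.replace(".", "").isdigit():
            reasons.append("link points at a raw IP address")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: one benign link, one typo-squat, one text/target mismatch.
SAMPLE_EMAIL = """
<p>Your order is on its way.</p>
<a href="https://www.amazon.com/orders">Track your order</a>
<a href="http://www.paypa1.com/login">Confirm your PayPal account</a>
<a href="http://192.0.2.10/verify">https://www.example-bank.com/login</a>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, the script reports the paypa1.com link as a look-alike of paypal.com and the third link both for pointing at a raw IP and for showing a bank address that differs from the real target, while the genuine Amazon link is left alone. The similarity threshold and the allowlist are tuning knobs; in practice the allowlist should be the set of domains your organisation actually corresponds with, which is exactly the “only use your work email for work” principle expressed as data.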