What is Spear Phishing?
June 30, 2020 By Patrick Brown
In the last year, nearly 76% of businesses reported a phishing attack. Over 1.5 million new phishing sites are created every month. And phishing accounts for 90% of all data breaches. Phishing continues to be a growing concern for businesses and individuals that do any business online.
Phishing, a social engineering attack typically delivered via email, impersonating a trusted brand or person, uses a wide net to catch victims. Spear phishing, on the other hand, is more targeted.
In this article, we’ll answer the question: “what is spear phishing?” and offer actions you can take to protect yourself and your business from falling victim to a spear phishing attack.
This article is part of our Definitive Guide to Phishing series:
WHAT IS SPEAR PHISHING?
Spear phishing, a type of phishing, targets individuals by impersonating trusted brands or acquaintances. The goal of a spear phishing attack is similar to phishing—steal information or data—but differs in the approach. Each spear phishing attack is targeted to specific individuals.
Unlike whaling (which targets high-level employees, like a CEO or CFO), spear phishing can happen to anyone in your organization.
And it’s a growing threat—30% of targeted phishing messages (or spear phishing) are opened. Fifteen percent of those who are successfully phished (from a broad phishing attempt or a more targeted spear phishing attack) will be targeted at least one more time within the same year.
These emails can be difficult to detect automatically, since they may be custom for each target, and more convincing, since they may use personal details and be structured like a normal email.
Similar to regular phishing, the goal of these emails is to steal sensitive data or get the user to accidentally install malicious software on their device, like ransomware. For more about ransomware, check out our Definitive Guide to Ransomware.
SPEAR PHISHING EXAMPLES
Spear phishing emails can often be structured to appear important and time sensitive. In one 2013 example, the FBI warned individuals and businesses about a spear phishing attack that appeared to come from the National Center for Missing and Exploited Children. The subject line, “Search for Missing Children” was compelling and many fell victim, believing the email was legitimate.
In 2015, Ubiquiti Networks, Inc., a network technology company, lost millions of dollars because of a spear phishing attack. The spear phishing email targeted the finance department, impersonating another employee. Funds were transferred to overseas accounts as multiple employees believed they were completing requests from executives. The look-alike domains and email addresses appeared legitimate and the company lost $46.7 million.
HOW TO PREVENT SPEAR PHISHING
What can you do to prevent spear phishing at your organization? Creating an in-depth cyber defense plan should be your long-term goal, but here are three ways to get started:
1. Educate employees. Educate your employees on the social engineering techniques that spear phishing attacks typically use. Spear phishing attacks are well crafted and often slip through email gateways because they are so personalized. Ensure your employees are trained to look for suspicious messages, correct email addresses, and verification of the email sender.
2. Implement data protection policies. Ensure that employees do not release sensitive information via email responses by implementing data protection policies. Educate your employees on proper channels for sensitive information and require training annually.
3. Employ a cyber defense strategy. Implement protections within your organization that can help prevent your employees from falling victim to a spear phishing attack. Require MFA (multi-factor authentication), perform timely software updates, and back up data frequently and consistently.
To learn more about phishing and how you can defend your organization from the other types of cyber attacks, read The Definitive Guide to Phishing.