If you have read our posts related to social engineering plots (phishing, smishing, whaling and vishing), you already know that many kinds of scams are derived from phishing. But it’s important to learn about the most prevalent one, spear phishing. Unfortunately, this kind of fraud is also the most dangerous for businesses.
What is spear phishing?
Spear phishing is a specific kind of phishing where the victim is targeted and deceived by using accurate personal information gathered beforehand. For example, the hacker can use your public data obtained from your social media accounts to convince you their message is authentic.
Let’s say you’ve just bought a house and posted the news on Facebook. Thanks to one of your comments on LinkedIn, the hacker discovers your banker’s name and agency. From there, he just needs to create a seemingly trustworthy email address using that information, and there you have it! He can then ask you to transfer some money to a specific account, pretending you must do so in connection with your mortgage. If you are not careful enough, this is how you’ll get scammed.
Sometimes, the authors of this kind of scam can be sponsored by a government. They can also be hacktivists, or cybercriminals looking for sensitive information to sell to governments or competitors.
What’s the difference between phishing and spear phishing?
As its name suggests, spear phishing is a specific type of phishing. “Phishing” refers to various cyberattacks designed to steal sensitive information—such as credit card numbers, passwords, or social security numbers—through deception, identity theft, or impersonation.
What Does a Phishing Attack Look Like?
Phishing attacks are typically broad and untargeted. They aim to reach as many potential victims as possible and often involve sending a spoof email that pretends to come from a legitimate organization.
You’ve probably encountered this type of scam before. For instance, many of us have received emails from someone claiming to need help moving a large sum of money—often millions of dollars—stuck in a Nigerian bank. In exchange for our “help,” they promise a share of the fortune. However, they usually ask for personal or banking information as part of the process.
These scams are often referred to as Nigerian Letters or “419 Frauds,” named after Section 419 of the Nigerian Criminal Code, which prohibits this crime.
The perpetrators of phishing attacks typically don’t put much effort into making their messages seem credible. These emails often contain glaring spelling mistakes, language errors, or cultural inconsistencies, making the scam obvious. However, they rely on volume: even if most recipients ignore the email, they count on a few being naive enough to click the link or share their personal information.
How is a spear phishing attack different?
The main difference between phishing and spear-phishing is that the latter targets specific individuals rather than a large group. Hackers often focus on executives or employees with access to sensitive hardware, software, or organizational privileges. They may also target individuals who have shared exploitable information, such as details about a recent house purchase.
Before contacting the victim, hackers research their target thoroughly. They gather information about the organization, the person’s role, nicknames, the CEO’s name, or even the bank their organization uses. This knowledge helps them craft highly convincing messages that appear genuine.
Hackers design these messages to mimic authentic emails from the target’s organization or related entities. They use details like similar email addresses, official names, logos, and standard email formatting to enhance credibility. The goal is to build trust and make the recipient believe the email is legitimate.
The message often includes a link directing the recipient to a fake website designed to steal sensitive information, such as passwords, social security numbers, or banking details. Hackers sometimes drive traffic to these sites beforehand to make them appear legitimate and bypass antivirus software.
In other cases, they impersonate a friend in distress, asking for money or requesting access to private photos or social media posts. These personalized tactics make spear-phishing particularly deceptive and dangerous.
A third form of spear phishing uses an attachment that imitates an invoice or some other document (PDF, Word or Excel file) and secretly contains malicious software, a macro or a piece of code (e.g. a keylogger). It could also be ransomware, software that can lock the organisation’s computer system and force it to pay a ransom to unlock it.
The hackers will frequently explain that their request for sensitive information is urgent. They will tell the victims they need to change a password which is about to expire, or to take notice of changes in a delivery described in an attached document, for example.
When they succeed, the scammers use the stolen personal data to impersonate their victims and carry out specific operations (money transfer, theft of personal data, theft of intellectual property, unwanted publication of heinous messages on their behalf, etc.).
Who Can Be Targeted?
In a spear-phishing attack, any employee within an organization can be a target. However, certain scams specifically focus on high-level executives, often referred to as “whaling attacks.” These attacks typically involve impersonating the CEO or another senior leader within the organization to issue commands that appear authoritative and unquestionable.
Executives face a higher likelihood of being targeted in cyberattacks and, surprisingly, are also more prone to falling for these scams compared to other staff members.
From the hacker’s side, it is also more rewarding to pick them, because of their higher access and authority.
These cyberattacks frequently target employees or executives involved in payment-related processes, such as payroll or invoicing.
Finally, note that even individuals can fall victim to this form of scam: a hacker may pose as one of your friends and invite you to click on a link to a nice website or video that hides ransomware capable of locking your smartphone.
How to detect this kind of fraud?
Most spear phishing emails are expertly crafted, making it difficult to recognize the malicious intent. Even advanced tools designed to proactively detect these scam emails within organizations can sometimes fail to identify them.
This high level of sophistication is why spear phishing has become so widespread—now accounting for an estimated 91% of all cyberattacks—and why it causes such significant damage.
Some advice to help you spot a spear-phishing email
- Always double-check every piece of information, especially the sender’s details. You may only see the sender’s name, but pay attention to the email address as well. It is very unlikely that your banker will send you an email from a “nameofthebanker.nameofthebank@gmail.com” kind of address. Carefully check the email address provided, even if it seems to come from a trusted organisation. Look for a digit 0 typed in place of an “o”, or for a Russian “ш” spoofing a “w”.
- Does any detail seem different from usual? Watch out for differences in format. Is the signature different, even slightly? Is the email full of spelling mistakes, which is never the case with that specific person? Is the way it addresses you unfamiliar? All those details are red flags that should make you suspicious. Hackers may not know some of these specific characteristics, and that’s where you can spot spear phishing.
- Just as you double-check the email address, check any link sent to you. Is the actual URL different from the link you are asked to click on? It might be something to worry about.
- Also, pay attention to the wording and the jargon. An unusual mention or expression never heard within your organisation should make you suspicious. Check the polite phrases and greetings at the end of the message as well. Is it usually “Thanks”, or “Best regards”, or something else?
- Finally, if a click on an attached file triggers the opening of a window indicating that it contains a macro, beware!
- When in doubt, never hesitate to confirm the content of an email over the phone. A quick call might save you a lot of trouble! Better safe than sorry.
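The sender-address and link checks from the list above can be automated; the following is an added example, not code from the original article or from Mailfence. The trusted domain, the look-alike character map and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"northwindbank.example"}  # assumption: domains you really deal with
# Constructed map: digits and Cyrillic letters folded to the Latin letter they imitate
FOLD = str.maketrans({"0": "o", "1": "l", "\u0448": "w", "\u0430": "a", "\u043e": "o"})

def sender_flags(from_header):
    """Return warning flags for the address in a From: header."""
    domain = parseaddr(from_header)[1].lower().rpartition("@")[2]
    flags = []
    if not domain.isascii():
        flags.append("non-ascii-domain")
    if domain not in TRUSTED and domain.translate(FOLD) in TRUSTED:
        flags.append("lookalike-domain")
    return flags

class LinkAudit(HTMLParser):
    """Collect (shown_host, real_host) for links whose text names another host."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, "", []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown = re.search(r"(?:https?://)?(?:www\.)?([\w.-]+\.[a-z]{2,})", self.text, re.I)
            real = re.sub(r"^www\.", "", urlparse(self.href).hostname or "")
            if shown and shown.group(1).lower() != real:
                self.mismatches.append((shown.group(1).lower(), real))
            self.href = None

def audit(raw_email):
    """Run both checks on a raw single-part HTML message."""
    msg = message_from_string(raw_email)
    links = LinkAudit()
    links.feed(msg.get_payload())
    return sender_flags(msg["From"]), links.mismatches

# Constructed sample message, not a real email
SAMPLE = ("From: Jane Doe <jane.doe@n0rthwindbank.example>\nContent-Type: text/html\n\n"
          '<a href="http://northwindbank.example.verify-login.test/x">www.northwindbank.example</a>')
```

The fold map covers only a handful of substitutions, so an empty result does not prove a message is genuine; a flag is a cue to verify by phone.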
How to prevent spear phishing?
Hackers can use several tricks to obtain information about their victims. For example, they can use out-of-office messages to find out what the email addresses of an organisation’s staff members look like. Others will use social media and other publicly available sources to gather information.
Some advice to help you prevent these attacks
Besides being careful, you have other options to prevent spear phishing. Hackers can be subtle, but falling victim to a scam is not inevitable. You can protect yourself and your personal data by taking the following steps:
- Keep in mind that hackers can maliciously exploit any information you post on social media, such as your name or picture. When possible, make your accounts private and avoid publishing too much information about your responsibilities, suppliers, clients, processes or operational aspects of your business in your LinkedIn profiles.
- Avoid publishing too much information about your staff on your website as well. Don’t provide their email addresses; use a form instead for visitors requesting information.
- Pay attention to the job advertisements published by your organisation to fill positions in the IT department. Make sure they are never too specific when mentioning details about the software and cybersecurity systems used by your organisation.
- Look out for this information on the Internet too, and remove it when possible.
- Always use a hosted email security system and an antispam protection to stop any harmful email.
- In any case, never send sensitive information like credentials and passwords to anyone. Scan all attachments with your antivirus software before opening them.
- Keep all your software constantly updated to avoid any exploitation of a security flaw.
- Knowledge and awareness are keys. Keep yourself informed about the latest phishing trends.
- Organisations need to train their staff and organise spear phishing attack simulations. This way they can develop awareness of this threat and identify which employees are more vulnerable to these kinds of scams.
- Train your staff to report any suspicious email to the IT department, and to avoid clicking on any URL in emails. They should instead connect directly to the genuine website.
- Beware of unusual and unexpected emails, especially if they claim to be urgent.
- If your IT department is skilled, ask them to mark all external emails to clearly distinguish them from internal ones.
- Establish strict rules concerning the use of passwords. Forbid your staff from reusing a password or using passwords that are too easy to crack.
- Establish payment processes involving many executive approvals.
- Avoid any “BYOD” policy and the use of external software, platforms or applications not expressly allowed by your IT department.
- Prevention matters as well, especially for more vulnerable possible targets like elderly or younger users. If someone around you could be an easy target, warn them about spear phishing. If you can, try to keep an eye on their mailboxes.
- Inform your staff, your friends and family members about the risks incurred when sharing personal data on social media.
- Several tools have been specifically designed to prevent phishing. Here is a selection you can use to check any URL before clicking on it: Where Goes, Redirect Detective and Redirect Check.
- And last, but not least: use a secure email provider like Mailfence to guarantee email security and privacy.
Preventing spear phishing is key to keeping your personal data safe. Failing to take basic precautions puts your email at risk of being hacked. Read our advice to know what to do in this case, and contact us if you have any questions about security and privacy.
Check out this article on how to avoid social engineering schemes.
Mailfence is a suite of integrated collaboration tools with a lot of features to protect your personal data. If you already have an account, you know all about it. If not, what are you waiting for? Open a free account now.