Everything You Need to Know About Spear Phishing

Spear phishing is a targeted type of phishing in which the scammer already knows some information about the victim.

• Jul 24, 2018

In a phishing scheme, a victim is tricked into divulging information that can be used in a scam. Spear phishing is a targeted type of phishing in which the scammer already knows some information about the victim. 95% of enterprise network attacks involve a successful spear phishing attempt, and it’s a problem for individuals too.

So what’s the solution? Unfortunately, phishing attacks aren’t likely to go away anytime soon, and will continue to become more sophisticated. As such, the best line of defense is to know what to look out for and have your wits about you.

In this post, we’ll explain spear phishing with some examples, and show what you can do to prevent a successful attack.

What Spear Phishing Is

Spear phishing scams come in many flavors including brandjacking, in which scammers pose as businesses to dupe customers, and whaling, which targets company executives. They all have one thing in common: Unlike a run-of-the-mill phishing attempt, a spear phishing attack is targeted, and the scammer is armed with some knowledge about the victim.

This knowledge could be learned by various means such as a previous phishing attempt, a data breach, or social media. The lattermost can provide a ton of information, such as where one travels, eats, shops, banks, and more. The fraudster uses whatever information they have to earn the victim’s trust and obtain more information.

Spear phishing attempts often take place through email, but this isn’t always the case. Voice phishing (vishing) and SMS phishing (smishing) can also form part of a targeted attack.

To get a better idea of the types of spear phishing attacks making the rounds, we’ll look at a few examples:

• Ubiquiti Networks Inc: A 2015 case saw this company swindled out of over $40 million in a case of CEO fraud. Employees thought senior executives were directing them to transfer funds from a Hong Kong subsidiary, but emails were actually fraudulent and funds were sent to the scammers.
• Electronic Frontier Foundation (EFF): Another 2015 case involved a fake EFF website. Although it’s unclear who the targets were, the perpetrators capitalized on the trust placed in the EFF and duped victims into downloading keyloggers and other types of malware.
• PayPal: PayPal users are popular targets of phishing attacks, with some being hit with more targeted emails that actually address them by name.

These are just a few of the large-scale scams that have been uncovered, but many smaller-scale schemes are in place at any given time, such as the impressive but fake Apple email below.

Bear in mind that messages might not always impersonate a company, and many spear phishing attempts can appear to come from individuals. For example, scam artists can easily pose as a friend or family member, or someone from the same local area or religious group.

How You Can Avoid Spear Phishing Scams

There really is no way to prevent perpetrators from attempting phishing scams, but businesses and consumers can defend against them. Here are the steps you can take:

• Educate yourself: Alarmingly, 41% of people can’t identify a phishing email and 30 percent of all phishing emails in the US are actually opened. As an individual, you can educate yourself about what to look out for, and if you run a business, it’s a good idea to train employees in security awareness.
• Use common sense: Look out for indicators that an email is fake, such as a misspelled company name or link text that doesn't match the link URL. Avoid clicking links and attachments in emails, and if you do land on a website, check for HTTPS in your browser’s address bar. Things like lack of an about page, outdated copyrights, or no contact information can be giveaways.
• Don’t send personal information: This should fall under common sense, but it’s worth the extra emphasis. Businesses will rarely ask you to provide personal information over email, phone, or text message. Verify such requests using contact information from the actual company website.
• Employ the use of tools: For businesses, tools like PhishDefender and Cofense can help prevent against successful phishing attempts. For individuals, spam filters can weed out many phishing emails. Additionally, password managers can detect phishing sites, as they’ll only autofill forms on known sites.