Everything You Need to Know About Spear Phishing

Everything You Need to Know About Spear Phishing

Spear phishing is a targeted type of phishing in which the scammer already knows some information about the victim.

In a phishing scheme, a victim is tricked into divulging information that can be used in a scam. Spear phishing is a targeted type of phishing in which the scammer already knows some information about the victim. 95% of enterprise network attacks involve a successful spear phishing attempt, and it’s a problem for individuals too.

So what’s the solution? Unfortunately, phishing attacks aren’t likely to go away anytime soon, and will continue to become more sophisticated. As such, the best line of defense is to know what to look out for and have your wits about you.

In this post, we’ll explain spear phishing with some examples, and show what you can do to prevent a successful attack.

What Spear Phishing Is

Spear phishing scams come in many flavors including brandjacking, in which scammers pose as businesses to dupe customers, and whaling, which targets company executives. They all have one thing in common: Unlike a run-of-the-mill phishing attempt, a spear phishing attack is targeted, and the scammer is armed with some knowledge about the victim.

This knowledge could be learned by various means such as a previous phishing attempt, a data breach, or social media. The lattermost can provide a ton of information, such as where one travels, eats, shops, banks, and more. The fraudster uses whatever information they have to earn the victim’s trust and obtain more information.

Spear phishing attempts often take place through email, but this isn’t always the case. Voice phishing (vishing) and SMS phishing (smishing) can also form part of a targeted attack.

To get a better idea of the types of spear phishing attacks making the rounds, we’ll look at a few examples:

  • Ubiquiti Networks Inc: A 2015 case saw this company swindled out of over $40 million in a case of CEO fraud. Employees thought senior executives were directing them to transfer funds from a Hong Kong subsidiary, but emails were actually fraudulent and funds were sent to the scammers.
  • Electronic Frontier Foundation (EFF): Another 2015 case involved a fake EFF website. Although it’s unclear who the targets were, the perpetrators capitalized on the trust placed in the EFF and duped victims into downloading keyloggers and other types of malware.
  • PayPal: PayPal users are popular targets of phishing attacks, with some being hit with more targeted emails that actually address them by name.

These are just a few of the large-scale scams that have been uncovered, but many smaller-scale schemes are in place at any given time, such as the impressive but fake Apple email below.

Bear in mind that messages might not always impersonate a company, and many spear phishing attempts can appear to come from individuals. For example, scam artists can easily pose as a friend or family member, or someone from the same local area or religious group.

How You Can Avoid Spear Phishing Scams

There really is no way to prevent perpetrators from attempting phishing scams, but businesses and consumers can defend against them. Here are the steps you can take:

  • Educate yourself: Alarmingly, 41% of people can’t identify a phishing email and 30 percent of all phishing emails in the US are actually opened. As an individual, you can educate yourself about what to look out for, and if you run a business, it’s a good idea to train employees in security awareness.
  • Use common sense: Look out for indicators that an email is fake, such as a misspelled company name or link text that doesn't match the link URL. Avoid clicking links and attachments in emails, and if you do land on a website, check for HTTPS in your browser’s address bar. Things like lack of an about page, outdated copyrights, or no contact information can be giveaways.
  • Don’t send personal information: This should fall under common sense, but it’s worth the extra emphasis. Businesses will rarely ask you to provide personal information over email, phone, or text message. Verify such requests using contact information from the actual company website.
  • Employ the use of tools: For businesses, tools like PhishDefender and Cofense can help prevent against successful phishing attempts. For individuals, spam filters can weed out many phishing emails. Additionally, password managers can detect phishing sites, as they’ll only autofill forms on known sites.
Spear phishing attacks are becoming more sophisticated, and it would be impossible to defend against every one. However, with a little education and a lot of common sense, you can help prevent

Featured

  • Evolving Cybersecurity Strategies: Uniting Human Risk Management and Security Awareness Training

    Organizations are increasingly turning their attention to human-focused security approaches, as two out of three (68%) cybersecurity incidents involve people. Threat actors are shifting from targeting networks and systems to hacking humans via social engineering methods, living off human errors as their most prevalent attack vector. Whether manipulated or not, human cyber behavior is leveraged to gain backdoor access into systems. This mainly results from a lack of employee training and awareness about evolving attack techniques employed by malign actors. Read Now

  • Report: 1 in 3 Easily Exploitable Vulnerabilities Found on Cloud Assets

    CyCognito recently released new research highlighting critical security vulnerabilities across cloud-hosted assets, revealing that one in three easily exploitable vulnerabilities or misconfigurations are found on cloud assets. As organizations increasingly shift to multi-cloud strategies, the findings underscore significant security gaps that could provide attackers with potential footholds into networks. Read Now

  • Built for Today, Ready for Tomorrow

    Selecting the right VMS is critical for any organization that depends on video surveillance to ensure safety, security and operational efficiency. While many organizations focus on immediate needs such as budget and deployment size, let us review some of the long-term considerations that can significantly impact a VMS's utility and flexibility. Read Now

  • Paving the Way to Smart Buildings

    In today's rapidly evolving security landscape, the convergence of on-prem, edge and cloud technologies are critical. The physical security landscape is undergoing a profound transformation, driven by the rapid digitalization of buildings and the evolving needs of modern organizations. As the buildings sector pivots towards smart, AI and data-driven operations, the integration of both edge and cloud technology has become crucial. Read Now

  • The Cybersecurity Time Bomb

    If you work in physical security, you have probably seen it: a camera, access control system, or intrusion detection device installed years ago, humming along without a single update. It is a common scenario that security professionals have come to accept as "normal." But here is the reality: this mindset is actively putting organizations at risk. Read Now

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.