What is Spear Phishing?
Spear phishing is an electronic communications attack aimed at specific individuals, groups, or businesses. Tactics used in spear phishing include, but are not limited to, phony e-mails, text messages, and phone calls. People in higher-ranking positions are often targeted, presumably because of their influence over other members of their organization and/or the potentially valuable information they have access to.
What is the difference between phishing and spear phishing?
Phishing is the general use of deceptive tactics to obtain sensitive information from a person, often the password for a particular account. Phishing is usually done at large scale, and the attackers do not have a specific target in mind. Personalized phishing attempts directed at particular companies or individuals are called spear phishing. Unlike typical phishing, spear phishing attackers increase their probability of success by collecting personal details about their target and using them against that target. The first research study on a kind of spear phishing attack that takes place on social media, called social phishing, found that it was over 70 percent successful.
Within organizations, spear phishing often targets high-level executives or employees who have access to financial data or other sensitive information. In 2016, Threat Group-4127 (Fancy Bear) hacked high-level officials in Hillary Clinton's 2016 presidential campaign, using spear phishing tactics to target the victims.
How can I protect myself against spear phishing attacks?
- Be wary of unexpected e-mails that appear to come from high-ranking (C-level) staff in your organization
- Be cautious when an e-mail asks you to provide specific personal information or to click a link
- Phony e-mails often originate from, or direct replies to, a different address than the one they appear to come from, so replying directly will likely reach the attacker. Instead, use a separate channel of communication (a phone call, a text message, or a face-to-face conversation) to check with the purported sender whether they actually sent the e-mail
Common features of a spear phishing e-mail:
- Request for personal info: Be careful who you share sensitive information with. Does the recipient really need to know what they are requesting?
- Misspellings and odd grammar: If the e-mail has a lot of spelling errors or grammar issues, be cautious.
- Deceptive links: A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed.
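Two of the checks above (a reply address that differs from the apparent sender, and link text that does not match the real URL) can be automated. The following is an added example, not code from the original page; the message it parses is constructed, with placeholder domains, and the indicator wording is my own.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail). It shows the two indicators
# discussed above: a Reply-To domain that differs from the From domain, and
# visible link text whose host differs from the host in the real href.
SAMPLE_EMAIL = """\
From: "CEO Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe@example-mail.invalid
To: staff@example.com
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please verify here: <a href="http://login.example-mail.invalid/">https://portal.example.com/login</a></p>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain(addr):
    """Return the lower-cased domain part of an e-mail address header value."""
    return parseaddr(str(addr))[1].rsplit("@", 1)[-1].lower()

def find_indicators(raw):
    """Return a list of spear-phishing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []
    sender, reply_to = domain(msg.get("From", "")), msg.get("Reply-To")
    if reply_to and domain(reply_to) != sender:
        indicators.append(f"reply-to domain {domain(reply_to)} differs from sender domain {sender}")
    html_part = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(html_part.get_content() if html_part else "")
    for href, text in parser.links:
        # Only compare when the visible text itself looks like a URL.
        if text.startswith("http") and urlparse(text).hostname != urlparse(href).hostname:
            indicators.append(f"link text shows {urlparse(text).hostname} but points to {urlparse(href).hostname}")
    return indicators
```

Running `find_indicators(SAMPLE_EMAIL)` on the constructed message reports both indicators; a message with matching domains and honest link text returns an empty list.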