Spear Phishing: What is it and How Can You Avoid it?

  • By Rita
  • Published: Apr 29, 2022
  • Last Updated: Nov 23, 2023

Spear phishing differs from ordinary phishing in one crucial way: the attacker first collects personal information about a specific target and uses it to build a convincing, tailored message. That preparation makes the target far more likely to fall for it. This article explains what spear phishing is and what helps protect you from it.

What Is Spear Phishing? 

Spear phishing uses electronic communications, usually email, to defraud a specific individual, business, or organization. The attacker's goal is to steal data, such as login credentials or financial details, or to install malware on the target's computer.

The attacker achieves this by assembling a seemingly authentic email and sending it to the chosen target. Before the attack, they research the victim's company and personal life, so that when the target sees a message that appears to come from someone they know, they trust its contents without question.

Attackers gather information from multiple places to create a complete profile on their target. They research social media profiles, company websites, and public databases to make their messages appear legitimate and trustworthy.

Spear phishers pose as colleagues, business partners, doctors, or government authorities to lower the recipient’s guard further.

For example, an employee may receive an email from "Kim in Human Resources" asking them to follow a link or open an attachment. The link leads to a fake login page that harvests their password, or the attachment installs malware; either way, following the instructions is what completes the attack.

Spear phishing has a higher success rate than bulk phishing because each message is tailored to its recipient and avoids the obvious red flags of a mass mailing. The time invested in researching each target pays off in a higher chance of success.

Whale Phishing

As its name implies, whale phishing (or "whaling") goes after the "big game" in an organization: executives and other senior staff. Attackers build elaborate spear phishing scams around these people because they can reveal secrets or authorize transfers of funds that lower-level employees could never reach.

Its most ambitious form, in which the attacker impersonates an executive to order payments, is known as CEO fraud and falls under Business Email Compromise (BEC). Between 2013 and 2015, businesses reported over $1 billion in losses from this kind of fraud, according to the Federal Bureau of Investigation.

How Do Criminals Research for Spear Phishing?

Criminals use a variety of methods to gather information for their attacks. The most basic spear phishing scams get by with just a few facts, while the more complicated attacks go as far as creating a fake company to fool their victim. Some of the most common research techniques include:

Analyzing Publicly Available Information

Open-Source Intelligence (OSINT) refers to any information available to the public. Sources like social media profiles, networking sites, and public databases can provide a lot of personal data and insight into a target's personality. Even things like an old high school newspaper can be valuable to a spear phisher. Criminals use OSINT to learn about an individual's responsibilities, past relationships, and other affiliations to personalize the attack.

Buying Breached Data

Data breaches expose the personal information of millions of individuals in one fell swoop. It's common to find someone's private email address and several passwords. Some companies lose data outlining customers' shopping preferences, purchase history, and other tracking metrics.

Cybercriminals purchase this leaked data to customize their emails. Additionally, if the spear phisher knows their target has been the victim of a recent breach, they may work the event into the attack by titling it something like "password reset."

Insider Information

Cybercriminals sometimes approach "insiders" within their target's social or professional circles. The attacker may bribe a coworker or trick a friend into revealing personal details. This allows the spear phisher to more accurately impersonate someone close to their target and create a more plausible pretext.

What are the Biggest Spear Phishing Attacks?

Phishing attacks are nothing new, and they're not rare. Far fewer criminals, though, take on industry giants. While it's hard to pinpoint the most damaging spear phishing attack, some of the ones that made the largest waves include the following:

Evaldas Rimasauskas

In 2019, Evaldas Rimasauskas was sentenced to five years in prison for defrauding two of the biggest household names in the world. Rimasauskas and his accomplices impersonated Quanta Computer, a Taiwanese electronics manufacturer that does business with Google and Facebook.

He registered a company in Latvia under the same name as Quanta Computer, with himself as its only board member, and used it to send forged invoices, contracts, and letters to Facebook and Google employees. He targeted only the staff who routinely handled multimillion-dollar payments to the real supplier.

Over roughly two years, the scheme tricked those employees into wiring more than $120 million to bank accounts he controlled abroad.

The RSA Data Breach

In 2011, RSA suffered a breach that cost its parent company about $66 million in remediation. The attackers were after the seed values behind SecurID, RSA's two-factor authentication tokens used by organizations around the world: with a token's seed, an attacker can generate its one-time codes and defeat the second factor for every account that relies on it. RSA ultimately offered to replace tokens for its customers.

The attack began with phishing emails sent to two small groups of employees. One recipient opened an attached spreadsheet that exploited a then-unpatched Adobe Flash flaw and installed a remote-access tool. From that foothold the attackers harvested administrator credentials, moved through the network to the servers holding SecurID data, and exfiltrated it.

Operation Aurora

Operation Aurora refers to a series of intrusions, attributed to groups operating from China, against American companies in the second half of 2009. Targets included Adobe, Symantec, Google, Morgan Stanley, and more than twenty others.

Google was the only victim to publicly attribute the attacks to China, in a January 2010 blog post. In the same post Google announced it would stop censoring results on its Chinese search engine and might close its offices in China as a result.

The Aurora intrusions began with targeted messages that lured selected employees to a web page exploiting a then-unpatched Internet Explorer flaw. The same group has also been associated with "watering hole" attacks: instead of sending a link, the attacker works out which websites the target employees visit most, compromises one of those sites, and waits for the victims to arrive on their own.

Operation Aurora was a turning point for cybersecurity: it showed that state-linked espionage, and not just financially motivated crime, would target commercial companies through their employees' inboxes.

How To Spot the Signs of an Attack?

Spear phishing can be hard to identify at first glance, so read your email carefully. Now that you know what spear phishing is, here are some useful tips to help you recognize it before you respond.

Double Check the Sender’s Email Address

In a spear-phishing attack, the sender's address usually differs from the legitimate one only slightly, so that the receiver doesn't notice. It is not a guarantee, though: if the impersonated domain does not enforce SPF, DKIM, and DMARC, the From: address can be forged outright, and an attacker using a compromised account sends from the genuine address. A matching address is therefore necessary but not sufficient.

For example, the fake address may be service@american.bank.com while the real one is service@americanbank.com. Note that american.bank.com is not a typo of americanbank.com at all: it is a subdomain of bank.com, a completely different domain that anyone could register. Compare the address against one you already have in your email history or on the company's official website rather than trusting what the message shows.
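The checks above can be automated for a mail gateway or a mailbox rule. The following is an added example, not code from the original article: it classifies a From: address against a short list of trusted domains, catching the subdomain trick (american.bank.com), the trusted name buried in a longer hostname (americanbank.com.evil.net), one-character typosquats, and homoglyph or punycode twins. TRUSTED_DOMAINS, MULTI_LABEL_SUFFIXES, HOMOGLYPHS and the sample addresses are constructed for the example; real code should use the Public Suffix List and a full Unicode confusables table.

```python
"""Classify a From: address against the domains you expect mail from.

Added illustration, not code from the original article. TRUSTED_DOMAINS,
MULTI_LABEL_SUFFIXES and HOMOGLYPHS are constructed for the example and far
from complete; real code should use the Public Suffix List and a full
confusables table.
"""
import re
import unicodedata

# Constructed: the organisations whose mail we expect to receive.
TRUSTED_DOMAINS = {"americanbank.com", "example.com"}

# Constructed, deliberately tiny: public suffixes that take two labels.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# A few Cyrillic letters that look like ASCII a, e, o, p, c, i.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
              "\u0440": "p", "\u0441": "c", "\u0456": "i"}


def registrable_domain(host: str) -> str:
    """The part of a hostname somebody actually registered.

    'mail.americanbank.com' -> 'americanbank.com'
    'american.bank.com'     -> 'bank.com'  (a subdomain of bank.com, not a typo)
    """
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def fold(host: str) -> str:
    """Undo the tricks that make two different hostnames look the same:
    decode punycode (xn--) labels, apply NFKC, map known homoglyphs to ASCII."""
    try:
        host = host.encode("ascii").decode("idna")   # no-op for plain ASCII
    except UnicodeError:
        pass                                          # already Unicode, or invalid
    host = unicodedata.normalize("NFKC", host)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in host)


def compact(host: str) -> str:
    """Drop dots and hyphens so 'american.bank.com' reads as 'americanbank.com'."""
    return host.replace(".", "").replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'malformed' for an email address."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "malformed"
    raw_host = m.group(1).lower().rstrip(".")
    # Only the exact, unfolded domain earns trust; a match after folding is suspicious.
    if registrable_domain(raw_host) in TRUSTED_DOMAINS:
        return "trusted"
    host = fold(raw_host)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:                      # homoglyph / punycode twin
        return "lookalike"
    for good in TRUSTED_DOMAINS:
        if (compact(host) == compact(good)             # american.bank.com, american-bank.com
                or f".{good}." in f".{host}."          # americanbank.com.evil.net
                or edit_distance(domain, good) <= 1):  # amercanbank.com, americanbank.co
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: addresses.
    for addr in ["kim@americanbank.com", "service@american.bank.com",
                 "it@amercanbank.com", "alerts@americ\u0430nbank.com",
                 "billing@americanbank.com.evil.net", "news@ietf.org"]:
        print(f"{classify_sender(addr):9}  {addr}")
```

The order of the checks matters: the exact registrable domain is tested before any folding, so a homoglyph twin such as americ\u0430nbank.com (Cyrillic a) can never be promoted to "trusted" just because it folds to the real name. Treat "unknown" as "verify by another channel", not as safe.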

Check the Contents of the Email

Some cybercriminals make grammar and spelling mistakes in their emails. Anyone can, of course, so what matters more is whether the message sounds like the person it claims to be from: their usual tone, structure, and signature.

Ask yourself whether the tone and grammar fit the person, organization, or company it's supposedly from. If the content seems odd, inappropriate, or unusual, double-check with related contacts, but never verify by replying to the email itself.

Is the Sender Asking You for Personal Financial Information?

Beware of emails asking for personal details. Some spear phishing attacks involve gaining access to your banking details. If the sender requests personal financial information, do not comply.

Double-check with someone else in the organization, or contact the sender through another channel, such as a phone number you already have on file. Be certain you can trust the sender before sending personal information, because that information is exactly what a scammer needs to steal your money.

Is There a Sense of Urgency in the Email?

Most scammers act as if the matter is urgent: they need help, money, financial information, or a password right now, or they insist you must follow a link within 24 hours or your account will be deactivated.

Scammers use urgency to make people too panicked to notice that something is off. Given time to think it over, most victims would figure things out. Ask yourself whether the request makes sense before taking any action, and double-check with a related contact if it doesn't.

How To Protect Yourself?

Anyone can become a victim of spear phishing. Its direct and personal approach makes it challenging to identify, so it's everyone's responsibility to learn what helps protect them from phishing attacks.

Recognizing spear phishing is already hard, and sometimes attackers do their job so well that the scam is genuinely indistinguishable from a real message. Fortunately, there are other layers of protection that don't depend on spotting the email.

Have a Response Plan Ready

Protecting yourself and preventing spear phishing attacks is vital. However, it’s equally important to be prepared for the worst.

While most large businesses have dedicated security teams, medium- and small-sized organizations often don't. When an incident happens, nobody knows what to do, and responsibility falls to general management without the knowledge to respond appropriately.

Designate a team ahead of time to act quickly, and distribute their contact information to all employees. Make it clear that reporting a click or a mistaken reply is never punished: the faster a mistake is reported, the less time criminals have to do damage.

Think Before You Act

As mentioned before, be wary of emails imploring you to act immediately, asking for personal financial information, and offering deals that are too good to be true. Double-check the email address and ensure that you trust the sender before clicking on links and attachments.

Install and Update Security Software

Equip your computer with regularly updated anti-malware software, a firewall, and email filtering. These systems warn you about known threats to your device.

Threat detection products that use machine learning can catch some phishing attempts that signature-based filters miss, scanning email and messaging apps for malicious attachments or URLs without disrupting your workflow. Treat them as one layer rather than a guarantee: a message crafted for a single recipient has no prior signature to match.

Keeping your everyday software up to date matters just as much, because updates carry the security patches that close the holes attackers exploit.

Beware of Hyperlinks

Avoid clicking hyperlinks in email unless you are sure the sender is trustworthy. Instead, type the site's address into your browser yourself. You can also hover over the linked text (or long-press it on a phone) to reveal the real destination. Read the hostname the link actually points to, not the text you see, since the two can differ, and remember that a shortened link reveals nothing about where it ends up.
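A hover check can be scripted over an HTML message body. The block below is an added example, not code from the original article: it extracts every link, then flags the tricks a hover would expose, namely visible text that names one host while the href goes to another, a "user@host" URL where the real host hides after the @, a raw IP address, a URL shortener, and non-web schemes. SAMPLE_EMAIL and the SHORTENERS set are constructed for the example.

```python
"""Audit the links in an HTML email the way 'hover and read the real address' does.

Added illustration, not code from the original article. SAMPLE_EMAIL and the
SHORTENERS set are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: services whose links reveal nothing about the final destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Constructed sample message: one honest link, one link to a subdomain of the
# host it shows, and four tricks a hover check should expose.
SAMPLE_EMAIL = """
<p>Hi Kim, please review the updated policy before Friday.</p>
<a href="https://americanbank.com/policies">https://americanbank.com/policies</a>
<a href="https://secure-login.americanbank.com/">americanbank.com</a>
<a href="https://american.bank.com/reset">https://americanbank.com/reset</a>
<a href="https://americanbank.com@evil.example/login">americanbank.com/login</a>
<a href="http://203.0.113.7/doc.exe">Download the attachment</a>
<a href="https://bit.ly/3abcDEF">Click here</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text: str) -> bool:
    """True if the visible link text itself claims a destination."""
    if re.search(r"\s", text):
        return False
    return "://" in text or re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def host_of(url: str) -> str:
    """Hostname a browser would connect to, lowercased; userinfo is ignored."""
    if "://" not in url:
        url = "http://" + url              # bare 'americanbank.com/login' in link text
    return (urlsplit(url).hostname or "").lower()


def audit_links(html: str) -> list:
    """Return [(href, reason)] for every link that deserves a second look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        real = (parts.hostname or "").lower()
        if parts.scheme == "mailto":
            continue                        # ordinary in email; not a web destination
        if parts.scheme not in ("http", "https"):
            findings.append((href, f"non-web scheme {parts.scheme!r}"))
        elif parts.username is not None:
            # Browsers treat everything before '@' as a username; the host comes after it.
            findings.append((href, f"'{parts.username}@' is userinfo, the host is {real!r}"))
        elif real.replace(".", "").isdigit():
            findings.append((href, "raw IP address instead of a hostname"))
        elif real in SHORTENERS:
            findings.append((href, "URL shortener hides the destination"))
        elif looks_like_url(text):
            shown = host_of(text)
            # A link into a subdomain of the shown host is fine; any other difference is not.
            if shown != real and not real.endswith("." + shown):
                findings.append((href, f"text shows {shown!r} but link goes to {real!r}"))
    return findings


if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL):
        print(f"{reason}\n    {href}")
```

Run against the constructed message, the first two links pass and the remaining four are each reported once. The check deliberately says nothing about links whose text is plain words like "Click here"; for those, only the destination host can be judged, which is why the shortener and IP-address rules come before the text comparison.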

Use Stronger Authentication

Set up multi-factor authentication on your accounts so that a stolen password alone is not enough to log in. A one-time code sent to your phone is the minimum. Prefer an authenticator app or, better still, a hardware security key: SMS codes can be intercepted or simply phished in real time by a fake login page that relays them to the real site, whereas a security key refuses to authenticate to a lookalike domain.

Make Your Passwords Long and Strong

Make your passwords long; length protects you more than mixing capital letters, numbers, and symbols, although a mix doesn't hurt. Never reuse a password across accounts, because a breach at one site then unlocks the others. A password manager makes long, unique passwords practical, and it will also refuse to fill your credentials into a lookalike domain.

Contact the Sender

Sometimes the scam is so elaborate that you can't tell whether the email is trustworthy. Before responding, verify through a different channel: call the supposed sender on a number you already have, check with a relevant contact in their company, or reach the company's customer service through its official website. Never use a phone number or link supplied in the suspicious email itself, since those lead straight back to the attacker.
