What is Spear Phishing?

man spear fishing

No, it's not spearfishing. That is a completely different topic. So if you're looking for different ways to fish in a lake, this article isn't for you.

If you're wondering how data breaches are actually done? How cybercriminals execute an attack and pick their methods? I'd encourage you to continue reading.

spear phishing security

Phishing vs. Spear Phishing

Spear phishing is targeted version of phishing.

Phishing

Phishing is an exploratory attack that targets a broad audience. For example, once information, such as bank credentials, is stolen, the attackers have completed their goal and got what they were looking for. 

Spear Phishing

In spear phishing, gaining access to credentials and personal information is phase one of the attack. That information is used to gain access to the target network—a move that ultimately leads to a targeted attack.

So, what is spear phishing?

In this targeted form of phishing, they use fraudulent emails to target a company to gain access to their confidential information. These attacks usually get through email filters and antivirus'. They trick you into opening an attachment or click a link that is malicious. These emails look like a legit email; that's how they are so successful. Once these links are opened, it takes you to a specific website with malware. The attackers can then establish their networks and move forward with the targeted attack.

How can you defend against spear phishing?

These attacks can result in data breaches. Some notable incidents that were attributed to spear phishing have affected companies such as JP Morgan, Home Depot, and Target. These companies lost millions of dollars and stolen customer records. Many small to mid-size businesses are also being targeted along with larger enterprises because attackers see them as an easier target. Usually, smaller companies have the mentality of "that wouldn't happen to us" and have less security infrastructure in place. Not only do they see smaller companies as an easier target but also a backdoor into larger corporations.  
  1. Have your IT department create a strong security infrastructure in place. 
  2. Employee education is critical to combat the different techniques used. By training on:
    • Misspellings
    • Odd Vocabulary
    • Suspicious Mails
  3. An expanded and layered security solution that provides network administrators the visibility, insight, and control needed to reduce the risk of targeted attacks regardless of the vector of choice.
  For Further Reading: Trend Micro