What Is Spear Phishing?

What is spear fishing in cyber security? In this context, spear phishing is a cyberattack that uses malicious emails to target computer and network users at home or in the workplace. What’s the point? The cybercriminals’ objective in these attacks is to steal sensitive information like passwords and other login credentials or to infect the target’s device with malicious software, also known as malware. 

Spear phishing is so named because of the attack’s targeted nature. Rather than casting a wide net to scoop up whole groups of computer or network users, it targets specific individuals. The hackers research their targets so they can write email messages that look like they are coming from trusted senders. Using social engineering tactics, they urge the victim to take immediate action or to verify important information. When the scam works and the victim clicks on the link in the spear phishing email, the attacker is able to steal that legitimate network user’s login credentials and gain access to the network and its sensitive data.

2023 cyber security statistics reveal the scale of spear phishing and social engineering attacks:

• In 2019, 88% of organizations around the world experience spear phishing attacks 

• 90% of social engineering attacks target employees vs. technology

• Social engineering attacks take, on average, 270 days to identify and contain

• CEOs are targeted 57 times per year, on average, by social engineering threats

Spear phishing is 1 of 3 commonly used phishing attacks. The others are phishing and whaling. The distinction between the 3 types of attacks generally lies in the type of victim the cybercriminals are looking for.

In the standard version of phishing, attackers have no specific target. Their phishing email campaigns are sent to whole email contact lists that could number in the thousands. They sometimes manipulate the domain name from which the messages are sent so that it mimics the domain of a trusted or familiar source, like a bank or a payment service like PayPal. Another strategy, called email spoofing, uses open email servers to manipulate the domain name so that it appears to be correct, as in paypal.com, (versus payypal.com or some other variant) even though the message isn’t actually from anyone in that organization. 

Spear phishing is a much more targeted attack using more compelling messages. In these attacks, the cybercriminals have done some research to uncover basic information that will enable them to send messages to a much smaller number of users with high-level privileges and make their messages seem legitimate. 

Some popular spear phishing strategies involve customer complaints in which a hacker may pose as a customer service representative, security alerts where a fake text or email message notifies the user of a compromised account and asks the user for authentication, or vendor impersonation where the attacker impersonates a legitimate vendor and asks the user to click a link to authenticate their account before it expires. 

Spear phishing attacks aren’t limited to large corporations exclusively. Smaller companies can also be targets because cybercriminals know that they may have fewer resources to protect their networks from hackers.

The third type of phishing attack is called whaling. Also known as CEO fraud, whaling refers to an attack on upper-level, C-suite executives with high-level account permissions. As in spear phishing, the attacks of these high-profile individuals are more researched than in standard phishing and involve social engineering tactics, but they are likely to be more elaborate.

The personalization of spear phishing attacks is exactly what makes them so effective. Here’s how they work:

1. The attackers begin by conducting thorough research of their targets. This will help them craft messages that appear to be legitimate and increase the likelihood of successful attacks. Attackers visit social media sites like Facebook and LinkedIn to gather personal and professional information about their targets. The more sophisticated cybercriminals might use machine learning algorithms to scan massive amounts of data and identify high-level targets.

2. Equipped with the acquired personal information, the cybercriminals craft a seemingly legitimate email message that gains the target’s attention and creates pressure for the target to take some action. 

3. If the attackers have done their job well, the distracted victim lowers their guard, takes the bait and clicks through to the link or downloads the attached file.

4. Before the victim realizes they’ve been hacked, their computer is infected with malware or they’ve given away login credentials that enable the hackers to unlock access to the company’s network and sensitive data. 

Organizations can establish a robust line of defense against spear phishing and other cyberattacks by following some basic protocols.

• Security awareness training: Advocated by most cyber security decision makers, a combination of periodic security training and technology solutions is effective. This methodology should involve simulations of real-world attacks.

• A people-centered security posture: Organizations should adopt solutions that enable them to see who’s being attacked and how, and whether the individual fell prey to the attack. 

• User training and reporting: Train network users to spot and report malicious emails, and use simulated phishing email messages to stop attacks and identify the individuals who are particularly vulnerable. 

• Avoid sharing credentials: Users should be instructed to never share credentials during phone calls.

• Establish verification procedures: Even if the sender appears to be a legitimate employee or vendor, any message asking for a financial transaction needs to be verified. Encourage employees to type the domain the message was sent from into a web browser and authenticate from the official website instead of clicking any links contained in the email message.

If you’d like to prepare to pursue a career as a cyber defender, DeVry can help. Our online Bachelor’s Degree Specialization in Cyber Security will help you explore how to defend networks, systems and applications against online attacks with hands-on learning opportunities and help you prepare to pursue industry-recognized certifications. Earned as part of our Bachelor’s Degree in Information Technology and Networking, this hands-on program can help prepare you to pursue careers like computer systems analyst, security analyst, penetration tester and other important cyber security-related roles. 

At DeVry, our 6 academic sessions per year allow you to start when you’re ready and learn at your own pace, finishing on a regular or accelerated schedule that meets your personal and professional goals.