Spear phishing is one of the biggest cybersecurity threats that organizations must be aware of. According to Symantec’s Internet Security Threat Report (ISRT), 65% of threat actors have used spear phishing emails in their attacks. Deloitte estimates that 91% of successful cyberattacks begin with a phishing email.
So, what is spear phishing, and how can you best protect yourself? This article discusses everything you need to know, including a few common examples and their types.
What Is Spear Phishing?
Spear phishing is the use of targeted emails, sent to a specific person by an attacker who impersonates a trusted third party. A spear phishing email aims to trick the recipient into taking an action that allows the sender to carry out a cyberattack.
Users may be fooled into downloading malware or revealing their credentials, such as their username and password. This tactic lets the attacker enter the user’s network undetected and steal data or bring down the environment from within. Attackers may also seek information such as credit card numbers, Social Security numbers, and bank accounts that allows them to commit financial fraud.
Because it involves a targeted attack on a single individual or business, spear phishing requires malicious actors to conduct research and reconnaissance on their would-be victims. Hackers may use knowledge such as the targets’ personal and business connections, employers, residence, and even recent online purchases.
Phishing vs. Spear Phishing: What’s the Difference?
It can be easy to get confused about phishing vs. spear phishing. Both terms refer to email attacks that attempt to extract confidential or personal information by impersonating a trusted third party. In particular, spear phishing (a targeted spoof email to a specific recipient as the prelude to a cyberattack) is a subtype of a phishing attack.
The difference between phishing and spear phishing is that phishing is not necessarily aimed at a single target (i.e., an individual or organization). Importantly, many phishing emails do not fall under spear phishing.
For example, mass phishing campaigns attempt to cast their nets to reach as wide an audience as possible. These attacks often impersonate a large, trusted business — such as Amazon or a credit card company — that thousands or millions of people patronize.
On the other hand, spear phishing always has an intended victim in mind. By customizing their attacks to use knowledge of the target, threat actors hope to make spear phishing more sophisticated and effective than a general phishing campaign.
4 Types of Spear Phishing
Spear phishing is a subclass of phishing, but you should also be aware of the varieties of spear phishing. Below are some common types:
- Whale phishing: Also called “whaling,” whale phishing aims at particularly wealthy or important individuals, such as business executives. Whaling is an effective form of spear phishing because these targets often have access to funds or IT resources that lower-level employees do not.
- Angler phishing: This type of spear phishing targets dissatisfied customers of a business on social media. The attackers pose as representatives of the company, asking customers to provide them with sensitive data to “investigate” their cases.
- Barrel phishing: Barrel phishing is a phishing attack that targets many individuals or organizations at once, using a standardized message or template. The name “barrel phishing” refers to the idea that a large number of victims are targeted at once, like fish in a barrel.
- Clone phishing: An attempt to mimic the previous messages of a legitimate sender is known as clone phishing. However, the attackers replace the attachments or links in the previous email with malware or a spoofed website that steals users’ data.
Best Practices and Tips
The good news is that there are steps you can take to prevent spear phishing attacks. Follow the security tips and best practices below to defend yourself against spear phishing:
- Educate and train employees on recognizing phishing and spear phishing campaigns.
- Conduct phishing simulations to evaluate the effectiveness of training campaigns.
- Scan external links and email attachments for suspicious behavior.
- Install antivirus and antimalware software.
- Regularly update software and hardware to patch security vulnerabilities.
In particular, spear phishing attacks can be stopped or limited by practicing good cyber hygiene, which makes it more difficult for attackers to learn about their targets. For example, businesses should avoid publishing their employees’ email addresses and phone numbers on their website; visitors can use a contact form to reach out instead. Because the addresses are not public, this makes it harder for malicious actors to impersonate employees by faking the sender address in an email header.
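As an added example that is not part of the original article, the Python below inspects a raw message’s headers for the impersonation signals this section describes: a known employee’s display name on an external address, a lookalike of the company’s own domain, a Reply-To that steers replies elsewhere, and SPF or DKIM failures recorded by the receiving server. The internal domain, the employee names and the sample message are constructed.

```python
# Added example (not the article's code): flag sender-impersonation signals in
# raw email headers. Domain, employee names and the sample message are constructed.
import email
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"        # assumed: the organisation's own domain
EMPLOYEES = {"jane doe", "sam lee"}    # assumed: known employee display names

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_sender(raw_message: str) -> list[str]:
    """Return the impersonation indicators found in the message headers."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Display-name impersonation: a known employee's name on an external address.
    if name.strip().lower() in EMPLOYEES and domain != INTERNAL_DOMAIN:
        findings.append(f"display name '{name}' used from external domain {domain}")
    # Lookalike domain: one character away from ours (e.g. examp1e.com).
    if domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 1:
        findings.append(f"lookalike domain {domain}")
    # Reply-To steering replies to a domain other than the claimed sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != domain:
        findings.append(f"reply-to domain {reply_domain} differs from {domain}")
    # SPF/DKIM verdicts recorded by the receiving mail server.
    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf", "dkim"):
        if f"{check}=fail" in auth:
            findings.append(f"{check} check failed")
    return findings

SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <payments@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none
Subject: Urgent wire transfer"""

if __name__ == "__main__":
    for finding in assess_sender(SAMPLE):
        print("FLAG:", finding)
```

Running it against the constructed sample raises all four flags; a message from a known employee at the internal domain with passing authentication produces none.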
Why Should You Pursue the C|EH?
Want to take an active role in preventing spear phishing and other cybercrimes? EC-Council’s Certified Ethical Hacker (C|EH) covers all social engineering techniques in-depth, including identifying theft attempts, assessing human-level vulnerabilities, and proposing social engineering countermeasures. Learn how to detect a phishing attack and perform security audits through hands-on lab exercises. The C|EH helps you master the foundations of ethical hacking and tackle real-world threats. Learn more!
References
Deloitte. (2020). 91% of all cyber attacks begin with a phishing email to an unexpected victim. https://www2.deloitte.com/my/en/pages/risk/articles/91-percent-of-all-cyber-attacks-begin-with-a-phishing-email-to-an-unexpected-victim.html
PhishingBox.com. (2019). Internet Security Threat Report (ISRT) – 2019. https://www.phishingbox.com/news/post/internet-security-threat-report-irst-2019
About the Author
David Tidmarsh is a programmer and writer. He has worked as a software developer at MIT, holds a BA in history from Yale, and is currently a graduate student in computer science at UT Austin.