What Is Spear Phishing and How To Avoid an Attack

Edited by Owen Dubiel


Disclosure: Our content is reader-supported, which means we earn commissions from links on Digital. Commissions do not affect our editorial evaluations or opinions.

Contrary to popular belief, most cyberattacks don't start with a distant attacker "hacking into the mainframe," or whatever caricature Hollywood would have you believe. Most start when someone inside the organization is tricked into opening the door: clicking a link, typing a password into a fake page, or approving a payment that was never legitimate.

Most cyberattacks use deception to manipulate people into giving access to systems, data, and money. This is known as social engineering. Think of it as con artistry for hacking. One of the most popular types of social engineering is phishing, including targeted attacks known as spear phishing.

Read on to learn what spear phishing is, how to avoid it, and find resources and tips for staying protected from spear phishing.

Key takeaways: 

  • While phishing involves attempting to get sensitive information from as many people as possible, spear phishing is a more targeted scam aimed at a smaller number of high-value victims.
  • Phishing attacks are widespread, impacting companies of all sizes.
  • Train your staff to spot the signs of a possible phishing attack and adopt policies that minimize its odds of success.

What is Phishing?

Phishing uses email or other online messaging (email is by far the most common channel) to fool victims into clicking a malicious link or opening a malicious attachment. The payoff for the attacker is either sensitive information, such as a password typed into a fake login page, or a foothold for planting malicious software.

To maximize the number of victims, attackers typically send phishing communications to a large target pool. These attackers use all kinds of well-known brands and common time-sensitive issues to gain trust and urge actions meant to extract information from their targets.

For example, a popular phishing scheme uses the name of a major bank, such as Chase, Wells Fargo, or Bank of America, in the attack email and claims that an issue has come up with a personal account.

The email prompts the victims to click on a link to resolve the issue, which then often leads to these tricks:

  • The link goes to a fake landing page intended to mimic an official one. It prompts the victim to enter sensitive login information or other identifying information.
  • The link will download malware, ransomware, spyware, or similar malicious programs.
[Image: screenshot of a phishing email offering a $1,000 Chase gift card]
An example of a phishing email. Note the long and irrelevant sender address, the broken image, and "Chase" spelled with a lowercase "c". Source: Personal screenshot

These types of attacks appear not only in emails but also in social media messages, forum comments, and many other online communications.

What Is Spear Phishing?

What sets spear phishing apart? The major difference is the target.

While phishing relies on sending the same message to as many recipients as possible, spear phishing is a focused attack on one person or a small group. The messages are customized with details about the target (name, role, colleagues, current projects) that the attacker gathered beforehand, often from public sources such as social media profiles and the company website, so they read like something a real colleague would send.

How to Avoid Spear Phishing

Like most cybersecurity threats, the most important thing you can do to avoid spear phishing is to teach your staff how to spot it.

Industry estimates commonly put the share of cyberattacks that involve social engineering at roughly 98%. With so many attacks relying on manipulating people inside your organization, your staff must be trained to recognize phishing and spear-phishing attempts and to know what to do when they receive one. Here are some suggestions.

  • Confirm the sender's email address: This is one of the easiest checks, but look at the actual address, not just the display name. Mail clients show the friendly name prominently ("Jane Doe, CEO") while the address behind it may belong to a free webmail account or to a look-alike domain that differs from the real one by a single character (a "1" for an "l", a missing letter, an extra word). Spear-phishing attackers typically impersonate trusted individuals, such as a company CEO or manager, to extract information or money from targets. If the address or message seems questionable, compare it against company records or earlier messages from that person, and confirm any unusual request through a channel the email did not supply, such as a phone number you already have.
  • Inspect message content: Message content is another potential red flag. Spear-phishing emails are sometimes poorly written, sprinkled with personal details the attacker found online to seem familiar, and may carry outdated company graphics to look legitimate. Be suspicious of requests that person has never made before, such as a payment status update, a change to bank details, or a list of employee contact information.
  • Check the subject line: Subject lines are a good place to look for warning signs. Some attackers use words like "urgent" to push for quick action, or prefix the subject with "Re:" so the message looks like part of an ongoing conversation. If you don't remember the original thread, treat the "Re:" as a warning sign rather than reassurance.
  • Question links and attachments: Spear-phishing emails frequently carry malware or lead to credential-harvesting pages, so they push you to click a link or open a file. Before clicking, reveal where a link really goes: hover over it in a desktop client (the destination appears in the status bar or a tooltip) or long-press it on a phone, and read the domain carefully. The part that matters is the domain just before the first single slash; "chase.com.secure-login.example/..." is not Chase, and neither is a bare IP address. Be equally wary of attachments you weren't expecting, especially ones that ask you to enable macros or content. If you still aren't sure, link-inspection services such as Scanurl.net and PhishTank check URLs against reports of known-malicious sites.
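The sender, subject and link checks above are simple to state but easy to fumble in a hurry, so here is an added example (not code from the original article) that applies them to a raw email. It parses the headers, flags a look-alike or mismatched sender domain, a "Re:" with no threading headers, urgency words, and links whose visible text, "user@host" prefix, or bare IP address hides the real destination. The sample message, the trusted-domain list, the confusable-character table and the similarity threshold are all constructed assumptions for illustration.

```python
"""Header and link triage for a suspicious email. Added example, not the article's
own code; the sample message, trusted-domain list and heuristics are constructed."""
import difflib
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this hypothetical organization treats as trusted senders.
TRUSTED_DOMAINS = ("example.com", "chase.com")

# Constructed sample with the red flags the text describes: a "CEO" on a look-alike
# domain, a Reply-To elsewhere, a fake "Re:", urgency, and links that hide their target.
SAMPLE_EML = b"""From: "Jane Doe, CEO" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.example
Subject: Re: URGENT - payment status needed today
Content-Type: text/html; charset=utf-8

<html><body><p>Please confirm the wire went out. Details here:
<a href="http://chase.com.login-verify.example/acct">https://www.chase.com/</a>
or use the <a href="http://www.chase.com@198.51.100.7/login">secure login</a>.</p>
</body></html>
"""

# Characters attackers substitute because they pass for letters at a glance.
_CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates; None if `domain` is
    itself trusted, a genuine subdomain of a trusted domain, or unrelated."""
    d = domain.lower().rstrip(".")
    if any(d == t or d.endswith("." + t) for t in trusted):
        return None
    norm = d
    for bad, good in _CONFUSABLES.items():
        norm = norm.replace(bad, good)
    for t in trusted:
        # brand buried in another domain, confusable characters, or a one-off typo
        if t in d or norm == t or difflib.SequenceMatcher(None, d, t).ratio() >= 0.9:
            return t
    return None


def check_headers(msg):
    findings = []
    sender = msg["From"].addresses[0]
    if t := lookalike_of(sender.domain):
        findings.append(f"From domain {sender.domain!r} imitates trusted {t!r}")
    if msg["Reply-To"] and msg["Reply-To"].addresses[0].domain.lower() != sender.domain.lower():
        findings.append("Reply-To points to a different domain than From")
    subject = str(msg["Subject"] or "")
    # a "Re:" on a message with no threading headers is a fabricated conversation
    if re.match(r"\s*(re|fwd?)\s*:", subject, re.I) and not (msg["In-Reply-To"] or msg["References"]):
        findings.append("subject claims an existing thread but carries no In-Reply-To/References")
    if re.search(r"\b(urgent|immediately|today)\b", subject, re.I):
        findings.append("subject uses urgency language")
    return findings


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        u = urlparse(href)
        host = u.hostname or ""
        if u.username is not None:  # http://trusted.com@real-host/ trick
            findings.append(f"{href}: 'user@host' trick, real host is {host!r}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"{href}: bare IP address instead of a domain")
        if t := lookalike_of(host):
            findings.append(f"{href}: host {host!r} imitates trusted {t!r}")
        shown = urlparse(text).hostname if "://" in text else None  # link text that looks like a URL
        if shown and shown.lower() != host.lower():
            findings.append(f"{href}: text shows {shown!r} but link goes to {host!r}")
    return findings


def triage(raw):
    """Run both checks on a raw RFC 5322 message; returns findings grouped by area."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {"headers": check_headers(msg), "links": check_links(html)}


if __name__ == "__main__":
    for area, items in triage(SAMPLE_EML).items():
        print(area, *items, sep="\n  ")
```

Run it as a script to print the findings for the embedded sample; in practice you would feed it a saved .eml file and draw TRUSTED_DOMAINS from company records. Note what it does not do: a sender on the genuine domain is not flagged, because a compromised real account or a forged From header on an unauthenticated domain looks clean to these checks. That is why the out-of-band confirmation in the first bullet still matters.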

Get Anti-phishing Software With These Features

Knowledge is your first line of defense against spear phishing. Because attackers deliberately target people rather than systems, properly training staff is essential. Make sure you include this training when putting together your digital security plan.

There’s always the possibility that an attacker slips through and gets the best of someone within your organization. That’s why it’s important to invest in anti-phishing software as a second line of defense against attackers taking advantage of your employees.

Anti-phishing software is meant to detect phishing attempts and actively prevent these processes from going through. When selecting anti-phishing programs, there are several key features you should have:

  • Spam filters: Email providers like Microsoft Outlook and Google’s Gmail have built-in spam filters, but even they can’t stop every clever attempt to land in an employee inbox. An additional spam filter provided by anti-phishing software helps to catch those sneaky emails that get through.
  • File identification systems: Your anti-phishing software must be able to scan emails for malicious files to prevent unintentional downloads.
  • Link scanning: Links are the usual route to malware downloads and credential-harvesting pages. Anti-phishing software must be able to scan link destinations and prevent users from reaching dangerous ones.
  • Integrations: Any worthwhile anti-phishing software should be able to integrate with some of the most popular office tools such as Office 365, G-Suite, and Slack.

Whichever vendor you go with, treat these features as the minimum for preventing spear-phishing attacks. Anything less leaves you and your organization potentially exposed to clever online predators. The good news is that many antivirus products include anti-phishing features.

Who Are the Most Likely Targets of Spear Phishing?

While your entire organization should be educated on the dangers of spear phishing and the methods to prevent such attacks, certain roles are more likely to be targeted, such as:

  • Executive assistants: Assistants are a prime target since they juggle many requests a day and may miss a carefully constructed one. They are high-value because they regularly handle sensitive information (payment methods, executive travel plans, employee data) and work across many departments of the organization. New assistants are especially vulnerable: they have broad access but little feel yet for what a normal request looks like, so they should be trained on spear phishing from day one.

  • Sales personnel: Working in sales is a fast-paced role with regular opportunities to speak with people outside the business. Sales personnel are given access to lots of intellectual property, making them fantastic spear-phishing targets. Attackers look to exploit their willingness to speak with outside personnel to gain access to your organization.
  • Finance personnel: Those in your organization with access to financial information are bound to become targets for spear-phishing attempts. The level of personally identifiable information and sensitive company data makes them valuable catches for any hacker.
  • Human resources: Just like finance, human resources departments contain personally identifiable information. Since employees receive communications from all over the organization, clever hackers look to them as an entry point to access valuable company data.
  • C-level executives: Reaching a C-level executive directly is harder because gatekeepers such as executive assistants screen their mail. An attacker who does get through to a CEO or chief financial officer (CFO), however, gains access to mountains of valuable information and the authority to move money.

While it isn’t inconceivable that an attacker might target a chief technology officer (CTO), chief information security officer (CISO), or other IT personnel, these attacks aren’t as common. From an attacker’s perspective, why sink effort into a tough target when an inexperienced assistant or salesperson provides an easier path?

Education and Protection Are Key

The threats mounting out there may seem insurmountable, but they’re all built on the same ideas. Hackers want the biggest payoff for the smallest amount of effort.

Stopping most attacks requires educating your workforce and providing the right computer security software tools to frustrate hackers so they turn their attention elsewhere.

Frequently Asked Questions About Phishing

What is ‘phishing’?

“Phishing” refers to sending fraudulent messages (typically emails, but also texts or voicemails) that attempt to trick recipients into revealing private information or downloading malicious software. These messages are often purportedly from well-known businesses such as banks and retailers.

How successful are phishing attacks?

According to UK service technology company AAG, in 2021, a typical phishing campaign had a click rate of 17.8%. Those that also incorporated phone calls were successful more than 50% of the time.

What’s the difference between spear phishing and phishing?

A spear-phishing attack targets a small number of high-value targets. A conventional phishing attack sends numerous messages to hit as many people as possible.

What is a ‘whaling’ phishing attack?

Whaling refers to phishing aimed at high-profile, and often wealthy, individuals, such as celebrities, sports figures, or well-known executives of major corporations.
