
    What’s spear phishing?

    Spear phishing is a highly targeted type of phishing attack that focuses on a single user, or a small group such as one department, within an organization. A widely cited industry estimate is that around 91% of cyber attacks on organizations began as spear phishing. It is therefore a risk that every company needs to understand.

    A spear phishing attack aims to gain access to sensitive information or a private network within a company. It targets an individual or group with emails designed to look as though they come from within the company, for example from human resources or the technical support department. The email requests sensitive information such as login IDs and passwords. Because it appears to come from a trusted internal source, the target is more likely to provide it. Once the attackers have those credentials, they can log in to the company's secured networks as that user.

    Another variation asks the target to click on a link. The link either leads to a convincing but fake login page that captures whatever the target types, or delivers malware such as spyware that quietly collects data from the machine. Here all the attacker needs to do is wait; eventually they will get the data they need.

    How does spear phishing work?

    As a highly focused attack, successful spear phishing requires deep research and careful planning. Here is a brief overview of the stages an attacker works through and how the obstacles at each stage are handled.

    Identify email addresses

    The first step for any spear phishing attempt is to identify the target(s). This means defining exactly what the objective of the attack is (system access, private information), and who can provide access to it. This might involve research on the company website, job listings or LinkedIn to establish key stakeholders, and the relationships between them.

    From there, the attacker simply needs to locate the email addresses of the target(s). This can be done relatively easily using LinkedIn or an email harvesting tool.

    Circumvent antivirus and email filters

    The target company will almost certainly be running email filtering and anti-virus software, and possibly a dedicated email security gateway, that would catch a clumsy phishing email before it reaches the target's inbox. A well-executed spear phishing campaign therefore first establishes which security products the company uses. This can often be gleaned from job listings for the company's tech department, which tend to name the products candidates are expected to know.

    The attacker can then test the message against the same products to make sure it will get through the company's filters before sending it.

    Social engineering scenario

    With the research done, it’s time for the “story” to be set up within the email. This can take many forms, including:

    • A message from accounts, asking for payment information
    • An email from your boss, asking for login details to a company system
    • An email from your company’s tech department, asking you to click a link that leads to malicious code

    In all cases, the context and authority of the supposed sender make the scenario seem credible, so an unsuspecting employee may well be persuaded to provide the information. This is why it is imperative to train, and regularly test, all employees on cyber attack risks.

    Harvest sensitive data

    Not all spear phishing emails succeed, but the ones that do can produce very valuable results for attackers. For example, if an attacker successfully deploys spyware via a link or attachment, they simply need to wait for it to report back all sorts of highly sensitive information.

    Alternatively, if the attacker has persuaded the target to hand over company login details, they can sign in as that user. Depending on the privileges of that account, this may give them administrative control of the system in question, or at least a foothold inside the network from which to escalate, and serious damage can follow.

    How to spot a spear phishing email

    Since this type of attack normally begins with an email, it’s crucial you know what to look for.

    Here are some of the telltale signs:

    • The sender’s email address is incorrect, unfamiliar, or a lookalike of a legitimate address
    • It asks for sensitive information such as passwords or payment details
    • Its content creates a sense of urgency
    • The message contains links whose real destination doesn’t match the sender or the domain shown in the link text
    • The email carries unexpected or unexplained attachments

    Spear phishing vs phishing

    In simple terms, spear phishing is a subcategory of phishing. Phishing is a broad term for a cyber attack that aims to enter a secure network or view sensitive information, by convincing the target to provide access. This covers a broad array of possibilities. Often, phishing attacks are simply an email sent out en masse in the hope that a few will return some valuable details.

    By contrast, spear phishing is a highly targeted campaign with specific objectives. It identifies the person, or people, within a company who can provide the information or level of access required, and targets them with an email tailored to look credible. A spear phishing campaign puts far more effort into research and personalisation, while the number of emails sent out is small.

    How to protect against spear phishing

    Cyber attack specialists generally see phishing attacks as a case of “when, not if”. In other words, every company will be targeted by this type of attack at some point. This makes it essential that companies and employees both know what to look for, and how to handle a suspicious message.

    • Manage your online presence carefully. Social media, websites and LinkedIn have made a wealth of personal and professional data available online. Be aware of what information you’re making available online, or make good use of your accounts’ privacy settings to control who sees it.
    • If you’re a business, protect logins with multi-factor authentication and make sure compromised credentials can be revoked quickly. Rotating passwords on a fixed schedule gives only limited protection on its own, because a stolen password is usually used long before a scheduled change would invalidate it, so change credentials promptly whenever you suspect they have been exposed.
    • Treat links and attachments as suspicious. If you receive a link from what seems to be a trusted source, hover over it before clicking to make sure the destination is what you expect. If the URL is anything other than the official website of the sender, you should assume the link is a phishing attempt.
    • Make sure your employees are trained in how to spot a spear phishing attack, and test them regularly using simulations. Knowledge is the very best defense against cyber attacks of all kinds.
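
    The checklist under “How to spot a spear phishing email” and the hover-over-the-link advice above can both be automated for first-pass triage. The script below is an added example, not code from the original page, and uses only Python’s standard library. Everything in it is constructed for illustration: corp.example is assumed to be the organisation’s own mail domain, corp-example-login.com and mailbox-relay.example are made-up attacker domains, the keyword lists and the two sample messages are invented, and the registrable_domain helper simply takes the last two DNS labels, an approximation that breaks for suffixes such as co.uk.

```python
# Added example (not from the page): heuristic triage of a raw e-mail using only
# the standard library. Domains, keyword lists and sample messages are constructed.
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"corp.example"}  # assumed: the organisation's own mail domain
SENSITIVE_WORDS = ("password", "login details", "credentials", "bank details", "payment information")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "will be suspended")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm")

class _HtmlLinks(HTMLParser):
    # Collects (href, visible text) for every <a>, plus the message's plain text.
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def registrable_domain(s: str) -> str:
    # Accepts a URL, bare host or address. Assumption: the last two DNS labels stand
    # in for the registrable domain (a real tool would use the public suffix list).
    if "@" in s:
        s = s.rsplit("@", 1)[-1]
    host = urlparse(s if "://" in s else "http://" + s).hostname or ""
    return ".".join(host.strip(".").split(".")[-2:])

def analyse(raw: bytes, internal_domains=INTERNAL_DOMAINS) -> list[str]:
    """One tagged finding per indicator that fires; an empty list means none did."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. Sender: display name posing as another address, external From domain, diverted Reply-To.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = registrable_domain(addr)
    if "@" in name and registrable_domain(name) != from_dom:
        findings.append(f"SENDER: display name claims '{name}' but address is {addr}")
    if from_dom not in internal_domains:
        findings.append(f"SENDER: external domain {from_dom}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and registrable_domain(reply) != from_dom:
        findings.append(f"SENDER: Reply-To {reply} differs from From domain")
    # 2./3. Requests for secrets and artificial urgency, in the subject or body text.
    body = msg.get_body(preferencelist=("html", "plain"))
    links = _HtmlLinks()
    links.feed(body.get_content() if body is not None else "")
    text = (str(msg.get("Subject", "")) + " " + "".join(links.text)).lower()
    findings += [f"SENSITIVE: asks for '{w}'" for w in SENSITIVE_WORDS if w in text]
    findings += [f"URGENCY: '{w}'" for w in URGENCY_WORDS if w in text]
    # 4. Link text naming one site while the href goes elsewhere (what hovering reveals),
    #    or a link host outside the sender's domain.
    looks_like_url = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)
    for href, shown in links.links:
        real = registrable_domain(href)
        if looks_like_url.match(shown) and registrable_domain(shown) != real:
            findings.append(f"LINK: text shows {shown} but href goes to {real}")
        elif real != from_dom:
            findings.append(f"LINK: {href} is outside sender domain {from_dom}")
    # 5. Attachments, with executable or macro-enabled types called out.
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        tag = "ATTACHMENT-RISKY" if fname.lower().endswith(RISKY_EXTENSIONS) else "ATTACHMENT"
        findings.append(f"{tag}: {fname}")
    return findings

def build_message(sender, subject, html, reply_to=None, attachment=None) -> bytes:
    """Constructed sample (not a real capture), serialised to raw RFC 5322 bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "jane.doe@corp.example", subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Please view this message in an HTML-capable client.")
    m.add_alternative(html, subtype="html")
    if attachment:
        m.add_attachment(attachment[1], maintype="application", subtype="octet-stream", filename=attachment[0])
    return m.as_bytes()

PHISH = build_message(
    '"helpdesk@corp.example" <it-support@corp-example-login.com>',
    "URGENT: password reset required within 24 hours",
    '<p>Your password expires today. Confirm your login details immediately at '
    '<a href="http://corp-example-login.com/reset">https://sso.corp.example/reset</a> '
    'or your account will be suspended.</p>',
    reply_to="helpdesk-replies@mailbox-relay.example",
    attachment=("Password_Policy.docm", b"PK\x03\x04 constructed placeholder, not a real file"),
)
BENIGN = build_message("Jane Doe <jane.doe@corp.example>", "Lunch menu for Friday",
                       '<p>This week\'s <a href="https://intranet.corp.example/menu">intranet menu</a> is up.</p>')
```

    Calling analyse(PHISH) returns one finding for each of the five signs in the checklist (the display name claiming an internal address, the external and diverted sender domains, the password request, the urgency phrases, the link whose text and destination disagree, and the macro-enabled attachment), while analyse(BENIGN) returns an empty list. These are heuristics that complement, rather than replace, the mail gateway’s own checks, and the keyword lists need tuning so that legitimate password-expiry notices from the real helpdesk are not flagged every time.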

    3 famous spear phishing attacks

    Some of the biggest cyber attacks of all time began as spear phishing campaigns. Here are three of the best-known examples:

    Google and Facebook spear phishing scam

    Even tech giants are sometimes caught off guard. Between 2013 and 2015, Lithuanian attackers ran one of the most lucrative spear phishing campaigns on record. The targets were none other than Google and Facebook.

    The attackers established that Google and Facebook both regularly did business with a particular computer manufacturer, receiving goods and services under contract. They then sent invoices for those goods and services in the manufacturer’s name, but with their own bank details. Over the course of two years the attackers collected more than $100 million by persuading staff at Google and Facebook to pay these fake invoices.

    Crelan Bank

    Belgian bank Crelan fell victim to spear phishing in 2015. The attackers gained access to the email account of one of the company’s executives, then used it to instruct employees to transfer money to a bank account they controlled, siphoning off an estimated $78.5 million in the process.

    Google Drive collaboration hack

    This phishing attack involved the attacker creating a collaborative Google document and inviting the target to contribute. Inviting collaborators results in Google itself sending those individuals a standard invitation email, which lent the attack legitimacy.

    The target, flattered to have been considered important enough to contribute, opens the document and clicks one of the links inside. The link, of course, led to a page where the victim was asked for sensitive data.

    This spear phishing example is particularly clever because it leveraged the invitation notification in Google Docs. Since the email genuinely comes from Google, it passes the spam filters and sender checks that would catch a forged message, as well as adding an air of credibility to the scam.

    Also see the All About Phishing page in the “Did You Know?” section of Webopedia for more information, including examples, of phishing.