Spear phishing: Understanding email attacks

Phishing scams – where you receive fraudulent messages pretending to be from a trusted sender designed to trick you into revealing personal data – have unfortunately become widespread and the criminals behind them have refined their techniques.

For example, there are phishing phone calls (called “vishing” for voice-phishing) and phishing text messages (“smishing” for SMS-phishing). And then there is “spear phishing,” a specific form of email phishing that targets individual users.

[Image: several padlocks and combination locks caught on a fishing hook. Caption: Protect yourself against scammers who are phishing for your password]

What is spear phishing vs phishing?

As people become more aware of the general danger posed by phishing, cybercriminals are targeting their scams more closely to make them harder to detect. To do so, they comb social networks and other public sites to find enough information to send a convincing email to an individual that seemingly comes from a person or business they know and contains personal references. Think, for example, of the information about you that might be found through your social media profiles or posts – your email address, the names and profiles of some of your friends, relatives, and coworkers, recent purchases you have been excited about, or places you have visited.

How does spear phishing work?

Armed with the information they have found about you, an attacker can send you an email claiming to be your cousin who is currently on a trip – using their real name and location – begging you to send money because their wallet and credit cards were stolen. Or a friend asking for usernames and passwords so they can access photos you have posted. Or an online shopping site citing a problem with a gadget you recently bought and asking you to click a link for the product recall information. The scammer’s aim is to gather enough sensitive information to access sites like your online banking or even steal your identity, or to trick you into downloading malware containing computer viruses or spyware.

Types of phishing scams

Phishing scams come in all different shapes and sizes. They even have different target audiences! Here are five targeted phishing scams to look out for.
  1. Angler phishing – a phishing attack that usually occurs over social media. A cybercriminal poses as a company or brand, pretending to be its customer service. A victim may hand over sensitive information hoping to get help with an issue, and instead becomes the victim of a cybercrime.
  2. Whaling – a cybercriminal poses as a top company executive or owner in order to steal information from another top executive in the same company. They are specifically targeting the big fish in the pond. The goal is to get the other executive to divulge sensitive or confidential information that can give the cybercriminal access to various parts of the company.
  3. CEO fraud – a type of spear phishing that targets employees within a company, in which the cybercriminal impersonates the CEO. This tactic is used to intimidate or coerce the employee into giving access to secure and confidential information.
  4. Smishing – a cyberattack that occurs via text message. Cybercriminals pose as a company to get you to interact with them. The text often contains a suspicious link and a prompt such as “Check this right now!”
  5. Vishing – occurs over the phone, where a cybercriminal tries to get you to reveal sensitive information such as your date of birth, SSN, etc. Recently, cybercriminals have been able to mimic the voices of friends and family with AI technology in order to trick victims into handing over large sums of money.

How do cyberattacks happen?

According to the National Cyber Security Centre, most cyberattacks happen in four stages: survey, delivery, breach, and affect. In the survey stage, available information is analyzed to discover potential weaknesses. The attack is then tailored to the weaknesses found – and this tailored approach is what spear phishing is all about. Next is the delivery of the cyberattack, the point at which a weakness can be exploited. A breach occurs when unauthorized access to a system has been gained using the sensitive information obtained. Lastly, the affect can be understood as the lasting impact of the system breach and the cyberattack.

An example of this is a cybercriminal looking at your social media pages, especially LinkedIn, to find out where you work and who your company executives are. They would then pose as an executive from your company and urgently request confidential information. If you fall victim to this type of spear-phishing attack, a breach can happen and the affect will follow shortly after – for example, your company could suffer reputational harm and financial loss.

Protect yourself from spear-phishing scams

Probably the most important rule in avoiding any type of phishing scam is to think before you click. When you receive an email, make sure that the sender’s name is spelled correctly and that the email address actually matches the name. Mouse over links in emails to see the real URL. Make sure that nothing seems “off” about the email – for example the spelling and grammar, or an urgent tone that is trying to pressure you. Whenever there is the slightest doubt, don’t click on links or download attachments!
 
Pro tip: Not sure how to check the safety of URLs you receive in emails? Check out our explainer: Is this URL safe?

However, as we explained above, even a message that seems to pass the sniff test could be a carefully crafted spear-phishing hoax. So it pays to take the extra precautions listed below:

Five steps you can take to prevent spear-phishing attacks

  1. Be smart about your passwords. Don’t use the same password or slight variations for multiple sites. Otherwise anyone who gets their hands on your password will have access to all of your accounts. Experts recommend using long passwords with a mix of characters for maximum security. Do not save passwords on devices that others can access.
  2. Be careful about posting your personal data on the internet. Check your online profiles to see what information is available to the public eye. Don’t post anything publicly that you wouldn’t want a potential scammer to see – and make sure your privacy settings are configured accordingly.
  3. Never, ever reply to an email or click a link that requests your personal data or login information. Remember that legitimate businesses or financial institutions will not send you emails asking for your username or password. In fact, they often will only contact you using a separate inbox that you have to access by logging into your account.
  4. Activate two-factor authentication on your sensitive accounts. This adds an extra verification step to the login process, such as entering a one-time code generated by a separate application. This may seem like an unnecessary effort, but if you do accidentally give a cybercriminal your password, they still won’t be able to get into an account that has 2FA protection.
  5. When in doubt, reach for the phone! If your boss or friend is really having an emergency, they’ll be pleased if you check in. If your daughter actually needs the Netflix login, you can tell her over FaceTime or text her directly. Don’t be pressured into responding to an email when you can easily check its legitimacy with a quick call.

We hope this information will help you avoid spear-phishing scams. We look forward to your feedback below!

This article first appeared on September 30, 2021 and was updated on November 30, 2023.

Images: 1&1/Shutterstock

