What Is Spear Phishing?
Spear phishing is a type of email cyberattack that uses "social engineering" techniques to deceive a specific individual into divulging sensitive information, downloading ransomware or other malware, and more. Spear phishing attacks use publicly available or stolen personal data and other information specific to their targets to make their deception more convincing than other broader phishing techniques.
Spear phishing starts as a message, such as an email, that seems to be from a trusted source. Cybercriminals use information they know about their target to make the message appear genuine, and then ask the recipient to take some action, such as opening an attached file or following a benign-looking malicious link.
For example, an email might copy visual elements from the target’s bank and ask the target to verify a transaction or check an important notification. The target follows a link in the email that takes them to a bogus website that looks and feels like the bank’s real site, where a prompt asks for login credentials, confirmation of a credit card number, or similar.
Some attacks employ impersonation, appearing as emails from someone in the target’s address book—a friend, family member, or colleague, for instance. An email from a “friend” might ask the recipient to look at a funny link or download a useful file. Because the target thinks they know the sender, they’re less likely to notice warning signs or suspect a scam.
Types of Spear Phishing
There’s a litany of different techniques and types of phishing scams out there. Let’s look at a few techniques frequently seen in spear phishing campaigns:
Angler phishing: Hackers target users who interact with companies on social media such as Twitter or LinkedIn, posing as company representatives to address complaints, offer deals, etc. If a company representative reaches out to you on one of these platforms, try to confirm their identity before you interact.
Business email compromise (BEC): Attackers gain unauthorized access to a business email account, or create a lookalike account, and impersonate its owner to send phishing messages to the owner’s colleagues or partners. These attacks are commonly paired with wire fraud.
Whaling: Attackers target members of an organization likely to have privileged access—generally senior-level executives or equivalents. These types of attacks are often the most sophisticated and well-planned, making them even more dangerous.
CEO fraud: Closely related to whaling, attackers use this form of BEC attack to impersonate an organization’s CEO or equivalent, creating a sense of urgency in scam messages to employees.
Clone phishing: Phishers send victims emails that seem to be from senders the victim trusts, such as financial institutions or business services. This type of attack often also indicates that the spear phishers have some measure of access to the victim’s email account.
To learn about other common phishing techniques, you can read our companion article, What Is Phishing?
What Are the Targets of Spear Phishing?
Anyone can become a target of spear phishing attacks. If phishers get hold of someone’s personal details, especially confidential information, they can use it to make their attack more convincing. People with important positions in their organizations are generally at greater risk, as they’re often responsible for more sensitive data.
Infiltrating a company’s system can give cybercriminals access to huge amounts of valuable sensitive information, and data breaches—especially in the financial and technology sectors—can cost companies millions in recovery costs, potential fines, and loss of customer trust. The massive shift to the cloud and remote work has made businesses even more vulnerable, as distributed IT environments introduce many more possible vectors of attack.
How to Defend Against a Spear Phishing Attack
Preventing successful spear phishing is a matter of taking the right precautions. General cyber hygiene is a start—the more secure your online data footprint, the lower your risk of becoming a target. At the organizational level, there’s a lot to consider.
Follow Spear Phishing Prevention Best Practices
Take note of these basic guidelines to reduce your overall risk:
Keep operating systems and browsers up to date. Software providers regularly patch newly discovered vulnerabilities in their products; without those updates, your systems remain exposed to known flaws.
Protect data with automatic backups. Implementing a regular process of system data backup will ensure you can more easily recover in the event of a breach.
Use multifactor authentication (MFA). Zero trust strategies such as MFA, enforced across your organization, create additional layers of defense between attackers and your internal systems.
Follow tight security protocols. Enforce a strong password policy, establish rules about organizational information employees are allowed to share on social networks, and ensure effective countermeasures are in place. Modern security software and effective spam filters will screen out many phishing attempts before they even reach your users’ inboxes.
Ensure your users are educated. Email security won’t catch everything. Your users and your organization at large will be safer if all users understand the basics of how to identify suspicious email messages, report phishing, and avoid downloading malicious attachments.
Learn How to Identify a Spear Phishing Attack
As part of general security awareness training, your organization’s users should all learn how to spot spear phishing red flags, such as:
Overlooked details: Cybercriminals can use spoofing techniques to mimic URLs, email addresses, a company’s branding, and so forth, but minor details can give them away. For example, a suspicious email may look like it’s from a trusted organization, but come from an unfamiliar, mismatched, or incorrectly formatted sender address.
Poor grammar and spelling: Most professional communications—especially business-to-customer messages, such as from a bank—are proofread prior to sending, and most email services automatically flag spelling or grammatical errors. A message that contains many such errors is therefore more likely to come from an illegitimate source.
Unusual language: Sometimes, the language in an email can be suspicious, even if it doesn’t contain errors. It may seem disjointed or otherwise strange in some way. If a message seems to be from someone you know, but the writing style doesn’t seem like theirs, you may have good reason to suspect phishing.
Unusual requests: It can be cause for concern if a message makes an odd request, particularly with little or no explanation. For example, a spoofed email from “your bank” might ask you to confirm your identity by performing a wire transfer to yourself. If a request seems suspect, consider whether a legitimate sender would make such a request. If not, it may be phishing.
An example of a spear phishing email. Pay attention to the unusual phrasing and the framing of specific details.
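As an added example that is not part of the original article, the following Python check flags the "overlooked details" listed above in a message's sender headers: a display name that claims a trusted brand but comes from another domain, a domain a character or two away from a trusted one, and a Reply-To routed elsewhere. The trusted domains and the sample message are assumed and constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains this organization actually trusts (assumed values for the example).
TRUSTED_DOMAINS = ("examplebank.com", "contoso.com")

def edit_distance(a, b):
    """Levenshtein distance; a small distance means a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_red_flags(raw_message):
    """Return the sender-address red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" not in from_addr:
        return ["malformed or missing From address"]
    from_domain = from_addr.rsplit("@", 1)[1].lower()
    name = display.lower().replace(" ", "")
    flags = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Display name drops a trusted brand, but the address is not that brand's domain.
        if brand in name and from_domain != trusted:
            flags.append(f"display name claims {brand} but address domain is {from_domain}")
        # Domain is a character or two away from a trusted one (e.g. digit 1 for letter l).
        if from_domain != trusted and edit_distance(from_domain, trusted) <= 2:
            flags.append(f"lookalike domain {from_domain} resembles {trusted}")
    # A Reply-To on a different domain diverts replies away from the apparent sender.
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        flags.append("Reply-To domain differs from From domain")
    return flags

# Constructed sample message for the example (not a real phishing email).
SAMPLE_SUSPICIOUS = """From: Example Bank Security <alerts@examp1ebank.com>
Reply-To: verify@mail-secure-login.net
Subject: Verify your transaction

Please confirm the transaction using the link below.
"""

if __name__ == "__main__":
    for flag in sender_red_flags(SAMPLE_SUSPICIOUS):
        print("RED FLAG:", flag)
```

A check like this complements, rather than replaces, the spam filtering and user training the article recommends, since a sender that passes all three tests can still be malicious.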
How Do Businesses Increase Their Phishing Awareness?
It pays dividends to keep everyone in your organization up to date on current security threats and policies. All phishing relies on hijacking human trust, and all it takes is one person innocently following a malicious link for your environment to be compromised.
To prepare your organization, your security awareness training program should educate people about cyberthreats they might face in their role, how to identify spear phishing emails and other targeted attacks, how and where to report phishing attempts, and more.
You may also need to engage the services of cybersecurity specialists. Social engineering techniques are driving the world of cybercrime forward at a frightening speed, and it can be daunting to keep up with the latest developments. Working with experts who know the business inside out, you’ll have all the guidance and support you and your team need.
How Can Zscaler Help?
User compromise is one of the most difficult security challenges to overcome because it relies on exploiting human nature to succeed. Because spear phishing approaches its victims from such close range, it can be all the more dangerous, quickly leading to breaches. To minimize the damage, you need to implement effective phishing prevention controls as part of a broader zero trust strategy.
The Zscaler Zero Trust Exchange™ platform, built on a holistic zero trust architecture to minimize the attack surface and prevent compromise, helps stop phishing by:
Preventing attacks: Features like full TLS/SSL inspection, browser isolation, and policy-driven access control prevent access from malicious websites.
Preventing lateral movement: Once in your system, malware can spread, causing even more damage. With the Zero Trust Exchange, users connect directly to apps, not your network, so malware can’t spread from them.
Stopping insider threats: Our cloud proxy architecture stops private app exploit attempts and detects even the most sophisticated attack techniques with full inline inspection.
Stopping data loss: The Zero Trust Exchange inspects data in motion and at rest to prevent potential data theft from an active attacker.
While most phishing targets victims at random, spear phishing targets specific individuals. Attackers generally already have some information about their targets before they carry out the attack, which they can use to make their phishing messages much more convincing.
What Are Some Examples of Spear Phishing Attacks?
Between 2013 and 2015, an attacker invoiced Facebook and Google for roughly US$100 million while posing as Quanta, a real technology firm that worked with them. The companies only recovered about half after the attacker was charged.
In 2016, a BEC scammer defrauded the Belgium-based Crelan Bank of more than 70 million euros by posing as an executive and requesting transfers of funds.
How Does Spear Phishing Happen?
Cybercriminals generally craft a spear phishing attack after obtaining information about their target, either stolen or from publicly available sources, such as social media.
What Should You Do If You Receive a Phishing Email?
If you receive a phishing email, you should report it. Don’t respond to it or otherwise interact with it. Your security team, incident response, or IT personnel will notify relevant parties such as software vendors to reduce the likelihood of a repeat attack.
What Are the Two Most Common Types of Phishing Attacks?
The most common types of phishing attacks come through emails with messages designed to trick you into giving up your data or downloading malware. Voice phishing attacks and SMS phishing, in which criminals attempt the same kind of attack over the phone, are also becoming more common.