What is Spear Phishing? Definition, Examples, Advice

July 22, 2019

What is Spear Phishing?

What's the difference between Spear Phishing and regular spam?

Unlike regular phishing emails, which are sent out to masses of people at the same time, Spear Phishing is targeted at particular individuals. The goal is ultimately the same, though: to lure the victim into clicking on a malicious URL or opening an attachment.

What really sets Spear Phishing attacks apart is the degree of personalisation involved: hackers will include the victim's name, job title and company, or even mention colleagues or companies they work with. It is these clever customisations that make these attacks so much more likely to fool a victim than the average spam email from a wealthy Prince.

So Spear Phishing isn't about petty crime or random theft; it's a sophisticated and persistent attack, often carried out by groups of highly skilled hackers for serious financial gain or the wholesale gathering of IP or customer data.

How does Spear Phishing work in practice?

Emails are sent from an apparently trustworthy source, often a website with a large membership, such as Amazon, PayPal or Gmail. By limiting the number of targets, it's easier for hackers to include personal information gleaned from LinkedIn, Facebook and Twitter in the email. Piecing together this personal information is how hackers make a malicious email seem more trustworthy.

Typically, the target of Spear Phishing will be an individual with high-level authority and access, such as a Sys Admin, CEO or CFO.

The message in the email may urge the victim to change their password to enhance security. However, they are actually being steered towards bogus websites that are full of malware or that capture their credentials when entered.

Either way, the initial slip-up is all cybercriminals need to gain access to the victim's networks and begin stealing the data they are after.

Real-life examples of successful Spear Phishing attacks

• In 2015, Ubiquiti Networks' finance department was targeted. Fraudsters tricked employees into believing that senior execs were instructing them to transfer $40+ million in funds from a Hong Kong subsidiary to a third party, but in reality the third-party accounts all belonged to the fraudsters.

• In 2011, Epsilon suffered a massive data breach. Employees responsible for email were targeted with messages that mentioned them by name; a link then took them to a malicious site where malware was downloaded onto their system. The breach wasn't discovered for at least four months and led to data on 5 million of their clients being breached.

How to protect yourself - Tips for individuals

How to reduce the risk - Tips for businesses

Conor O'Neill, Pentester and OnSecurity Co-Founder

About Conor O'Neill

Conor is our Co-Founder and Head of Product Strategy at OnSecurity. Conor has over a decade of IT security experience and has held a number of impressive letters after his surname, including M.Sc, CRT, GCIH and CISSP.

Feel free to connect with him on LinkedIn or get in touch with us at OnSecurity to discuss how we can protect your business from Spear Phishing.