What is Spear Phishing?

Companies hacked through a single email. Incredible sums of money stolen or paid in ransom. All because an employee clicked on a malicious link. Unfortunately, phishing attacks affect numerous businesses every year. They are difficult to prevent, but getting to know each type of phishing will help you spot it before it’s too late. So, let’s take a look at spear phishing.

How does a spear phishing attack work?

When an attacker wants to steal money from a company or install malware into its systems, they are likely to target the weakest link — its employees. They select a person who has enough power and access within the company and try to find out as much as possible about them.

It might be done through their or their friends' social media. Tweets, public Instagram stories, and geotags can all be convenient when building a profile on someone. Even the company’s website can be a useful source — not to mention what an attacker could find out eavesdropping on their target’s online communication.

Once they know the person well, they can imitate them in emails to their co-workers. They can also write to the target directly, pretending to be an important client, and ask for favors or minor jobs to be done.

This selective targeting is the reason why this kind of attack is called spear phishing. Like a fisherman who uses a spear to catch a single large fish, the attacker uses tailored social engineering to trick a person into doing something.

Spear phishing vs. phishing

Phishing is the most common social engineering attack out there. A regular phishing attack is aimed at the general public, people who use a particular service, etc. Attackers send out hundreds or even thousands of emails, expecting that at least a few people will respond. Most of these emails are poorly written, with odd fonts and multiple typos.

Spear phishing involves research and lots of preparation. The attackers target a specific person, so they spend more time making their phishing email look real. These fakes are so well-crafted that they can be difficult to spot even for a professional, not to mention people who have to go through dozens of emails every day. This tactic is more difficult to carry out than regular phishing attempts. But if the hacker succeeds, they get all the information and access they need to finish their attack.

Spear phishing example

Imagine receiving a work email that says, “Hey Susie, could you take care of this invoice for me? Thanks!” If your name is Susie, you often handle invoices at the company, and your boss always ends their emails with a “Thanks!”, you download the invoice attached and transfer the money.

You might find out it was a fake email in a few hours or even the next day, but that won’t bring the company’s money back. The attacker monitored your boss’s emails, found out who is responsible for invoices, along with their name and email address, and wrote a message that perfectly copied the usual tone of voice. They even spoofed the sender’s display name and sent it out. The only thing that could’ve given it away was the actual email address. However, people don’t usually check it in every message they receive.

How to prevent spear phishing?

Companies and organizations are the most common targets of spear phishing. There are several things that any business can do to mitigate the risk of spear phishing. However, most of them focus on educating the staff.

Whether you outsource your IT operations or have an in-house IT department, talk to the people in charge of your email systems. Look into standard measures like spam filters, antivirus software, and browser filters. Advice such as “don’t click” and “don’t download” is not practical if you’re dealing with multiple invoices every day. Therefore, try changing the process instead. For example, have at least two people confirm any financial transaction before the money is sent out.

Similarly, companies should encourage their employees to use two-factor authentication wherever possible. This way, even if one password gets out, the account associated with it stays safe because the attacker won’t be able to get into it without the second factor. It might take some time to get used to, especially for less tech-savvy employees, but it’s worth it in the long run. You can rest assured that even if someone is tricked by a phishing email, the company’s accounts remain safe.

Another important thing to keep in mind is the work culture in your company. Many employees find it difficult to challenge their bosses. Therefore, if they receive a spear phishing email, they do whatever it says without questioning the motives behind it. This habit is difficult to break, as it requires changing the way people in the company communicate with each other. But if you work with sensitive information, it might be a good strategy to take.

Personal cybersecurity measures

If hackers want to attack the company you work for, they might try to reach you through your personal email address. When it comes to personal cybersecurity tips, there are a few things people can do to avoid falling victim to a spear phishing attack:

  • Be careful with emails — even if it’s from a co-worker or a friend. If they’re asking for personal information out of nowhere, make sure it’s them before sending anything. Do you use casual language in your work emails? In that case, an email from your co-worker that’s more official than usual is a red flag. Inspect it carefully before doing anything else.

  • Don’t overshare online. If you can, make your accounts private, so only the people you know can see what you post. Even then, don’t share too much personal information. Don’t use geotags, disclose vacation plans, or reveal personally identifiable information, like your phone number, credit card details, birthday, etc. It will make it more difficult for the attacker to build a profile on you.

  • Use software that’s up to date and scan your devices for malware from time to time. There are many ways it can get into your laptop or smartphone without you noticing, so make sure to scan and update your devices regularly.

  • Use a different, complex password for every account. This way, even if one of them is compromised, the rest of your accounts stay safe. Get a password manager to store all your passwords safely, so you won’t have to remember or write down any of them. Need help coming up with new passwords? Try using our password generator for the best results.
