Information Security Social Engineering

Forget mass-spam emails. A spear phishing attack is a targeted approach to compromising an individual via email. Hackers will research and find information others wouldn’t know about a high-worth individual. This data might come from social media or search engines. They’ll then use the data to create intriguing emails harbouring a disguised malware download or a fake login portal.

Hackers will use all kinds of common information to create phishing emails: everything from the target’s address and job title to their subscriptions, hobbies, and holiday plans. Using these details, they craft an email the recipient won’t think to treat as suspicious, or to validate in the way traditional phishing training taught them.

Keep reading to learn more about cyber security and how to identify spear phishing.

Human error as an unexpected weak point in cyber security

Cyber security is often considered something purely digital. The first things that come to mind are HTTPS URLs, secured portals, encrypted passwords and data storage. But human error is one of the most common lines of attack on an organisation. It’s essential to train your staff on cyber security, and to do so regularly, so that following security protocols becomes a habit.

Spear Phishing vs other phishing techniques

There is a wide range of security scams out there. Phishing is the most common. Phishing involves sending one email to a large number of email addresses, usually disguised as something relevant to most people, such as an Amazon, Google, or Apple email.

It’s the tailored email targeted to an individual that separates spear phishing from normal phishing.

Other types of phishing include whaling/CEO fraud, where the hacker poses as the individual’s boss and asks them to complete an action such as sending money or clicking on a link.

Smishing and vishing are telephone equivalents to phishing emails. And finally, angler phishing involves using social media to get past an individual’s defences and trick them into clicking on something.

Teach your team to identify a spear-phishing attack

It’s always better to prevent spear phishing attacks in the first place by securing your inbox settings. But no email system can block all attacks. Instead, use these pointers to turn the undetectable into the detectable by teaching your team to identify spear-phishing emails.

Be suspicious of strange requests or phrasing

Spear Phishing emails aren’t all princes from a land far away asking for a £10,000 deposit. Instead, they pose as a friend or a service they know the individual uses. Teach your staff to weigh up the likelihood of certain requests, such as re-validating login details or sending money to a friend’s ‘new’ bank account.

Use an encrypted password saver

Hackers often create fake login portals to capture individuals’ data and passwords. Use a password saver for all of your logins; it autocompletes only when it recognises the address it saved the credentials for. If your password saver isn’t playing ball, the address doesn’t match the real site, and you’ll know something is afoot.

Check the destination of links before clicking

Sometimes all the hacker needs is a single click. Before clicking on any link (ever, ideally), run the link through a Link Redirect Checker. These free tools follow the link safely to identify where it finally takes you and whether it triggers any hidden downloads.
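A simple first check of this kind can be done before any link is followed: compare where a link says it goes with where it actually points. The script below is an added illustration, not code from the page or from CyberCrowd; it parses a constructed HTML email modelled on the “new handbook from HR” lure and flags links whose visible text names one domain while the href leads to another, or that point outside an assumed list of the organisation’s own domains (the `TRUSTED_HOSTS` values are placeholders).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed placeholder values: the organisation's own domains (not from the page).
TRUSTED_HOSTS = {"example-corp.test", "hr.example-corp.test"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently being read, if any
        self._text = []     # visible text fragments inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased host of a URL; a bare domain (as shown in anchor text) is accepted too."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def suspicious_links(html_body):
    """Return one human-readable finding per link that a reader should treat as suspect."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = _host(href)
        # Only treat the anchor text as a claimed destination if it looks like a domain.
        shown = _host(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append(f"text shows {shown} but link goes to {target}")
        elif target not in TRUSTED_HOSTS:
            findings.append(f"link to untrusted host {target}")
    return findings


# Constructed sample email: a genuine HR link followed by a lookalike-domain login link.
SAMPLE_EMAIL = """
<p>Please <a href="http://hr.example-corp.test/handbook.pdf">click here</a>
to download the new handbook from HR, or open
<a href="http://example-c0rp.test/login">hr.example-corp.test</a> to sign in.</p>
"""
```

Running `suspicious_links(SAMPLE_EMAIL)` reports only the second link, whose text names the real HR domain while the href points at the lookalike host.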

Don’t open suspicious or non-work emails on work devices

Our work devices contain large volumes of sensitive data. Teach your staff to avoid opening unexpected or suspicious emails on work devices. Instead, they should delete the email and ask the sender to use their personal email account. Or, if the email is work-related but suspicious, open it on a second device or in some other isolated way.

Examples of spear-phishing emails

Hackers use spear-phishing emails to gather high-value information, so the hacker is likely to go to great lengths to design something unique and unsuspicious-looking. As such, something as simple as email awareness can go a long way towards protecting your business.

Here are just a few spear phishing examples for the email topics a hacker might use:

  • Please click here to download the new handbook from HR
  • I’m away on holiday now, so I’m using my personal email. Please can you send me the files from work?
  • Can you review this project I’ve been working on?
  • Here’s the latest version of our internal company software
  • I heard you’re off on holiday soon. I’ve used this site to find great places to eat while I was there.
  • Hi, I think you still owe me for the bits of the holiday I booked. Can you send it to me via my new bank details?

Interested in training and protecting your organisation from a spear-phishing attack? Speak to our cyber security team at CyberCrowd about staff training and security audits.