Phishing for Answers is a video series answering common questions about phishing, ransomware, cybersecurity, and more. These videos are great to share with your colleagues, friends, and family! Today we’re talking about spear phishing.
Although they sound similar and are equally dangerous, phishing and spear phishing are two separate types of attack. Spear phishing is a targeted form of phishing. Phishing, in turn, is a form of fraud in which a threat actor masquerades as a trusted entity with the aim of acquiring sensitive information from an unsuspecting victim. In the classic version of this attack, the target receives an email that seems to come from a reputable source, such as a major internet or technology company, and is urged to log in to the popular website of the alleged source, for which a URL is provided. Clicking on the URL directs the victim to a fake copy of the website in question. Any information the victim submits to that web page, such as login credentials or credit card information, is harvested by the attacker.
Unlike phishing, spear phishing is designed from the ground up with a specific target in mind. Normally the attacker selects a target within an organization and then sends an email crafted specifically for that person. The attacker either knows the target well, including their weak points, or is targeting someone without much IT knowledge. Once the email is sent, spear phishing works just like phishing: the person is expected to click on a link or download a malicious file. If successful, the attacker is then granted access to your company's information and data, so a single attack like this can be extremely powerful and dangerous.
Users should be trained on how to identify spear phishing emails, avoid clicking links or opening attachments in suspicious messages, and always verify with the sender if something seems off.
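The classic phishing mechanism described above (a message urging the reader to log in via a supplied URL that actually leads to a look-alike site) leaves a tell-tale sign that both people and mail filters can check: the link's visible text claims one website while its real destination is another. The following is an added example, not part of the original video or its producer's material, showing one such check in Python. The sample message body, the hostnames in it, and the helper names (`find_mismatched_links`, `registered_domain`) are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample message body (not taken from any real campaign). The first
# link's visible text claims one site while its href points at a different host;
# the second link's text makes no domain claim at all.
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Please sign in within 24 hours:</p>
<a href="http://login-verify.example.net/session">https://accounts.example.com/login</a>
<p>Or visit our <a href="https://www.example.com/help">help center</a>.</p>
"""

# Matches something that looks like a hostname inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude registered-domain reduction (last two labels).

    A production filter would consult the Public Suffix List so that
    hosts under multi-label suffixes such as co.uk are handled correctly.
    """
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the visible text names a
    domain that differs from the registered domain of the href's host.

    Links whose text carries no domain claim (e.g. "help center") are not
    flagged: there is nothing for the href to contradict.
    """
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        match = DOMAIN_IN_TEXT.search(text)
        if not match:
            continue
        shown = registered_domain(match.group(1))
        actual = registered_domain(urlparse(href).hostname or "")
        if shown != actual:
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"MISMATCH: text claims {text!r} but link goes to {href!r}")
```

Run on the sample body, the check flags only the first link. The same idea is what a user is doing when they hover over a link before clicking and compare the status-bar URL with what the message shows; automating it catches the case where the two disagree, which a hurried reader under a "24 hours" deadline may not notice.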