Spear phishing is a phishing method that targets specific individuals or groups within an organization. It is a potent variant of phishing, a malicious tactic which uses emails, social media, instant messaging, and other platforms to get users to divulge personal information or perform actions that cause network compromise, data loss, or financial loss. While phishing tactics may rely on shotgun methods that deliver mass emails to random individuals, spear phishing focuses on specific targets and involve prior research.
A typical spear phishing attack includes an email and attachment. The email includes information specific to the target, including the target's name and rank within the company. This social engineering tactic boosts the chances that the victim will carry out all the actions necessary for infection, including opening the email and the included attachment.
Spear Phishing and Targeted Attacks
Spear phishing is typically used in targeted attack campaigns to gain access to an individual’s account or impersonate a specific individual , such as a ranking official or those involved in confidential operations within the company. Trend Micro researchers found that more than 90 percent of targeted attacks in 2012 were derived from spear phishing emails.
Spear phishing attackers perform reconnaissance methods before launching their attacks. One way to do this is to gather multiple out-of-office notifications from a company to determine how they format their email addresses and find opportunities for targeted attack campaigns. Other attackers use social media and other publicly available sources to gather information.
How to Defend Against Spear Phishing Attacks
No matter where you are in the organizational structure, attackers may choose you as their next spear phishing target to snoop inside an organization. Here are some best practices to defend against spear phishing attacks:
- Be wary of unsolicited mail and unexpected emails, especially those that call for urgency. Always verify with the person involved through a different means of communication, such as phone calls or face-to-face conversation.
- Learn to recognize the basic tactics used in spear phishing emails, such as tax-related fraud, CEO fraud, business email compromise scams, and other social engineering tactics.
- Refrain from clicking on links or downloading attachments in emails, especially from unknown sources.
- Block threats that arrive via email using hosted email security and antispam protection.
Related papers and primers :
- Guarding Against The Spear: How Securing Email Can Stop Targeted Attacks
- Covert Arrivals: Targeted Attacks via Employee Inboxes