
Spear Phishing

Spear phishing is the targeting of specific organizations or individuals in an effort to steal sensitive information such as account credentials or financial information, or to trick the target into taking an action such as approving a payment. By acquiring personal details on the victim in advance, such as their hometown, job title, interests or favorite websites, the attacker poses as a trusted identity and typically reaches the target through a spoofed or lookalike email address, or through other messaging channels such as SMS, chat or social media.

Spear Phishing vs. Phishing

Spear phishing is often confused with phishing, as they both generally refer to online attacks that seek to acquire confidential information. However, it’s important to note that unlike spear phishing, phishing attacks aren’t personalized. Usually sent to large quantities of users at the same time, phishing attacks take a high-volume approach that strives to get at least one person to click on a spoofed email link and provide their personal information or download malware.

Spear phishing requires more thought and time than phishing because it targets a specific victim. The attacker works to obtain as much personal information about the target as possible in order to impersonate a trusted contact convincingly, so the spoofed message appears legitimate and relevant. Spear phishing also often does not rely on malware at all, opting instead for credential theft, fraudulent payment requests and other malware-free approaches, which means controls tuned to detect malicious attachments may never fire. Given this and the level of customization involved, spear phishing is harder to identify than large-scale phishing campaigns.

Three Common Spear Phishing Techniques

Since spear phishing can be so difficult to spot, it’s important to be well-versed in the various types of this attack method and continuously be on the lookout for any suspicious forms of communication. Below are three common spear phishing techniques frequently employed by hackers:

  1. Business Email Compromise: In a Business Email Compromise (BEC) attack, the attacker gains control of, or spoofs, the mailbox of a senior executive such as the CEO or CFO and uses that authority to request money, documents or login information from another employee; the best-known variant is often called “CEO fraud.” Those targeted can include other executives, senior staff members, company attorneys, or trusted vendors and partners. A successful BEC attack typically ends in a fraudulent wire transfer, leaked documents or stolen credentials that give the attacker a foothold in the company’s systems, and the financial losses can be massive. Because the lure is often a plain text request with no link or attachment, it frequently passes filters that look only for malicious URLs or files.
  2. Whaling: Whaling attacks are another form of spear phishing attack that aims for high-profile targets specifically, such as C-level executives, politicians, or celebrities. Like spear phishing, whaling attacks are customized for their intended target and use the same social engineering, email-spoofing, and content-spoofing methods to access and steal sensitive information.
  3. Clone Phishing: In clone phishing, the attacker creates a nearly identical replica of a legitimate message the victim has received or expects to receive, for example a recurring invoice or a shared-document notification, so that it reads as routine. It is sent from a seemingly trusted address, often on a typosquatted domain (one that differs from the real domain by a swapped, added or lookalike character), and contains the content the victim expects, except that the attachment or link has been swapped for a malicious one. These attacks often pair the message with a cloned website on the spoofed domain that mimics the legitimate login page in order to harvest credentials.

Across all of these techniques, personal email addresses are increasingly being targeted. They are rarely protected by enterprise-grade email security, yet they are still read from corporate networks and devices, so a lure that lands in a personal inbox can still compromise a corporate endpoint.

Spear Phishing Prevention Best Practices

Spear phishing attacks can lead to dire consequences. Ubiquiti Networks disclosed a $46.7 million loss in 2015 after attackers impersonating executives tricked its finance department into sending wire transfers, and even giants like Facebook and Google were not immune: between 2013 and 2015 a Lithuanian attacker posing as a legitimate hardware supplier billed them for roughly $100 million with forged invoices. To keep spear phishing from devastating your organization, consider adhering to the best practices below:

  • Keep your software up to date. Where possible, enable automatic updates for the operating system, browser, email client and security tools. Updates close the vulnerabilities that malicious attachments and links exploit and deliver the latest phishing and malicious-site protections built into browsers and mail clients, limiting the damage when someone does click. Review installed browser extensions as part of the same routine, since extensions have been used as a persistence mechanism after a successful lure.
  • Practice good password hygiene. Never reuse passwords across accounts: a password phished from one site gives the attacker every other account that shares it. Password managers help both in keeping track of distinct credentials and in generating passwords that are long and random, and they have a useful side effect against lookalike sites, since a manager will not offer to fill credentials on a domain it has never seen.
  • Enable two-factor authentication. Equally important to using unique, strong passwords is enabling two-factor authentication; almost every application now offers it and it is easy to set up. It is no magic bullet: a phishing page that relays the victim’s SMS or one-time code to the real site in real time defeats code-based second factors. Phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys bind the credential to the legitimate site’s origin, so a lookalike domain cannot replay it. Prefer those for administrators, finance staff and executives.
  • Train all employees. One of the best lines of defense against spear phishing is an educated workforce. Make sure everyone in your organization knows how to spot sophisticated phishing emails by their suspicious sender domains, strange links, odd wording or unusual requests for information or payment. When a trusted message includes a link, have employees get into the habit of going directly to the site in their browser rather than following the link from the email. Employees should also be trained to maintain the same level of diligence with their personal email addresses and social media accounts.
  • Use common sense. If you receive an email from a “friend” asking for personal information or a “colleague” requesting a company wire transfer to a new “vendor,” stop and think. Is the sender’s address one you have seen them use before, or a near-match? Does the Reply-To point somewhere else? Is it normal for this person to ask you for this? When in doubt, confirm directly with the source out of band, using contact details you already had on file (never a phone number or address taken from the suspicious message itself), before taking any other action.
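The sender checks in the list above, and the typosquatted domains described under clone phishing, can be scripted rather than left to each recipient's judgement. The following is an added example written for this page, not code from the original; it assumes a defender-maintained list of trusted contacts and trusted domains, and the names, domains, homoglyph table and sample message are all constructed for illustration. It flags display-name impersonation, lookalike sender domains, a Reply-To that diverges from From, and payment or urgency language in the body.

```python
"""Triage an inbound message for spear-phishing indicators.

Added example, not code from the original page. Assumes the defender keeps
a small directory of trusted contacts and trusted domains; the directory,
the homoglyph table and the sample message below are constructed.
"""
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

# Constructed directory: trusted display names and the addresses each has been
# seen using before (the "have you seen this address" check from the text).
KNOWN_CONTACTS = {"Jane Doe": {"jane.doe@example.com"}}
TRUSTED_DOMAINS = {"example.com", "partner-vendor.com"}

# Character substitutions commonly used in typosquatted domains (not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m"}

# Payment and urgency language typical of BEC lures.
LURE_WORDS = re.compile(r"\b(wire transfer|urgent|invoice|payment|gift cards?|confidential)\b", re.I)


def normalize_domain(domain: str) -> str:
    """Lower-case, strip diacritics and undo digit/letter lookalikes."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for bad, good in HOMOGLYPHS.items():
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so the quadratic cost is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    raw = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if raw == trusted or raw.endswith("." + trusted):
            return None  # the real domain or a genuine subdomain of it
    norm = normalize_domain(raw)
    for trusted in sorted(TRUSTED_DOMAINS):
        base = trusted.split(".")[0]
        # examp1e.com / exarnple.com (homoglyphs), example.co (typo),
        # example.com.evil.net or secure-example.org (trusted name embedded elsewhere)
        if levenshtein(norm, trusted) <= 2 or base in norm:
            return trusted
    return None


def triage_message(raw_message: str) -> list:
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    # 1. Display-name impersonation: a known name on an address it has never used.
    known = KNOWN_CONTACTS.get(from_name)
    if known is not None and from_addr.lower() not in known:
        indicators.append(f"display name '{from_name}' used with unseen address {from_addr}")

    # 2. Typosquatted or lookalike sender domain (clone phishing).
    impersonated = lookalike_of(from_domain)
    if impersonated:
        indicators.append(f"sender domain {from_domain} imitates trusted domain {impersonated}")

    # 3. Reply-To steering the conversation to a different mailbox (common in BEC).
    if reply_to and reply_to.lower() != from_addr.lower():
        indicators.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # 4. Payment or urgency language in the body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    hits = sorted({h.lower() for h in LURE_WORDS.findall(text)})
    if hits:
        indicators.append("payment/urgency language: " + ", ".join(hits))
    return indicators


# Constructed sample lure: trusted name, homoglyph domain, divergent Reply-To.
LURE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.net
To: accounts@example.com
Subject: Urgent wire transfer

Please process the attached invoice today by wire transfer. Keep this confidential.
"""

if __name__ == "__main__":
    for indicator in triage_message(LURE):
        print(" -", indicator)
```

This is a triage aid, not a verdict. A Reply-To mismatch or an urgency phrase on its own is common in legitimate mail, and a lure sent from a genuinely compromised mailbox passes every check here, which is why the out-of-band confirmation in the last bullet still matters.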

Overcoming Spear Phishing Remediation Obstacles

Remediating a spear phishing attack can be a monumental task. Beyond confirming that a reported email is malicious, the security team has to answer several questions: who was targeted, how many of those users clicked the link, whether any of them entered credentials, and what those users have in common. Answering them can take days if not weeks when done by hand, because it means combing through proxy logs for requests to the phishing URL and the rest of the attacker’s infrastructure, turning the client IP addresses found there into user identities via DHCP, VPN or authentication logs, and cross-referencing against the mail gateway and the directory to pinpoint who was affected.

Spear phishing remediation has been made even more difficult thanks to the ongoing cybersecurity skills gap. Most companies are woefully underprepared to defend their assets against spear phishing – particularly when the victims themselves may not realize they’ve done anything out of the ordinary. As such, businesses are forced to rely on a limited pool of security analysts – many of whom aren’t qualified for threat hunting and can only manage traditional alert-response systems. As a result, follow-on attacker activity and network intrusions such as lateral movement or data exfiltration can go unnoticed until it is too late.

To successfully combat spear phishing, resource-strapped security teams should automate this correlation work with a context-aware security platform that applies AI and analytics to the data already being collected. Automation reduces complexity, processes large volumes of data and augments analysts by surfacing the information they need in seconds rather than days or weeks. For instance, by automating network traffic analysis, a security team can immediately list every user and device that has communicated over any protocol with servers linked to the attacker’s domains and infrastructure, not just the ones that fetched the link over HTTP.

Automation also makes the targeting assessment faster. Determining whether the attacker hit a random set of addresses or a specific set of users, and whether those users share an access level, a department or a project, tells the team how deliberate the campaign was and what the attacker is likely after. That lets it update the threat assessment immediately, better judge the attacker’s larger motive, and focus response and remediation on the systems and people at risk.
