What is Spear Phishing?
Phishing and spear phishing cyberattacks are quite common. Phishing cyberattacks are undertaken by emailing very large numbers of recipients, often randomly, with the expectation that a small percentage of them will respond, enabling the cyberattacker to carry out their agenda which may be to install malware or to redirect the users to a counterfeit website where they will disclose their personal information such as name, address, phone number, social security number, and/or credit card information. Spear phishing cyberattacks are different because these emails are carefully designed to illicit a response from a single recipient. In a spear phishing cyberattack, a cyberattacker selects one individual target within an organization, often using public information and/or social media, and then they craft an email to that individual that is informed by what they have learned about the individual online or elsewhere. The goal of a spear phishing cyberattack is to obtain confidential information or fraudulent purpose. A spear phishing attack is often conducted through the following steps1:
- The cyberattacker identifies a piece of data that they want. This could be personal identifiable information such as social security numbers, credit card numbers, bank account numbers, or usernames/passwords.
- The cyberattacker identifies who has this piece of data by conducting online reconnaissance on an individual or organization by looking at company websites, profiles, and social media accounts.
- The cyberattacker then researches the cybersecurity protections that the target has in place, such as antivirus software, and looks for exploitable vulnerabilities.
- The cyberattacker crafts an email, and possibly a domain name resembling the entity that they are posing as, and through this message they make an urgent request to take an action.
- The cyberattacker persuades the target to divulge the piece of data that they are asking for, and then use it to commit a fraudulent act.
The following tips will help you to avoid becoming a victim of a spear phishing cyberattack:
Verify links. To quickly check the authenticity of a hyperlink is to hover over the link with your mouse so that the full URL is revealed. Do not click on it if it looks suspicious, or don’t click on it at all and, instead, type the web address in directly.
Check sender address. Spear phishing emails generally look similar to regular email, but there may be subtle differences, such as “O” being replaced by a “0”, or words may be misspelled, or symbols may be added.
Don’t share personal details. Avoid oversharing online via social media accounts or on business profiles. Check on your publicly available information regularly to be aware of how your information appears online.
Alternative communication channels. If you receive an email from someone who does not routinely email you, reach out to them via SMS or phone to verify if their request for information from you is legitimate.
Limit accounts. Each time that you create an account or fills out an online form, personal information about you leaves you and is uploaded to the web. A single data breach of an organization that has your personal information can compromise your personal data, so the less of those that exist, the better.
Keep your software up to date. Updated antivirus software helps to keep your device secure by adding patches for the latest security threats.
Spear phishing clues. Be aware of urgent calls to action, strangely worded messages, attachments, and requests for personal information.
1 Pilette, 2021, “Spear phishing: A definition plus differences between phishing and spear phishing”