Sep 16, 2021   |   Tom Barton

What is spear phishing?

You may have already heard of the term phishing and why phishing attacks happen, but this isn’t the only social engineering tool that cyber criminals use to steal sensitive and confidential information. Another commonly used method of attack in the cyber world is spear phishing. But what is spear phishing, and how can you identify a potential attack through this method? 

To answer this question, first, you need to understand what phishing is.

 

What is phishing?

Phishing is a social engineering tactic whereby cyber criminals send out malicious communication in bulk to request users to respond, download attachments, or click links. This often leads to malware being installed onto the user’s computer, giving the criminal the foothold they need to access your network and steal the data they want.

Now you know what phishing is, the definition of spear phishing will make more sense. 

 

What is spear phishing?

Unlike phishing, this social engineering tactic targets individuals to steal their confidential information such as bank details or passwords.

Whereas phishing is a generalized, generic attempt aimed at a large group of users, spear phishing will be more personalized and will often be edited with details specific to that victim. 

This social engineering scheme involves more time and effort from cyber criminals. This is because they need to collate information and facts on their victim for the communication to appear as genuine as possible. 

To help you remember the definition, think of a physical spear. Using a spear, you can’t target more than one item at a time. Spear phishing is all about the attacker spearing that one victim, that one target, for information. 

 

How do they get their information for their spear phishing attempt?

Cyber criminals will target users who have put personal information on the internet to make it easier to gather the details they need. They will often include viewing social media profiles to provide them with a lot of information such as; friends list, geographic location, email address, and any posts about recent purchases. They may also be able to see the victim’s hobbies and specific areas of interest. 

 

What happens next?

Once they have enough information, they will create a genuine-looking email that acts as a friend or someone they know to send a persuasive yet fraudulent communication. 

These may also contain a sense of urgency to help increase the chance of success alongside explaining why it is required immediately. The information requested is often similar to that of a phishing attack. There will often be a malicious attachment or a link leading to a website that asks for personal details, including passwords. Alternatively, if the attacker is pretending to be a friend, they may ask for login details directly for various websites such as social media. Once they acquire this, they will attempt to access other websites with these logins to steal confidential information, including credit card details.

Due to the personalized, individual-focused method of attack, it is often harder to identify spear phishing attempts. This means these types of social engineering schemes are becoming more prevalent in this digital age. 

See how Qush protects your employees and prevents data loss