A spear can cut and slice with extreme precision. When placed in the right hands, it can beat swords and soldiers to the ground in a heartbeat. While regular phishing attacks are usually sent to any random Joe or Jane, spear phishing is customized to attack specific individuals, selected groups, or organizations. The aim is for the attack to cause harm to businesses big and small… and to you, the individual.
Aiming your spear
Spear phishing is ultimately a more advanced form of phishing, wherein attackers use social engineering skills and often spoofed emails to target their chosen victims. Email spoofing is a clever (if very malicious) technique used in phishing attacks to fool people into believing that an email originates from a person or entity they trust or personally know. This could be your friend, colleague, HR team or even the police. Basically, anyone relevant to you.
Stick 'em with the pointy end!
When attackers run regular phishing attacks, they can use a ready-made template, add a link to it with a generic name, and send it to a mass of recipients. It's so easy that it's almost like robots working on an assembly line. Luckily, bulk phishing emails are quickly detected, and phishing sites are amongst the most frequently blocked. Much more effort is required to make a good spear attack. Attackers need to prepare their attack by gathering sensitive data about you or your company. They will ruthlessly go through your social media accounts, your company's website, and your company's latest news to gain any special information to exploit in the attack. Has your company taken on a new project lately? Timely subjects are great intel for an attacker to tailor attacks relevant to your business. When they do their investigation properly, the spear hits the target.
Spot the approaching spear
There are some characteristics of spear phishing attacks you can look for to distinguish them from traditional phishing attacks.
Spear attacks usually are spoofed emails
The email's content is written as if it comes from someone the recipient knows. This motivates the recipient to react to the email rather than leaving it unread, and a sense of urgency becomes harder to resist, leading to rash decisions. It's tempting to open an attachment to prevent something bad like an account shutdown if it comes from your IT department rather than some random guy from (off the top of my head, let's say) Indonesia. Or think of a situation where your friend sends you a funny picture from years back. It's really tempting to open these things right away, isn't it?
How are they referring to you?
The way you are greeted at the beginning of an email says a lot about the rest of the message. If the greeting uses your full name and the message mentions your position in your company, you are more likely to give it your time. In spear attacks, attackers usually also add a company signature at the end of the message to make it look more credible. It can be your company's signature if the attacker is impersonating someone inside your company, or a completely fake one. Regular phishing attacks often lack these types of details, or they are poorly made. The greeting "Hello john.doe" is auto-generated and a suspicious way of greeting someone, but it is still widely used.
What kind of language are they using?
If the contacting person is known to you, the language tends to be a bit laid back. On the other hand, if it is an internal message from someone at your company, the language is usually informative and well written. It is safe to say that, linguistically, regular phishing attacks are worse than the usually polished-looking spear attacks.
Are they using sensitive information and facts you may have posted elsewhere?
The most noticeable difference between spear phishing and phishing is how spear attacks contain information and special facts about you. When you receive an email about your missing dog and it names your dog, I guess you wouldn't think twice before replying to the message. Unless your dog happens to be cuddled up next to you. The piece of information can be anything from your company's policies to your mother's maiden name. The point is that it elevates the message by adding a personal touch.
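The characteristics above (a spoofed or look-alike sender, the auto-generated "Hello john.doe" greeting, pressure to act immediately) can be turned into simple mail-gateway checks. The script below is an added example, not part of the original post: it parses two constructed sample messages (neither is a real capture) with Python's standard email library and reports which indicators each one trips. The sender domain, the Authentication-Results values and the indicator threshold are assumptions chosen for the demonstration.

```python
import re
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample (not a real capture): a spoofed "internal IT" notice.
# The display name carries a trusted-looking address, but the real sender
# and the Reply-To live on other domains, and the gateway stamped auth failures.
SPOOFED_IT_NOTICE = b"""\
From: "IT Helpdesk <helpdesk@example-corp.com>" <alerts@mail-example-corp.co>
Reply-To: helpdesk-reset@verify-account.example
To: john.doe@example-corp.com
Subject: Action required: your account will be shut down today
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mail-example-corp.co; dkim=none; dmarc=fail header.from=mail-example-corp.co

Hello john.doe,

Your mailbox will be disabled within 2 hours unless you verify it immediately.
"""

# Constructed sample (not a real capture): an ordinary internal message.
LEGIT_INTERNAL = b"""\
From: Jane Smith <jane.smith@example-corp.com>
To: john.doe@example-corp.com
Subject: Notes from the project kickoff
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com

Hi John,

Attached are the notes from this morning's kickoff, no action needed.
"""

EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
# "Hello john.doe," style greeting built from the local part of an address
USERNAME_GREETING = re.compile(r"^(?:hello|hi|dear)\s+\w+\.\w+\s*[,!]?\s*$", re.I | re.M)
URGENCY = re.compile(r"\b(?:immediately|urgent|within \d+ hours?|shut ?down|disabled)\b", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def plain_text_body(msg) -> str:
    # Single-part messages are their own text/plain part; walk() covers multipart.
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""


def spoofing_indicators(raw: bytes) -> list[str]:
    """Return the sorted list of spear-phishing indicators found in a raw message."""
    msg = BytesParser().parsebytes(raw)
    found = set()

    from_header = msg.get("From", "")
    _, from_addr = parseaddr(from_header)
    from_domain = domain_of(from_addr)

    # 1. Display name embeds an address from a different domain than the real sender
    domains_in_from = {domain_of(m.group(0)) for m in EMAIL_IN_TEXT.finditer(from_header)}
    if len(domains_in_from) > 1:
        found.add("mixed-domains-in-from")

    # 2. Replies are silently redirected to another domain
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and from_domain and reply_domain != from_domain:
        found.add("reply-to-domain-mismatch")

    # 3. SPF/DKIM/DMARC verdicts recorded by the receiving gateway
    for mech, result in AUTH_RESULT.findall(msg.get("Authentication-Results", "")):
        if result.lower() in ("fail", "softfail"):
            found.add(f"auth-{mech.lower()}-fail")

    # 4. Auto-generated greeting of the "Hello john.doe" kind
    body = plain_text_body(msg)
    if USERNAME_GREETING.search(body):
        found.add("username-style-greeting")

    # 5. Pressure to act right now, in the subject or the body
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        found.add("urgency-language")

    return sorted(found)


def looks_like_spear(raw: bytes, threshold: int = 2) -> bool:
    # Assumed policy: two or more independent indicators is enough to quarantine for review.
    return len(spoofing_indicators(raw)) >= threshold


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED_IT_NOTICE), ("legit", LEGIT_INTERNAL)):
        print(name, spoofing_indicators(sample), looks_like_spear(sample))
```

None of these checks is conclusive on its own: a legitimate newsletter may use a separate Reply-To, and a well-crafted spear email may pass SPF and DKIM because it is sent from a registered look-alike domain. That is why the verdict counts independent indicators rather than trusting any single one, and why the Authentication-Results header is only meaningful when it was added by your own gateway rather than carried in from outside.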
Now that we have discussed the key differences between spear phishing attacks and phishing attacks, we will introduce some side-by-side examples from our data. Can you spot the spear? Check the right answers at the end of the post.
1. spear left, 2. spear left, 3. spear right, 4. spear left