Spear Phishing And How Does It Differ from Regular Spam?
Blog Home
>

Spear Phishing And How Does It Differ from Regular Spam?

An Infosec Expert explains how Spear Phishing works. With real world examples and practical advice on how executives and C-Suite can reduce the risks.

Conor O'Neill
Conor O'Neill
Founder & Chief Product Officer
July 22, 2019

What's the difference between Spear Phishing and regular spam?

Unlike regular phishing emails which are sent out to masses of people at the same time, Spear Phishing is targeted at particular individuals. The goal is ultimately the same though; to lure the victim into clicking on a malicious URL, or to open an attachment.

What really sets Spear Phishing attacks apart is the degree of personalisation involved, hackers will including the victim’s: Name, Job-title, Company, or even mention colleagues or companies they work with. It is these clever customisations that make these attacks so much more likely to fool a victim than the average spam email from a wealthy Prince.

So Spear Phishing isn’t about petty crime or random theft, it’s a sophisticated and persistent attack, often by groups of highly skilled hackers for serious financial gain or the wholesale gathering of IP or customer data.

How does Spear Phishing work in practice?

Emails are sent from an apparently trustworthy source often a website with a large membership, such as Amazon, Paypal or Gmail. By limiting the number of targets, it's easier for hackers to include personal information gleaned from LinkedIn, Facebook and Twitter in the email. Piecing together this personal information is how hackers make a malicious email seem more trustworthy.

Typically, the target of Spear Phishing will be an individual with high-level authority and access such as a Sys Admin, CEO or CFO.

The message in the email may urge the victim to change their passwords to enhance security. However, they are actually being steered toward to bogus websites full of malware or ones which capture their credentials when entered.

Either way, the initial slip-up is all cybercriminals need to gain access to the victim’s networks and begin stealing the data they are after. 

Real-life examples of successful Spear Phishing attacks

• In 2015, Ubiquiti Network’s finance department was targeted. Fraudsters tricked employees into believing that Senior execs were instructing them to transfer $40+ million in funds from a Hong Kong subsidiary to a third party, but the reality the third party accounts all belonged to the fraudsters.

• In 2011, Epsilon suffered a massive data breach. Employees responsible for email were targeted with emails that mentioned them by name, a link then took them to a malicious site where malware was downloaded onto their system. The breach wasn’t discovered for at least four months and led to data on 5 Million of their clients being breached.

How to protect yourself - Tips for individuals

  • Hover over the link before you click on to double check where the URL is taking you.

  • Don’t open suspicious attachments to e-mails especially if the sender is unknown.

Enable your browsers built-in phishing filter to help prevent the emails from being directly delivered to your inbox in the first place.

  • Be wary of e-mails that just don’t have the right tone or sound off out of the blue requests from colleagues or clients or bank requesting PII such as usernames or DOB over e-mail.

How to reduce the risk - Tips for businesses

  • Any IT system or network is only as secure as its users make it. Employees must be trained in Security awareness because they are the first line of defence against spear phishing attacks.

  • Educate employees not to open emails from sources they don’t know

  • Teach employees not to click on links or download attachments

  • Encourage employees to be conscious of how much information is shared online and on social media so they are less likely to fall victim to identity theft.

  • Institute a cycle of continuous awareness training 

  • Choose a CREST Certified penetration testing company to run social engineering testing on your staff to see how they hold up against attacks in the real world

About Conor O'Neill

Conor is our Co-Founder and Head of Product Strategy at OnSecurity. Conor has over a decade of IT security experience, and has held a number of impressive letters after his surname, including M.Sc, CRT, GCIH and CISSP.

Feel free to connect with him on LinkedIn or get in touch with us at OnSecurity to discuss how we can protect your business from Spear Phishing.

More recommended articles

SaaS-based application uses OnSecurity for it’s penetration testing
Code Audits in Business Security - why is it important?
OnSecurity supports ParentPay with its manual pentesting service and comprehensive portal
Protect
Scan
Radar
Pricing
Penetration Test
Overview
External Infrastructure Testing
Physical Penetration Testing
Web Application
Internal Infrastructure Testing
Mobile Application
Phishing Simulation
Cloud Security Testing
Social Engineering
Resources
About
Blog
Contact
We're Hiring

© 2024 ONSECURITY TECHNOLOGY LIMITED (company registered in England and Wales. Registered number: 14184026 Registered office: Runway East, 101 Victoria Street, Bristol, England, BS1 6PU). All rights reserved.

Terms and Conditions
Privacy