Definition of the Day: Spear Phishing


When attackers go after small and medium-sized businesses, they increasingly do so in a targeted way. Whereas ordinary phishing casts a wide net over many potential victims, spear phishing aims at a chosen few.

So, what is spear phishing?

Spear phishing is an email scam aimed at a specific organization, or a small group of people within it, using messages tailored to those recipients. Its purpose is to obtain unauthorized access to sensitive data: intellectual property, trade or military secrets, financial data, or personal data that can later be used for blackmail.

How spear phishing works

Just as in regular, broader-based phishing, it starts with an email that appears to come from a trustworthy source. It does not. Instead it leads the unsuspecting recipient to a fake website that serves malware. Expect these emails to use clever, often emotionally loaded tactics to get attention and prompt action; for example, a spear phishing message might pose as coming from the National Center for Missing and Exploited Children.

Spear phishing attacks employ very specific, individually tailored approaches and techniques to personalize both the messages and the websites they point to. High-ranking targets and top executives are often the ones hooked, giving criminals top-level access to sensitive company information and networks. With stolen data, fraudsters can expose commercially sensitive information, manipulate stock prices or commit espionage. Spear phishing can also deploy malware that hijacks computers and enrolls them in large networks called botnets, which are then used for denial-of-service attacks.

How to fight spear phishing

Traditional security controls are not very effective against spear phishing because the attacks are so personalized and targeted. Employees need to be aware of the threat, including the possibility of convincing bogus emails landing in their inbox. Education is the first step. But changing how sensitive operations are carried out, for example moving to BankVault-protected methods of executing online financial transactions, is what protects company accounts even when an employee is fooled.
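Awareness training works better when people know which concrete signals give a spear phishing message away. The script below is an added example, not BankVault's product or code from the original article, that checks an email for the tells described above: a sender domain that imitates a trusted organization (confusable characters such as "rn" for "m", or the brand name reused in a longer domain), a Reply-To that quietly diverts replies elsewhere, and links whose visible text shows one site while the href points to another. The allowlist in TRUSTED_DOMAINS, the confusable table and the sample message are all constructed for this example; in practice the allowlist would come from your mail gateway configuration.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: domains this organization legitimately receives mail from.
TRUSTED_DOMAINS = {"missingkids.org", "example-bank.com"}
# Character sequences attackers swap in to build lookalike domains.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def normalize(domain):
    """Fold confusables so 'rnissingkids.org' compares equal to 'missingkids.org'."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    # Trusted domains and their own subdomains are never lookalikes.
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        t = normalize(trusted)
        # Exact match after folding (rnissingkids.org), or the brand label reused
        # inside a longer registered name (missingkids-notice.com).
        if norm == t or t.split(".")[0] in norm:
            return trusted
    return None

def addr_domain(header_value):
    """Lowercased domain of the first address in a header ('' if none)."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()

def url_host(url):
    """Hostname a link really points to, minus any leading 'www.'."""
    return re.sub(r"^www\.", "", (urlparse(url).hostname or "").lower())

def text_host(text):
    """Hostname the visible link text claims, if it looks like a URL or domain."""
    m = DOMAIN_RE.search(text.lower())
    return re.sub(r"^www\.", "", m.group(0)) if m else ""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze(raw_message):
    """Return (rule, detail) findings for one RFC 5322 message; [] means no red flags."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_domain = addr_domain(msg.get("From", ""))
    target = lookalike_of(from_domain)
    if target:
        findings.append(("lookalike-sender", f"{from_domain} imitates {target}"))
    reply_domain = addr_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_domain}, not {from_domain}"))
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        real, shown = url_host(href), text_host(text)
        if shown and real and shown != real:
            findings.append(("link-text-mismatch", f"text shows {shown} but link goes to {real}"))
        target = lookalike_of(real) if real else None
        if target:
            findings.append(("lookalike-link", f"{real} imitates {target}"))
    return findings

# Constructed sample (not a real campaign) in the style the article describes.
SAMPLE = """\
From: "NCMEC Case Team" <alerts@missingkids-notice.com>
Reply-To: case-team@mail-relay-1.example.net
Subject: Urgent: case file 48213 needs your sign-off today
Content-Type: text/html

<p>A case file was opened in your name. Review it before 5 pm today:</p>
<a href="http://rnissingkids.org/case/48213">https://www.missingkids.org/case/48213</a>
"""
```

Running `analyze(SAMPLE)` returns four findings in order: the lookalike sender, the diverted Reply-To, the link whose text and destination disagree, and the destination itself imitating missingkids.org. A message from a trusted domain with honest links returns an empty list. These heuristics are deliberately simple and will produce false positives (any partner whose domain reuses a trusted brand name gets flagged), which is why they belong in a triage or user-warning layer rather than as a hard block.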