Spear Phishing Attacks

Spear phishing, like phishing in general, is a scam that attempts to trick the recipient into providing confidential information, such as account credentials, to the attacker. Links or attachments can also be used to get the recipient to unknowingly download malware that gives the attacker access to the user’s computer system and other sensitive information. Where spear phishing differs from generic phishing is its targeted nature.

Spear phishing messages are typically personalized using public information the attacker has found on the recipient. This can include topics surrounding the recipient’s area of expertise, role in the organization, interests, public residential and tax information, and anything attackers can glean from social networks. These specific details make the email appear more legitimate and make the recipient more likely to click links or download attachments.

An example of a spear phishing attack can be something simple like “Wade, based on your love of the early reds this year, I’d suggest a visit to Domaine Maleficent [spoofed or compromised website], which Bob also loved. Check out their e-store.” This spear phishing example can be highly effective if Wade’s public information indicates he is a wine enthusiast and a friend of Bob, who also loves wine, and the email appears to come from a Facebook connection via a spoofed sender address.

In 2019, a North Korea-linked group of cyber attackers called Thalium reportedly used more than 50 web domains in spear phishing attacks. Thalium’s targets included government employees, think tanks, university staffers, members of organizations focused on world peace and human rights, and people who work on nuclear proliferation issues. Most targets were based in Japan, South Korea and the U.S. [1]

Spear phishing is a more targeted cyber attack than phishing. Emails are personalized to the intended victim. The attacker may identify with a cause, impersonate someone the recipient knows, or use other social engineering techniques to gain the victim’s trust. In the Thalium case, the attackers endeared themselves to the target by supporting efforts to stop the spread of nuclear weapons.

How can I protect against spear phishing?

Look for email protection solutions that use anomalytics to detect suspicious emails. Dynamic malware analysis can examine destination websites for malicious behavior and simulate a real user system so that evasion techniques built into malware are countered, driving the malware to reveal itself in a sandboxed environment. Sandboxing both at the time a suspicious email is delivered and when a user clicks a URL is likely to result in greater detection of these highly targeted threats.

Security awareness training plays an equally critical role. Most security decision makers surveyed by Osterman Research advocate some mix of security awareness training and technology-based solutions, although support varies based on the specific type of threat. In the case of spear phishing, 37% of those surveyed said that the solution is primarily about training, but that improved technology can help, while 44% said training and process are equally important. [2]

Whatever the mix, what’s really important is adopting a people-centered security posture. Attackers do not view the world in terms of a network diagram. Deploy a solution that gives you visibility into who’s being attacked, how they’re being attacked, and whether they clicked. Consider the individual risk each user represents, including how they’re targeted, what data they have access to, and whether they tend to fall prey to attacks.

Train users to spot and report malicious email. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable. The best simulations mimic real-world attack techniques. Look for solutions that tie into current trends and the latest threat intelligence.

At the same time, assume that users will eventually click some threats. Attackers will always find new ways to exploit human nature. Find a solution that spots and blocks inbound email threats targeting employees before they reach the inbox. And stop outside threats that use your domain to target customers and partners in spear phishing attacks.
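As an added illustration that is not part of the original article, the check below scores one inbound message for the impersonation signals described above: a known contact’s display name sent from a different address, a sender domain that is a near-miss of the organization’s own domain, a Reply-To that diverts replies elsewhere, and a link whose visible text names a different host than its target. The domain, contact list and sample message are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the defending organisation's own domain and the
# real addresses of contacts the recipient is known to correspond with.
OUR_DOMAIN = "example.com"
KNOWN_CONTACTS = {"bob": "bob@example.com"}   # lower-cased display name -> address

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to OUR_DOMAIN means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spear_phish_signals(raw_email: str) -> list:
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    signals = []
    # 1. Display name of a known contact, but not sent from that contact's address
    real = KNOWN_CONTACTS.get(name.strip().lower())
    if real and addr.lower() != real:
        signals.append(f"display name '{name}' used from {addr}, expected {real}")
    # 2. Sender domain is a near-miss of our own domain (typosquat / homoglyph)
    if sender_domain != OUR_DOMAIN and edit_distance(sender_domain, OUR_DOMAIN) <= 2:
        signals.append(f"lookalike of {OUR_DOMAIN}: {sender_domain}")
    # 3. Reply-To quietly routes replies to a different domain than the sender's
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rsplit("@", 1)[-1].lower()
    if reply_domain and reply_domain != sender_domain:
        signals.append(f"reply-to domain {reply_domain} differs from {sender_domain}")
    # 4. Link whose visible text names one host while the href points at another
    body = msg.get_payload() if not msg.is_multipart() else ""
    link_re = r'<a\s+href="https?://([^/"]+)[^"]*"[^>]*>\s*(?:https?://)?([^<\s/]+)'
    for href_host, shown in re.findall(link_re, body, re.I):
        if "." in shown and shown.lower() != href_host.lower():
            signals.append(f"link text {shown} hides {href_host}")
    return signals

# Constructed sample in the style of the wine lure above; all domains are fictional.
SAMPLE = """From: Bob <bob@examp1e.com>
Reply-To: bob@mail-relay.example
Content-Type: text/html

<a href="https://evil.example/store">https://domaine-maleficent.example</a>
"""
```

Running `spear_phish_signals(SAMPLE)` returns all four signals, while a plain text note from the real bob@example.com returns none.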

[1] Tom Burt, Microsoft. “Microsoft takes court action against fourth nation-state cybercrime group.” Blog post, December 2019.

[2] Osterman Research. “New Methods for Solving Phishing, Business Email Compromise, Account Takeovers and Other Security Threats.” White paper, August 2019.