Spear Phishing Definition

Spear phishing, like phishing in general, are scams that attempt to trick the recipient into providing confidential information, like account credentials, to the attacker. Links or attachments can also get the recipient to unknowingly download malware to give the attacker access to the user’s computer system and other sensitive information. Where spear phishing differs from the more generic phishing is its targeted nature.

Spear phishing attacks are messages typically personalized based on public information the attacker has found on the recipient. This can include topics surrounding the recipient’s expertise, role in the organization, interests, public and residential tax information, and any information attackers can glean from social networks. These specific details make the email appear more legitimate and increases the chances of the recipient clicking links or downloading attachments.

How Spear Phishing Works

Spear phishing is a more targeted cyber-attack than phishing. Emails are personalized to the intended victim. For example, the attacker may identify with a cause, impersonate someone the recipient knows, or use other social engineering techniques to gain the victim’s trust.

In 2019, a North Korea-linked group of cyber-attackers called Thalium reportedly used over 50 web domains in spear phishing attacks. Thalium’s targets included government employees, think tanks, university staffers, members of organizations focused on world peace and human rights, and people who work on nuclear proliferation issues. Most targets were based in Japan, South Korea, and the U.S.[1] Thalium attackers endeared themselves to the target by supporting efforts to stop the spread of nuclear weapons.

An example of a spear phishing attack can be something simple like “Wade, based on your love of the early reds this year, I’d suggest a visit to Domaine Maleficent [spoofed or compromised website], which Bob also loved. Check out their e-store.” This spear phishing example can be highly effective if Wade’s public information indicates he's a wine enthusiast, a friend of Bob who also loves wine, and the email originates from a Facebook connection through a spoofed email.

Notice in the above example that the attacker customizes the email to the interests and personality of the targeted victim. This customization is what differentiates spear phishing from standard phishing. This differentiation is what makes spear phishing more time consuming for the attacker, but it’s also highly effective in how it works.

Spear Phishing versus Phishing

Spear phishing and standard phishing share similarities but also have some distinct differences. Both effectively trick targeted users into divulging sensitive information, but spear phishing requires much more effort from the attacker. Spear phishing requires reconnaissance and an understanding of the targeted user so that emails contain just enough information to make them seem like they are from a legitimate sender.

First, let’s discuss standard phishing to identify the differences. Generally, phishing campaigns have no specific target. For example, the attacker might create an email message that uses the PayPal logo and content that sounds like a legitimate PayPal representative. The email usually won’t contain the user’s name, and the attacker doesn’t even know if the recipient has a PayPal account. The message might simply ask the targeted user to reply or click a link to a malicious website.

An attacker might send thousands of phishing emails to an email contact list. In some attacks, the domain name used to send malicious messages looks similar to the official one. For example, an attacker might register the domain “payypal.com” and use it to make the sender look official. Another phishing strategy uses email spoofing. Spoofing uses open email servers to manipulate the sender domain to “paypal.com” even though the message is not actually from a legitimate PayPal employee. DMARC (Domain-based Message Authentication, Reporting, & Conformance) is a newer cybersecurity strategy for email that detects spoofed email messages and blocks them, so spoofing is not the threat it used to be, provided the recipient email server uses DMARC.

With a message set up and a list of recipients, attackers can now send their malicious messages. Attackers know that some messages won’t go through. Cybersecurity filters will block others on the recipient’s email server, and some messages will be automatically deleted when targeted users realize the message is phishing. However, there will be a group of users who'll receive the phishing email and send the attacker sensitive information. Specific targets aren’t necessary for an email blast targeting thousands of users because attackers know that dozens of recipients will become victims.

While standard phishing is effective for smaller payouts, spear phishing takes a more targeted approach for bigger gains. They normally target high-privileged users within an organization, such as accountants, human resources employees, and C-level executives. These attacks require much more research into the target organization to understand what messages will work. Spear phishing can also be used in combination with social engineering to be more effective.

Spear phishing uses much more compelling messages than standard attacks. For example, attackers who claim to be the CEO could trick finance executives into sending money to their bank account. Fake invoices could be used to trick accounts payable employees into sending money to the attacker. To steal credentials, an attacker might create messages that seem like IT is asking for information. To mislead users, the messages must sound like they're from a legitimate person the recipient knows, which is why social engineering might also be used.

Because spear phishing is much more targeted, fewer users receive messages. An attacker researches the organization and creates messages for the few high-privileged users who have been selected as targets. The users chosen are usually from organizational charts on the organization’s website or using LinkedIn for reconnaissance.

Attackers using a spear-phishing strategy could trick the organization into sending millions of dollars to an offshore bank account or critical network credentials. Money transfers to an attacker-controlled bank account is devastating, but stolen network credentials could be even more damaging. Two-factor authentication and intrusion detection systems help stop further damage after a successful phishing attack, but a threat actor usually employs other methods to steal data. Malware injections on the network or data exfiltration using the stolen credentials are other options.

With stolen credentials, an attacker could maintain a presence on the victim’s network for months before detection. During that time, an attacker could exfiltrate terabytes of data without detection. Once detected, the organization must contain the threat and determine the vulnerability responsible for the compromise.

Spear Phishing and Whaling

A spear-phishing attack targets specific people, but the term “whaling” refers to when an attacker targets one or several C-level executives. The term refers to an executive’s high-privilege account permissions on the network and access to financial accounts. Executives are much more likely to fall victim to a spear phishing attack, so it’s a lucrative venture for a threat actor who conducts thorough reconnaissance.

Small and large businesses can be targets for threat actors and spear phishing. Whaling strategies also involve social engineering in large attacks. For example, the attacker might work with a partner who contacts the executive to make the threat more compelling to the targeted user. Home Depot, Anthem, Target, and JP Morgan have all been targets for whaling and spear phishing. Epsilon lost $4 billion to a spear-phishing attack targeting email providers. The damage was so severe that the cost to recover from damage and lawsuits made it one of the biggest cyber-attack payouts to date.

Examples of Spear Phishing

Providing examples of spear-phishing attacks will help you train users and identify them when your organization is the target. Don’t assume that your organization could not be a target because it’s too small. Attackers know that small businesses have fewer cybersecurity resources than large ones, so small businesses are also a target. Any size business could be the target of whaling and spear phishing.

Threat actors often use names of well-known businesses to increase the probability of success and give targeted users a sense of trust. PayPal, Amazon, Google, and Microsoft are four large household brands used in spear phishing. These brands give users a sense of trust and have millions of customers that could be tricked into clicking links in an email.

Another example of phishing uses Google and Microsoft to trick users into sending money to an attacker's bank account. The email claims that the user won money from either Google or Microsoft, and to receive funds, the targeted user must send a small fee for mailing costs. Although Gmail is good at filtering these messages, users find them in the spam inbox and respond to them. These messages should never reach the intended recipient in a business environment and should be quarantined instead of reaching a spam inbox.

Examples of spear phishing strategies:

  • The email sender claims to be a customer and complains about a recent purchase. The attacker links the user to a website that looks like the official page where a targeted employee is prompted to authenticate.
  • A text message or email notifies you that your bank account was compromised and links you to a page prompting you for authentication.
  • The email sender claims to be from a legitimate vendor stating that the account is about to expire, and the recipient must click a link and authenticate.
  • Requests to donate or send money to a specific group usually indicate that you’re a target of spear phishing.
  • Always validate invoices before paying them. Attackers use actual vendors with fake vendors to trick organizations.

Spear Phishing Statistics

Since 2020, reports of phishing and spear phishing have greatly increased. Verizon’s 2021 Data Breach investigations Report (DBIR) indicates that 74% of organizations in the United States experienced a successful phishing attack. 96% of these attacks were delivered via email, which makes email the most common vector for spear phishing.

Spear phishing is much more targeted, so active groups of attackers rely on it for credential theft, ransomware, and other forms of financial gain. These groups used spear phishing 65% of the time. Other reports suggest that spear phishing is fast becoming more popular than standard phishing. Reports from Proofpoint indicate that 64% of security professionals and 88% of organizations have experienced a sophisticated spear phishing attack. Many of these attacks were targeted for account compromise, malware (e.g., ransomware), and data theft.

How Can I Protect Against Spear Phishing?

Look for email protection solutions that use analytics to detect suspicious emails. Dynamic malware analysis can analyze destination websites for malicious behavior and simulate a real user system to counter evasive techniques built into malware, driving the malware to reveal itself in a sandboxed environment. Sandboxing at the time of delivery of a suspicious email and when users click on a URL is likely to result in greater detection of these highly targeted threats.

Security awareness training plays an equally critical role in defending against spear phishing. Most security decision-makers surveyed by Osterman Research advocate some mix of security awareness training and technology-based solutions, although support varies based on the specific type of threat. In spear phishing, 37% of those surveyed said that the solution is primarily about training but that improved technology can help, while 44% said training and process are equally important.[2]

Whatever the mix, what’s really important is adopting a people-centered security posture. Attackers do not view the world in terms of a network diagram. Deploy a solution that gives you visibility into who’s being attacked, how they’re being attacked, and whether they clicked. Consider the individual risk each user represents, including how they’re targeted, what data they have access to, and whether they tend to fall prey to attacks.

Train users to spot and report malicious email. Regular training and simulated phishing attacks can stop many attacks and help identify especially vulnerable people. The best simulations mimic real-world attack techniques. Look for solutions that tie into current trends and the latest threat intelligence.

At the same time, assume that users will eventually click some threats. Attackers will always find new ways to exploit human nature. So, find a solution that spots and blocks inbound email threats targeting employees before they reach the inbox. And stop outside threats that use your domain to target customers and partners in spear-phishing attacks.

A few other ways that you can protect from spear phishing:

  • For administrators, set up DMARC rules on the email server to stop phishing messages from reaching intended recipients.
  • Any message asking for financial transactions should be verified even if the sender looks like a legitimate employee or vendor.
  • Don’t click links in an email message. Instead, type the domain into a browser and authenticate from the official website.
  • Be wary of any message that says a response and financial transaction is urgent to keep an account active.
  • Train employees to identify the signs of a phishing attack and notify administrators when any suspicious message is received.
  • Even after a phone call, ensure that a message is from the legitimate sender. Social engineering is often used in whaling and spear phishing.
  • Train users to never provide credentials on phone calls. Network administrators should never ask for passwords from any employee within the organization.
  1. Tom Burt, Microsoft. “Microsoft takes court action against fourth nation-state cybercrime group.” December 2019.
  2. “New Methods for Solving Phishing, Business Email Compromise, Account Takeovers and Other Security Threats.” Osterman Research White Paper. August 2019.