What is spear phishing?
Spear phishing is a targeted form of classic phishing. While classic phishing sends a large number of e-mails more or less at random to many different recipients, spear phishing messages are aimed specifically at particular individuals or organizations. The name is an analogy to fishing: classic phishing is fishing with a net, catching whatever swims in, whereas spear phishing, like spearfishing, goes after individual fish.
The goal of spear phishing is to get recipients to click on malicious links or open attachments in order to steal data or install malware on their systems. The attacks usually use e-mails or messages via social networks that are enriched with previously gathered personal information and tailored to specific individuals or organizations.
The attacker has researched this information in advance or obtained it through social engineering, for example. The information makes the messages appear more credible and builds a degree of trust in the supposed sender. Compared with mass phishing, spear phishing requires considerably more effort, but it has a higher hit rate and a greater chance of success for the attacker.
If company executives or the heads of organizations are targeted, this is often referred to as “whaling”. Once the attacker has captured credentials or confidential data, or installed malware on a system, these are used, for example, to siphon off trade secrets, steal money, obtain military information, block processes, delete data, disrupt applications or penetrate further systems. Governments, intelligence agencies, criminal groups and professional cybercriminals are often behind spear phishing.
Typical characteristics of a spear phishing attack
Spear phishing has the following typical characteristics:
- The message is sent by e-mail or via a social media account
- It is not directed at a broad audience but at specific individuals or organizations
- It pretends to come from a known or trusted sender
- It contains personal information tailored to the specific recipient
- It makes a request that seems plausible to the recipient, such as following a link or opening an attachment
Example of a spear phishing attack
To illustrate spear phishing, the following is an example of an attack. In the run-up to the attack, the attacker gathers information about the target person or company from sources such as the company’s website or social media presence, for example about an employee in the HR department and the open job advertisements that employee handles.
The attacker then uses this information to compose a job application e-mail that appears relevant, authentic and trustworthy. The e-mail asks the HR employee to follow a link to further information about the application or to open an attachment such as Bewerbung-Hans-Müller.doc. The linked website or the attached file is prepared so that it steals data or compromises the recipient’s computer.
The attacker can then use the captured digital identity or data of the attacked person for further actions, or use the compromised computer to penetrate deeper into the corporate network.
Defensive measures against spear phishing
Defensive measures against spear phishing are:
- Education and training of employees
- General caution when dealing with e-mails
- Checking the sender of an e-mail, the real target of its links and the type of its attachments before acting on it
- Do not click on links or open attachments in suspicious e-mails
- If in doubt, contact the supposed sender by telephone, using a number you already know rather than one given in the message
- Do not disclose sensitive personal or company data on social networks, or limit the use of social networks
- Use anti-virus and anti-phishing software
- Healthy distrust when dealing with e-mails or messages in social networks
- Do not confirm or enter credentials or other data via links received in e-mails or other messages; open the service directly instead
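The check of sender, links and attachments listed above can be partly automated. The following Python script is an added example written for this article, not code from the original page; it applies three heuristics to a constructed raw message modelled on the job-application scenario: a Reply-To domain that differs from the From domain, link text that shows one host while the href points to another, and attachment names with macro-capable or executable extensions. All domains, names and the extension list are hypothetical and use the reserved .example TLD.

```python
"""Heuristic spear-phishing checks for a raw e-mail (added example).

Assumptions (not from the original page): the message, the domains and
the list of risky attachment extensions below are constructed for
illustration only.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Macro-capable Office formats and directly executable types (constructed list).
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".pptm", ".exe", ".scr",
                    ".js", ".vbs", ".hta", ".lnk", ".iso", ".img"}

# Constructed sample modelled on the job-application scenario; all hypothetical.
RAW_MESSAGE = b"""\
From: "Hans Mueller" <hans.mueller@applicant-mail.example>
Reply-To: hans.mueller@attacker-controlled.example
To: recruiting@example-corp.example
Subject: Application for Software Engineer (Job ID 4711)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Ms. Schmidt,</p>
<p>my full application is available at
<a href="http://example-corp.example.attacker-controlled.example/app">https://careers.example-corp.example/hans-mueller</a>.</p>
--b1
Content-Type: application/msword; name="Bewerbung-Hans-Mueller.doc"
Content-Disposition: attachment; filename="Bewerbung-Hans-Mueller.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Link text that itself looks like a URL (with or without scheme).
_URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rpartition("@")[2].lower()


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_sender(msg) -> list[str]:
    """Flag replies being redirected to another domain and addresses hidden in display names."""
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {_domain(from_addr)}")
    if "@" in from_name and _domain(from_name) != _domain(from_addr):
        findings.append(f"display name {from_name!r} shows a different address than {from_addr}")
    return findings


def check_links(html: str) -> list[str]:
    """Flag links whose visible URL names a different host than the real href."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        if not href or not _URLISH.match(text):
            continue  # plain link text such as "click here" cannot be compared
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        actual = urlparse(href).hostname
        if shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings


def check_attachments(msg) -> list[str]:
    """Flag attachments with macro-capable or executable file types."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"attachment {name} has a macro-capable or executable type")
    return findings


def analyse(raw: bytes) -> dict[str, list[str]]:
    """Run all three checks over a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = "".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/html")
    return {"sender": check_sender(msg), "links": check_links(html),
            "attachments": check_attachments(msg)}


if __name__ == "__main__":
    for category, findings in analyse(RAW_MESSAGE).items():
        for finding in findings:
            print(f"[{category}] {finding}")
```

None of these heuristics proves a message is malicious; a legitimate applicant may use a different Reply-To, and many genuine documents arrive as .doc files. Their value is in routing the message to a person who then applies the remaining measures, above all confirming the request with the supposed sender through a channel that the message itself did not supply.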