Spear phishing is a type of targeted cyber-attack, usually encountered over email, that typically uses urgency and fear to trick the target into giving out personal information, or simply into clicking a link or downloading a document that carries data-stealing malware. If this doesn’t make complete sense, don’t worry – below we have collected some clear examples of spear phishing to help you identify them yourself.
The most well-known kind of spear phishing attack usually looks something like this: the attacker impersonates a large, powerful organization – often one related to finances in some way – and urges immediate action by threatening to close your account, take money you haven’t spent, etc. These scams are so effective because it is surprisingly easy to make an email look legitimate with the right logo and colour scheme, and the urgency distracts the victim, making them lower their guard. The example here looks identical to a real Netflix email: it informs the target that their membership has been cancelled and offers a convenient web link to restart the account and continue using the service. Most likely, this link would take the target to a fake Netflix web page asking them to input sensitive data in order to get their membership back.
Spear phishing emails are all targeted at particular people, with varying degrees of research behind the attacks. For example, an attacker may have a list of Apple users to whom they can send a generic Apple Invoice email – it may not have all the right details, such as account numbers or even full names, but it is an email the target is used to seeing in their inbox, so it raises less suspicion straight away. However, these attacks can become very personal, as the example above shows. This image is of a CEO Fraud attack – a spear phishing attack that involves impersonating a company’s CEO to request money transfers from other employees – and, as you can see, the attacker at least knows the victim’s name, the CEO’s name and their email addresses, and possibly more. The more information a cyber-criminal can gather on you, the more believable their emails can be.
Spear phishing attacks will sometimes use malicious attachments – for example, keylogging malware – to gather the target’s personal information, rather than relying on the person willingly handing it over to a fake persona or website. Malicious attachments can sometimes be more effective bait than a link, because web links are widely known to be used by cyber-criminals, whereas harmful attachments haven’t been as common for years, making them less of a red flag.
In the example above the attacker is ironically imitating a cyber-security company, with an attached PDF disguised as a guide on ‘Next Generation Threats’.