Skip to main content
Spear Phishing Attack

Typical phishing attacks generally cast a wide net. They're not well targeted at any particular group. Instead, the potential criminals hope to snag some victims because of their massive scale.

In contrast, cyberthieves will target a spear phishing attack against only one group. They may include enough details about this smaller target to make their original messages appear very plausible. Learn how spear phishing attacks work and the best ways to guard against them.

How a Spear Phishing Attack Works

With typical phishing, criminals hope to send their messages to so many people that they will stumble across enough victims to make their efforts profitable. Today, businesses and government organizations have gained enough experience to guard themselves pretty well against these unsophisticated attempts to steal credentials and other personal information.

In response, savvy criminals learned they can easily gather public information about an organization or even a team within an organization.

As an example, it's fairly easy to find an account manager's name and email address through such social networks as LinkedIn. Press releases may contain details about upcoming business deals, customers, and even urgent issues. Using this information, a savvy digital thief can craft a much more convincing message that might entice more sophisticated computer users to click through a fake link and supply information.

A High-Profile Spear Phishing Example

Spear phishing requires a large investment; however, criminals may hope to enjoy big payoffs.

The Infosec Security Institute published an example of how one spear phishing email drained over $46 million from Ubiquiti Networks Inc. in 2015. The emails impersonated company executives and tricked employees into transferring funds to a Hong Kong company.

More commonly, these messages won't directly result in the loss of funds. Instead, they attempt to gather credentials that the criminals can use to steal information or money. In some cases, the fraudsters simply want to sell the credentials through the black market.

Protection Against Spear Phishing

Any measures used to prevent typical phishing attacks provide a good basic strategy against spear phishing too. As examples:

  • Employees should remain wary of unsolicited emails. That's particularly true for messages that contain links to click or request any sensitive actions, such as transferring money or divulging credentials.
  • Good filtering software may also block these messages before they even reach a recipient. Older filtering apps may only recognize common phishing attempts; however, the latest generation of AI-enabled messaging scans can provide better security.

Sadly, even the best tech measures may not provide enough protection against clever spear phishing attacks. As The Info Security Institute put it, organizations also need to create a "human firewall" by developing and implementing strong security policies and training.

Get a Customized Proposal

Use our Scoping Questionnaire to provide us with the necessary information to put together a proposal for you. Please be as thorough as possible with your responses, as it helps us ensure an accurate and complete proposal.
If you're interested in application penetration testing, you may find this article helpful when formulating your responses: Understanding Application Complexity For Penetration Testing.

If you have any questions, contact us at (952) 836-2770 or schedule a meeting. We will follow up promptly once we receive your responses. We look forward to speaking with you soon.

Having trouble viewing the Scoping Questionnaire? Check to see if an ad-blocker is keeping the page from loading properly.

Dedicated Client Portal

Interact in real-time with your RedTeam security professionals on our user-friendly client portal and see firsthand as the team closes in on your company data.

Certified Security Experts

Our trusted security professionals hold certifications from the leading industry organizations, including OSCP, CASS, CPT, CISSP and more.

Research-Focused Approach

We hold industry-leading certifications and dedicate part of every day to research the latest exploit techniques to ensure our clients remain protected from evolving online attacks.

Free Remediation Testing

Once your team addresses remediation recommendations, RedTeam will schedule your retest at no additional charge.
Contact Us