Spear phishing is an advanced form of phishing in which the attacker personalizes their email based on careful research. Because spear phishing emails match what you’d expect to see in your inbox, they can be much harder to spot than the run-of-the-mill Nigerian prince.
All the more reason to familiarize yourself. In this article, I’ll walk you through six spear phishing email examples, alongside a bit of context on how they work and how you can protect yourself.
One thing to keep in mind when reading – because spear phishing emails are defined by their personalization, it’s impossible to write one perfect example that works for every individual. When reading the below examples, assume that the fictitious scam artist has done their research and drafted their attack email with a specific victim in mind.
Example #1: The College Reunion
For this example, assume the attacker discovered on LinkedIn that their target graduated from the College of William & Mary in 1994.
Hello Delia!
You’re officially invited to celebrate the 25th reunion of the College of William & Mary’s class of 1996.
The reunion will be held the weekend of Friday, June 11th, through Sunday, June 13th. Please click here to RSVP by March 31st.
We hope to see you there.
— Andy Hutchinson, ‘94
Reunion Committee Chair
This one’s pretty straightforward. From a quick LinkedIn search, the scammer identified the right graduating class and sent a well-timed email inviting this person to a college reunion. Once the target clicks the link, they are directed to a landing page where they create an account or input personal information that can then be used against them.
Where many phishing emails make emotional appeals based on fear, this one makes a softer push, on nostalgia and friendly feelings. This can be just as effective at getting someone to let their guard down – maybe even more so, if you’re already on guard for fear-based phishing attacks.
So how can you protect yourself? The most important thing is to watch for any links in emails. Don’t just click on them – mouse over them and check where the link is pointing. Better yet, right click on the link, copy the link address, and paste it into your address bar. Look closely before you hit enter: attackers often purchase fake domains that look legit.
Now for a tough question. Is it worth listing your graduating class on LinkedIn? Many cybersecurity experts would recommend scrubbing all such info from your online profiles, so that it can’t be used against you. Some would even say to delete your profile entirely. But your LinkedIn profile can be a legitimately useful tool for making business contacts.
Personally, I would recommend at least setting aside an hour to go over your social media profiles. For each piece of information you put online, ask yourself: is my benefit from publicizing this information worth the risk of exposure?
In some cases, you might decide it’s well worth it to share a particular piece of information online. In others, you might decide a detail maybe isn’t worth sharing far and wide. Only you can decide what’s best for you.
Example #2: The Covid-19 Spear Phish
For this example, assume the sender knows where you were on a particular date.
Dear Mr. Richardson:
I’m with the New York State Department of Health. Based on our contact tracing efforts, we have determined that you may have been exposed to the covid-19 virus on March 11th at the Tandem Grill on Atlantic Avenue in Brooklyn, NY.
Please click here for more information. If you were exposed to the virus, you may be eligible for a free covid-19 test.
Thank you.
Dale Jackson, contact tracer
New York State Department of Health
Would a spear phisher exploit a global pandemic to scam their unsuspecting victims? You bet they would! In this case, they’ve also picked up on some key personal information.
Specifically, the date and location add to this email’s credibility – they’re what make it a spear phishing email, after all. So how did this person come across this info? Most likely, their target or someone they knew posted where they were on Facebook, Instagram, or another social media platform.
I’m not going to tell you to stop posting anything online. That would be the safest approach, for the record, but one that’s a step too far for most web users. What else can you do? I would recommend turning off any location tagging, as well as limiting who can see your posts.
Key term: Open Source Intelligence (OSINT) refers to any information one could gather just by looking at what’s already public knowledge. So a spear phisher who looks through your social media profile is gathering OSINT – it’s right out there on the web, so no need for them to do any serious sleuthing to uncover it.
Example #3: The Relative in Peril
For this example, assume the sender knows their target’s grandson is currently traveling in China.
Hello,
I am writing to inform you that your relation, JONATHAN SMITH, has been arrested by the People’s Armed Police Force (中国人民武装警察部队) for the following offenses:
• Subversion
• Defacing a public monument
• Destruction of property of the People’s Republic of China
He is currently being held at Tilanqiao Prison (提篮桥监狱) in Shanghai. We are prepared to free him on the condition of his removal from the country. To do so, we will need $13,500 dollars to pay for damages and deportation expenses.
Please forward this money via the following web portal: https://bit.ly/2P6Akll
–– Yuan Baoquang 王寶強
If a spear phisher would exploit a global pandemic, why not a grandma’s love? This is another big emotional play premised on both love and fear. The goal is to get the target to act without thinking twice.
If you receive a message like the above, take a moment and call the person in question. If you can’t reach them, call another close relation. Or check their social media accounts – in this case, you can do your own open source intelligence to see if the scammer’s telling the truth.
Example #4: Trouble at School
For this example, assume the scam artist found out on social media that their target’s son recently got in a fight at school.
From: atomlinson@msdwt.k12.in.us
Subject: Neil Murphy behavioral issues
Dear Mr. Murphy:
Following recent behavioral issues, we’ve submitted a case record into our ERIS documentation system. You can click here to log into the portal and review the file.
Once you’ve seen the case file, please book a meeting with me at your earliest convenience so we can discuss next steps. This can also be accomplished through the portal linked above.
Happy to answer any questions.
Thank you,
Amanda Tomlinson
School Counselor, Washington Township K-12
This is another emotional play based on a specific recent event. The reader probably feels some combination of anxiety, anger, and disappointment at reading this email. Or all three, in which case suspicion ranks pretty low on the list of active emotions.
“From” addresses can be easily faked via a process known as email spoofing. That’s why I encourage you to focus on the URL instead. Carefully examine it to make sure it’s the real website. Even a few pixels can make the difference between the real thing and a cloned version, carefully designed to trick you.
If you’re in doubt, you can look the sender up on the school website or directory, or place a call directly to the school.
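The two checks recommended above (where a link really points, and whether the “From” address can be trusted) can be scripted. The following is an added example written for this article, not a tool from the original post: it parses a constructed message modelled on Example #4, compares the From domain with the Return-Path (a spoofed From rarely matches where bounces go), and flags link destinations that are a character or two away from a domain the recipient knows. The allowlist and the Return-Path heuristic are assumptions for the demonstration.

```python
import difflib
import email
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"msdwt.k12.in.us"}  # hypothetical allowlist of senders this recipient knows

class LinkParser(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append(("".join(self.text).strip(), self.href))
            self.href = None

def analyze(raw):
    """Return a list of warnings for one RFC 5322 message with an HTML body."""
    msg = email.message_from_string(raw, policy=default)
    warnings = []
    from_dom = msg["From"].addresses[0].domain.lower()
    ret = str(msg["Return-Path"] or "").strip("<>").rsplit("@", 1)[-1].lower()
    if ret and ret != from_dom:  # heuristic: a spoofed From rarely matches the bounce address
        warnings.append(f"From claims {from_dom} but bounces go to {ret}")
    parser = LinkParser()
    parser.feed(msg.get_body(("html",)).get_content())
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        # A domain only a character or two away from a trusted one is a lookalike.
        near = difflib.get_close_matches(host, TRUSTED - {host}, n=1, cutoff=0.8)
        if near:
            warnings.append(f"'{text}' goes to {host}, which imitates {near[0]}")
        elif host not in TRUSTED:
            warnings.append(f"'{text}' goes to unknown domain {host}")
    return warnings

# Constructed sample resembling Example #4 above; not a real message.
SAMPLE = """From: Amanda Tomlinson <atomlinson@msdwt.k12.in.us>
Return-Path: <bounce@mailer-sender.example>
Content-Type: text/html

<p><a href="http://msdwt.kl2.in.us/eris">click here</a> to review the file.</p>
"""
```

Run `analyze(SAMPLE)` to see both warnings; a message whose Return-Path and link host both match the allowlist produces none.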
Example #5: The DNC Hack
Let’s try a famous one – here’s an example from Russian hackers’ efforts to compromise the Democratic National Committee (DNC). What would you do if you received this email?
So what makes this a spear phish? In this case, Russian hackers had been targeting the DNC for months. DNC officials knew it, and raised awareness within their organization. The Russian hackers then cloned a warning email from Gmail, prompting recipients to change their password.
In one case, Clinton campaign chair John Podesta forwarded the email to a campaign staffer, who mistakenly told him to change his password per the email’s instructions. Podesta complied, and immediately handed over his login credentials to Russian hackers. Oops.
After raising red flags, these attackers then imitated those red flags to get past their target’s defenses. In effect, the DNC’s own phishing-awareness campaign, prompted by the attackers’ earlier activity, gave them the context in which a fake password-reset warning looked relevant and legitimate. Very smart.
Key term: The Russian hackers in this scenario could be described as an advanced persistent threat, or APT: high-level attackers making a concerted attack. These are some of the scariest adversaries in cybersecurity, and they almost exclusively go after high-profile targets, including political organizations such as the DNC.
Example #6: The Compromised Account
In this example, the spear phishers have already compromised an email account within an organization, and are now using that address to gain greater access.
Hey Jim, do you remember the password for quickbooks? I’m blanking right now, need to check to see if I paid our freelancers.
Pls send 🥺
— Gale
These attackers will stop at nothing – not even misusing the 🥺 emoji for their vile ends.
In this case, they’ve also phished and commandeered an employee’s email address. They don’t yet have a hand on the company’s purse strings, but all they have to do is ask.
Once a spear phisher has compromised an email address, there’s not much stopping them from continuing to phish using that email.
So how can you protect your organization? First of all, don’t give away any passwords or sensitive information over email unless you absolutely must. If someone asks, walk over or call them.
Two-factor authentication (2FA) can also be a huge boon to protecting your organization. With two-factor authentication, you need more than just a password to log in to an account. Most frequently, 2FA works by texting a temporary login code to your phone number. It makes it that much harder for a remote hacker to get into your accounts.
The Bottom Line
So now you’ve seen six spear phishing email examples to give you an idea of what they look like. Because they’re personalized by their very nature, there’s no one-size-fits-all spear phishing attack – the best way to stay safe is to stay vigilant.