Phishing is any attempt to trick a victim with fraudulent email sent over the internet. The goal of a phishing attack is almost always to steal money, passwords, or personal information from an unsuspecting victim.
Spear phishing is a specific type of phishing, in which the scammer writes a highly personalized email with a specific victim in mind. To accomplish this, they diligently research their target before crafting the email. Because this is so time-intensive, spear phishers tend to go after high value targets, such as companies.
How Phishing Works
The typical phishing email is generic, designed to send to as many people as possible. They might customize the name, or they might even just open with “Hello friend” or another greeting that could apply to anyone. From there, they’ll write an email that would apply equally well (or equally poorly, in most cases) to any reader.
The classic phishing example is the Nigerian Prince, aka the “Nigerian 419” scammer, named after the Nigerian criminal code. This kind of advance fee fraud takes on different forms – you might get a message from a bureaucrat, businessperson, or government contractor – but they share a common theme. The author promises vast sums of money if only you pay a nominal fee or give them access to your bank account. Here’s an example:
I hope this email finds you well. I write to ask for your aid in remitting a sum of $18.4 million. These funds were awarded as part of a government contract, and I want to safely move them out of my country under your supervision.
My name is Adomas Masiulis and I am the Director of Extraction for the Lithuanian Department of Energy. It is in my power to move this money to a safe destination. All I ask from you is that you safeguard these funds. For your service, you would be eligible to transfer 15% of this money to your own personal accounts.
It is necessary that you handle this business with the highest discretion. Should you do so, the profits described above can be arrived at with a minimum of personal risk.
Kindly reach out to me for further information at email@example.com.
I eagerly await your reply.
Mr. Adomas Masiulis
Someone could send this phishing email to a million people, and it would apply equally well to all of them. That’s also what makes this easier to detect: why would a complete stranger trust you with millions of dollars?
How Spear Phishing Works
The spear phisher takes a very different approach. Instead of writing an email that could apply to anyone, the spear phisher starts by choosing a particular target. Because spear phishing is so time intensive, they tend to go after high value targets – think CEOs and CFOs, the kind of people that might have access to a company’s coffers or customer data.
Once they have their target, the spear phisher studiously researches their victim to find an angle of attack. These days, it’s not hard for them to get everything they need from social media. Think of how much personal information someone could find just by looking on Facebook and Google. This kind of research based on publicly available information is sometimes referred to as Open Source Intelligence (OSINT), and it includes anything people post publicly online.
Once they know enough about their victim, the spear phisher finally sits down to write the email. Because they did the research, they can now personalize their message to match their target. The goal is to send an email that matches exactly what you would expect to see in your inbox anyway. That could be a perfectly timed invite to your college reunion, a message in line with your department’s big campaign, or it could just be a seemingly routine bank notice. You’d be less likely to dismiss any of these emails than you would an Estonian bureaucrat promising you millions of dollars.
Two Common Techniques Shared by Phish and Spear Phish
Now let’s talk about two techniques that both spear phish and other phish use to get past your defenses: exploiting emotions and spoofing emails.
It’s very common for phish of all stripes to exploit your emotions as a means to lower your defenses. Most frequently, they like to exploit fear and urgency to get you to act before thinking twice.
A generic phishing email might exploit fear by pretending to be the IRS. Any taxpaying American could in theory be audited, making this an appeal to fear they can send far and wide. If the mere mention of the IRS sends a shiver down your spine, you might end up disclosing sensitive information before giving it a second thought.
A spear phish exploiting fear would still start with their research. Supposing they found out your son was traveling in a foreign country, for instance, they might email you posing as local authorities, claiming your son has been jailed for violating local law. Probably scarier coming from North Korea than, say, Canada, but there’s plenty of room in between.
Phish of all stripes also employ the tricks of impersonation, such as email spoofing: making it appear as though an email came from someone trustworthy. You might think you can trust the “from” line in an email, but you’d be mistaken. It’s surprisingly easy to send someone an email from any address you want.
Many spear phishers combine careful research with both of the above techniques, sending a personalized emotional appeal from a spoofed “from” address. It’s a potent combination, and a reminder to always take care. Any email can be faked, even one that appears to be from someone you trust.
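Because the visible “from” line proves nothing, mail servers and filters look at what the sender cannot easily control: the envelope sender (Return-Path) and the SPF, DKIM and DMARC verdicts the receiving server records in an Authentication-Results header. The following added example (not code from the original article) runs that check over two constructed messages, one spoofed and one genuine; the header values, addresses and domains are all made up for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: From: claims the CEO, but the envelope sender is a
# third-party relay and the receiving server recorded failing verdicts.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe, CEO" <jane.doe@example.com>
To: cfo@example.com
Subject: Urgent wire transfer needed today

Please handle this with the highest discretion.
"""

# Constructed sample: envelope sender matches From: and all three checks pass.
SAMPLE_LEGIT = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Doe, CEO" <jane.doe@example.com>
To: cfo@example.com
Subject: Q3 numbers

Attached.
"""

def _domain(header_value):
    """Return the lower-cased domain of the first address in a header."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def _auth_results(msg):
    """Collect method=verdict pairs (spf, dkim, dmarc) from Authentication-Results."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in str(hdr).split(";")[1:]:  # first clause is the authserv-id
            token = clause.split()[0] if clause.split() else ""
            method, _, verdict = token.partition("=")
            if verdict:
                results[method.lower()] = verdict.lower()
    return results

def spoof_indicators(raw_message):
    """Return a list of reasons the From: line should not be trusted (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = _domain(msg.get("From", ""))
    envelope_dom = _domain(msg.get("Return-Path", ""))
    auth = _auth_results(msg)
    findings = []
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender {envelope_dom} differs from From: {from_dom}")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} result is {auth.get(method, 'missing')}")
    return findings
```

A non-empty result is a reason to hold or flag the message, not proof of fraud: forwarded mail and misconfigured senders also fail these checks, which is why DMARC policies start in monitoring mode.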
What About Whaling?
Whaling refers to an even more specific type of spear phishing that exclusively targets the highest value targets – these scammers are only interested in catching a whale.
A whaling attacker is less likely to take a quick payout once they’ve compromised an account. Instead, they’ll use that account to compromise more accounts, in hopes of snagging a CEO. Once they’ve compromised one account, they can send emails from that address, at which point they’re nigh indistinguishable from the real person.
Spear Phishing vs Phishing: A Review
Let’s review the differences between routine phishing and spear phishing:
| Spear Phishing Attack | Typical Phishing Attack |
| --- | --- |
| Carefully researched | Fire and forget |
| Targeted to one person | Sent en masse |
| Fits expectations | Out of the blue |
| Time intensive | Quick & dirty |
Remember that phishing attacks come in all varieties, and spear phishing is just one type of phishing. The above adjectives for the “typical phishing attack” describe your run-of-the-mill phish, but many phish use more advanced tactics – spear phishing is just one of them.
To reiterate our definition: spear phishing is a type of phishing where the scam artist carefully researches their victim and crafts a personalized email that matches their victim’s expectations. It’s a potent form of phishing, and can be much harder to detect than your run-of-the-mill phishing email. All the more reason to stay vigilant.