Spear phishing is a form of phishing attack in which the attacker researches their target and then personalizes their phishing email. Where most phishing attacks involve generic mass emails, spear phishing attacks are more tactical: these hand-crafted emails fit right in with the target’s inbox, increasing the odds the victim will fall for the scam.
How Phishing Works
Phishing attacks are a form of social engineering in which the attacker sends their target a deceptive email, in hopes their prospective victim will send them money or leak sensitive info or account credentials.
Most phishing attacks involve mass emails, such as the generic Nigerian prince example. These all-purpose emails can be copied, pasted, and sent to thousands of people with minimal customization. Here’s a typical example:
I hope this email finds you well. I write to ask for your aid in remitting a sum of $18.4 million. These funds were awarded as part of a government contract, and I want to safely move them out of my country under your supervision.
My name is Adomas Masiulus and I am the Director of Extraction for the Lithuanian Department of Energy. It is in my power to move this money to a safe destination. All I ask from you is that you safeguard these funds. For your service, you would be eligible to transfer 15% of this money to your own personal accounts.
It is necessary that you handle this business with the highest discretion. Should you do so, the profits described above can be arrived at with a minimum of personal risk.
Kindly reach out to me for further information at firstname.lastname@example.org.
I eagerly await your reply.
Mr. Adomas Masiulus
Someone could send this phishing email to a million people, and it would apply equally well to all of them. That’s also what makes this easier to detect: why would a complete stranger trust you with millions of dollars?
How Spear Phishing Works
In a spear phishing attack, the scammer researches their target and then handcrafts a personalized email. By taking a more thoughtful approach, the attacker can create an email that looks just like one you would expect to receive. As a result, spear phishing emails are usually much harder to detect than the typical phishing email.
Because spear phishing attacks rely so heavily on personalization, no one example can give an adequate picture of what these emails look like. You can see a few in our Spear Phishing Examples article.
Because spear phishing attacks are so much more time-intensive than regular phishing attacks, they’re generally used against high-value targets, such as enterprise businesses and political organizations. Spear phishing is one of the most common tactics deployed by persistent threats, such as the Russian hacker outfit that successfully penetrated the DNC in 2016.
Spear Phishing Vs Phishing: Comparison Table
| Spear Phishing Attack | Typical Phishing Attack |
| --- | --- |
| Personalized email | Generic email |
| Carefully researched | Fire and forget |
| Targeted to one person | Sent en masse |
| Fits in with your inbox | Out of the blue |
| Time intensive | Quick & dirty |
What About Whaling?
Whaling, or whale phishing, refers to an even more specific type of spear phishing that exclusively targets the highest value targets – these scammers are only interested in catching a whale.
A whaling attacker is less likely to take a quick payout once they’ve compromised an account. Instead, they’ll use that account to compromise more accounts, in hopes of snagging a CEO. Once they’ve compromised one account, they can send emails from that address, at which point they’re nigh indistinguishable from the real person.
How to Protect Yourself From Phishing & Spear Phishing Attacks
First off, the best way to protect yourself from all types of phishing attacks is to think carefully before clicking any link in an unsolicited email. You can never trust that an email sender is who they claim to be; through a technique known as email spoofing, hackers can even falsify the “From” line, making an email appear to have been sent from an address of their choosing.
From there, the phishing email will route you to a phony website or fake phone number, where the scammer will then ask you to hand over sensitive information, such as your credit card number or bank login details.
Instead of clicking a link in an email, look up the company’s website independently. If you have questions about the email, you can contact them directly, via the contact info publicly posted on their website.
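The two warning signs described above, a falsified "From" line and a link that leads somewhere other than where it appears to, can be checked mechanically on a received message. The following is an added example written for this article, not code from the original post: it parses a raw message with Python's standard `email` library and reports three things a mail filter or an analyst would want to know, namely a display name that names a different address than the one actually sending, a Reply-To outside the sender's domain, and link text that shows one host while the `href` points at another. Both sample messages are constructed and use the reserved `example.*` domains.

```python
# Added example: heuristic header and link checks of the kind a mail filter or an
# analyst might run on a received message. Not code from the original article; the
# two sample messages below are constructed and use the reserved example.* domains.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")        # an address inside free text
HOST_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)")   # a host name shown in link text


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def same_org(a: str, b: str) -> bool:
    """True when two domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw: bytes) -> list:
    """Return human-readable findings for the patterns the article warns about:
    a From line that claims one identity but carries another, replies routed to a
    different domain, and link text that does not match the real destination."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return ["no parseable From address"]
    sender = from_header.addresses[0]
    from_domain = sender.domain.lower()

    # 1. Display name that itself contains an address from some other domain
    claimed = ADDR_RE.search(sender.display_name)
    if claimed and not same_org(claimed.group(1).lower(), from_domain):
        findings.append(f"From display name claims {claimed.group(1)} but address is @{from_domain}")

    # 2. Reply-To or envelope sender (Return-Path) outside the From domain
    for name in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(name, ""))
        if other and not same_org(other, from_domain):
            findings.append(f"{name} domain {other} differs from From domain {from_domain}")

    # 3. Links whose visible text names one host while the href goes to another
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            href_host = (urlparse(href).hostname or "").lower()
            shown = HOST_RE.search(text)
            if shown and href_host and not same_org(shown.group(1).lower(), href_host):
                findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
    return findings


# Constructed sample: the display name impersonates ap@example.com, replies go to a
# third domain, and the visible link text does not match the real destination.
SUSPICIOUS_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.net>
From: "Accounts Payable <ap@example.com>" <ap-notices@example.net>
Reply-To: invoices@example.org
To: alice@example.com
Subject: Updated wire instructions for invoice 4471
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Alice, please review the updated instructions before Friday's transfer.</p>
<p><a href="https://portal.example.org/login">https://portal.example.com/invoices</a></p>
</body></html>
"""

# Constructed sample of an ordinary internal message that should produce no findings.
CLEAN_MESSAGE = b"""\
From: Bob Example <bob@example.com>
To: alice@example.com
Subject: Lunch
Content-Type: text/html; charset="utf-8"

<html><body><p>Menu: <a href="https://intranet.example.com/menu">intranet.example.com</a></p></body></html>
"""

if __name__ == "__main__":
    for finding in analyze_message(SUSPICIOUS_MESSAGE):
        print("-", finding)
```

The subdomain tolerance in `same_org` is deliberate: bounce addresses routinely live on a subdomain of the sending organization (`mailer.example.net` for mail from `example.net`), so the envelope sender is only flagged when it belongs to an unrelated domain. None of these checks proves a message is malicious; they surface the mismatches that the article tells readers to look for, so that a human can apply the independent lookup it recommends.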
When it comes to spear phishing emails, you can make it much harder for attackers to personalize their approach by limiting what you share online. Scammers frequently look up their targets on social media platforms, such as Facebook and LinkedIn. By limiting who can see your account – and what you post in public – you make it that much harder for attackers to research you and prep their attacks.