Spear Phishing 101


Spear phishing isn’t what you do when you’re on vacation in the Bahamas. It’s a targeted attack on your personal information or business information. And most recently, Twitter came under attack from a complex spear phishing attack that allowed cybercriminals to hack into significant public figures’ verified accounts and convince users worldwide to transfer them nearly $120,000 in bitcoin.

What is Spear Phishing?

Spear phishing is a social engineering attack in which a perpetrator, disguised as a trusted individual, tricks a target into clicking a link in a spoofed email, text message, or instant message. As a result, the target unwittingly reveals sensitive information, installs malicious programs (malware) on their network, or executes the first stage of an advanced persistent threat (APT), to name a few of the possible consequences.

While similar to phishing and whaling attacks, spear phishing is launched in a unique way, and its targets differ from other social engineering assaults. As a result, the attack deserves special attention when formulating your application security strategy.


Spear Phishing vs. Phishing

Spear-phishing can easily be confused with phishing because both are online attacks that aim to acquire confidential information from users. Phishing is a broader term for any attempt to trick victims into sharing sensitive information such as passwords, usernames, and credit card details for malicious reasons. The attackers often disguise themselves as trustworthy entities and make contact with their target via email, social media, phone calls, and even text messages.

Unlike spear-phishing attacks, phishing attacks are not personalized to their victims and are usually sent to masses of people at the same time. The goal of phishing attacks is to send a spoofed email (or other communication) that looks as if it is from an authentic organization to many people, banking on the chance that someone will click on that link and provide their personal information or download malware. Spear-phishing attacks target a specific victim, and messages are modified to specifically address that victim, purportedly coming from an entity they are familiar with and containing personal information. Spear-phishing requires more thought and time to achieve than phishing. Spear-phishing attackers try to obtain as much personal information about their victims as possible to make the emails they send look legitimate and increase their chance of fooling recipients. Because these emails are so personalized, spear-phishing attacks are more challenging to identify than phishing attacks conducted at a wide scale. This is why spear-phishing attacks are becoming more prevalent.

How to Protect Yourself against Spear Phishing attacks?

Traditional security often doesn’t stop these attacks because they are so cleverly customized. As a result, they’re becoming more difficult to detect. One employee mistake can have severe consequences for businesses, governments, and even nonprofit organizations. With stolen data, fraudsters can reveal commercially sensitive information, manipulate stock prices, or commit various espionage acts. Also, spear phishing attacks can deploy malware to hijack computers, organizing them into enormous networks called botnets that can be used for denial of service attacks.

To fight these scams, employees need to be aware of the threats, such as the possibility of bogus emails landing in their inbox. Besides education, technology that focuses on email security is necessary.

  • Two-factor authentication – Two-factor authentication helps secure login to sensitive applications by requiring users to have two things: something they know, such as a password and user name, and something they have, such as a smartphone or cryptographic token. When two-factor authentication is used, even if a password is compromised using a technique like spear-phishing, it’s of no use to an attacker without the physical device held by the real user.
  • Password management policies – A prudent password management policy should take steps to prevent employees from using corporate access passwords on fake external websites. One example of such a policy is instructing employees always to enter a false password when accessing a link provided by email. A legitimate website won’t accept a false password, but a phishing site will.
  • Educational campaigns – At the organizational level, enterprises can raise awareness and actively train employees, highlighting spear-phishing attacks as essential threats. Training materials can feature real-life examples of spear phishing, with questions designed to test employee knowledge. Employees who are aware of spear phishing are less likely to fall victim to an attack.


As with all cybersecurity issues, the best defense is a good offense. Lazarus Alliance recommends that organizations take a proactive approach to Spear Phishing attacks, beginning with establishing a comprehensive cyber security policy and employee training program.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.
