Spear phishing is an email-spoofing attack that targets a specific organization or individual by posing as someone they know and trust to gain access to confidential information.
Frequently asked questions
What is spear phishing vs phishing?
Phishing attacks send fraudulent emails to many users at once. These emails often contain generic messages prompting users to “click here!” or follow malicious links designed to capture personal data.
Spear phishing attacks, meanwhile, are targeted toward specific users using information gleaned from publicly available data on business websites or social media profiles. These messages often seem legitimate and are designed to produce an immediate response. One common example of a spear phishing attack is an email supposedly from a C-Suite executive that directs staff to wire money to a specific bank account ASAP.
What are the 3 types of spear-phishing emails?
Three common types of spear-phishing emails include:
- Fake C-Suite emails: These emails appear to come from internal C-Suite executives and ask staff to take a specific action as soon as possible. Email addresses used may seem legitimate at first glance but often include small spelling mistakes.
- Spoofed website emails: These may look like emails from legitimate financial institutions or business partners — right down to the branding, colors, and tone of voice — but actually include links to fake sites that have slightly different URLs from their official counterparts.
- Immediate action emails: These often include notices about accounts being locked or compromised along with instructions asking users to click on email links and “verify” their usernames and passwords, which are then stolen by malicious actors.
What protects from spear phishing?
To protect your business from spear phishing, start with education. Make sure your team is trained to recognize the hallmarks of common spear-phishing attacks and encourage them to report these emails to IT.
Next, deploy security tools capable of automatically detecting emails from unknown sources or those that contain potentially malicious content. Finally, deploy 2FA and MFA solutions that limit attackers’ ability to compromise systems even if they obtain usernames and passwords.
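The misspelled sender addresses and slightly altered URLs described above are something a mail filter can check for automatically. The following is an added example, not code from the original page: it compares each message's From domain against an allowlist using confusable-character folding and edit distance. The domains, the allowlist, the distance threshold of 1 and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of domains the organization really uses (constructed, .example TLD).
TRUSTED_DOMAINS = {"acme-corp.example", "acme-bank.example"}
# Characters commonly swapped in lookalike domains (illustrative, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain: str) -> str:
    """Fold visually confusable characters so 'c0rp' and 'corp' compare equal."""
    return domain.lower().rstrip(".").translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbouring letters
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple[str, str]:
    """Return (verdict, domain); verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    for good in TRUSTED_DOMAINS:
        if edit_distance(skeleton(domain), skeleton(good)) <= 1:
            return "lookalike", domain  # near-miss of a trusted domain: quarantine/report
    return "unknown", domain


SAMPLE_MESSAGES = [  # constructed headers, not real mail
    "From: Dana Lee <dana@acme-corp.example>\nSubject: Q3 plan\n\nbody",
    "From: Dana Lee <dana@acme-c0rp.example>\nSubject: Wire transfer ASAP\n\nbody",
    "From: Support <help@acme-bnak.example>\nSubject: Account locked\n\nbody",
    "From: News <news@newsletter.example>\nSubject: Weekly digest\n\nbody",
]


def triage(raw_messages):
    """Parse each raw message and return (domain, verdict) per message."""
    return [classify_sender(message_from_string(m).get("From", ""))[::-1] for m in raw_messages]
```

A forged From header can also carry the exact trusted domain, so a check like this complements sender authentication (SPF, DKIM, DMARC) rather than replacing it.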