You plop down in your cubicle after a long weekend and see that you have a new email.
It’s from your boss, though it’s not his work email. A little strange, but maybe he was using his personal computer when he sent it — oh, well.
He mentions how impressed he is with your work on the new project and asks you to review an attachment before your next meeting. There’s a PDF attached, so you download it and look it over.
The next day, you see your boss in the office and let him know that you read the PDF. He looks at you confusedly, like you’re from Mars.
Weird, but maybe he just hasn’t had his coffee yet. You’re doing your job, and that’s what matters.
A couple of days later, a memo goes out: there’s been a data breach. Employee credentials, confidential client information, financial documents, the works — all of it’s up on the dark web.
And when you’re called into an urgent meeting with your boss and the IT guys, your stomach sinks. You have a feeling you know who caused the data breach: you.
That fishy email you got was more than just fishy — it was phishy. Spear-phishy, to be exact.
A sophisticated attacker gathered information about you and used it to convincingly impersonate your boss.
When you downloaded that attachment, it secretly installed malware on your computer, which in turn stole your company’s data.
And thus, you became a victim of spear phishing. You’re not alone, either: 95% of successful cyberattacks on businesses involve spear phishing.
So just what is spear phishing, and how is it so effective? And most importantly, how can you protect yourself from it?
We’ve got the ultimate guide to spear-phishing right here — let’s dive in.
What Is Spear-Phishing?
Spear phishing refers to a specialized cyberattack targeted at a particular individual or organization.
The attacker attempts to obtain data like passwords, credit card numbers or files from the target. This is done using digital communications channels like email, IMs and social media.
A spear phisher will pretend to be someone trustworthy, such as a bank, coworker, client or associated company. They’ll gather information about you and include it to boost their believability.
If they’re convincing enough, you’ll send them the information they want. Or you may open a link or attachment containing malicious code, thus giving them secret access to your data.
Either way, the basic structure of a spear-phishing attack is the same. You’re targeted, sweet-talked and tricked into giving an impostor your personal or corporate data.
Phishing Statistics
- 0.4% of all phishing attacks involve spear-phishing
- Over 90% of targeted attacks involve spear phishing
- 95% of successful enterprise attacks involve spear-phishing
- Per a survey by Vanson Bourne, enterprises reported a financial cost of $1.6 million per spear-phishing cyber-attack
- 94% of spear-phishing attacks rely on common email attachments
- 64% of infosec professionals were targeted by spear-phishing in 2018
- 93% of organizations cite phishing as a top threat
Spear Phishing Examples
We discussed an example of spear phishing at the beginning of the article.
But that’s far from the only form a spear-phishing attack can take.
You might receive a Facebook message from someone whose name and profile picture you recognize. They may chat with you a bit about your shared alma mater, recalling names of your former classmates and commiserating over old teachers.
Then they’ll send you a link to a file on Google Drive, claiming it’s a video from your school days. You open it, and it doesn’t play, so you tell your “friend” — and never hear back.
That file actually installed a piece of malware on your computer.
It scanned your hard drive for passwords, encryption keys, and other sensitive information, then forwarded it to your “friend.”
Needless to say, that wasn’t actually the person you knew. It was a scammer cleverly impersonating your actual friend with stolen profile photos and publicly-available info.
Some spear phishing scams are more direct, playing on your fears and insecurities rather than camaraderie.
You may get an email from your supervisor, written with his particular typing quirks and habits. It might mention a real client you’re working with, who is very upset that you still haven’t wired those funds over.
The message implies that you’re facing disciplinary action for not doing your job and instructs you to wire money to an account immediately.
It’s believable and terrifying, so you do what it says before it occurs to you to speak with your supervisor directly.
And just like that, you’ve sent corporate funds to a spear phisher.
Spear Phishing vs. Phishing vs. Whaling
So how does spear phishing differ from other types of attacks, like phishing and whaling?
We usually associate phishing with Nigerian prince scams and fake Microsoft emails. But those attacks use the “spray and pray” approach: reach as many people as possible and hope that a couple of them fall for it.
You won’t see that Nigerian prince mentioning your full name, phone number, address or other personal information. Those emails are totally generic and sent to thousands of people at a time.
The scammer doesn’t waste time trying to convince you of anything. Rather, they’re banking on only the most gullible or uninformed recipients responding to the message.
If we think of regular phishing as casting a big net and catching a few unlucky victims, the term “spear-phishing” makes more sense.
A spear phisher selects a specific target, observes it for a while and strikes with precision when the moment is right. The attack is tailored specifically to a single entity.
Regular phishing attacks can target anyone, often ensnaring individuals. But they tend to be less effective against companies and others with strong security measures in place.
Conversely, most spear phishing attacks target businesses, governments, and other organizations. These tend to have more resources than individuals, making for more lucrative attacks.
So spear phishing is a subtype of phishing that involves specific targets and individualized attacks.
But there’s a subtype of spear phishing that’s even more specialized: whaling.
Whaling refers to spear-phishing an organization’s most high-ranking or important officials. Capturing one of these big players can net the attacker a fortune’s worth of money or data.
These potential rewards are incredibly enticing to spear phishers. Attacking lower-level employees may seem easier, but the payoff simply isn’t as high.
A company’s CFO or CEO may be much more difficult to reach — and even more difficult to fool. They’ve often got extra layers of security and tend to be more vigilant about avoiding scams.
But ironically, this confidence can make them complacent and thus even more susceptible to attacks. In one experiment, 75% of CEOs fell for at least one whaling attack.
Whalers tend to be highly skilled at both hacking and social engineering. They’re confident enough in their abilities to take the risk and attempt to harpoon a whale.
How Does Spear Phishing Work?
We’d all like to think that we’d never fall for a scam of any kind, including spear phishing.
But the fact is that spear phishers are incredibly adept at what they do. Their techniques are sophisticated, clever and could fool just about anyone under the right circumstances.
To truly understand spear phishing, we’ll have to get into the mind of a spear phisher. Sure, there are more pleasant places to be, but it’s critical to grasp just how spear phishing works.
Step One: Picking a Target
All spear-phishing attacks start with selecting a target. The process for doing so depends on who, exactly, is performing the attack.
Many spear phishers work on behalf of governments or other organizations, such as rival corporations. The goal in these cases is usually to gather intelligence or confidential data, not money.
So these spear phishers will target people who possess the information they desire. If the goal is to obtain a company’s client list, for example, the attacker may look at the company’s leadership page and single out account executives.
Independent spear phishers are more likely to pursue money.
Sometimes, they do so by stealing data from their targets and selling it to rival businesses. Other times, they simply take money directly from their victims.
These attacks are more likely to begin with an element of chance.
An attacker may browse a preexisting data breach, look into several potential targets and select the ones that seem most likely to fall for the scam. Users with terrible passwords, for instance, probably aren’t very vigilant about their security.
Step Two: Reconnaissance
Once a target is selected, the spear phisher needs to do some research.
Chances are, their victim isn’t going to fall for a generic “click this link” or “send money here” email. They’ll need to be lulled into a false sense of security first.
Including personal information in spear-phishing messages makes the spear phisher more likely to succeed. The victim will automatically trust the attacker more if it appears that they already know each other.
So the attacker will begin digging through the internet for information about the target.
Social media profiles can reveal background, family, friends, interests, life events and location details. All of these can be used to make conversation, enhance believability and even subtly extort the victim.
Obviously, public profiles are best. But even if the target’s profile is private, friends’ public profiles can still reveal a lot about the target.
Company websites are also fantastic sources of valuable information. Staff pages let the attacker construct an employee hierarchy to more persuasively impersonate coworkers or supervisors.
And if those pages have emails listed for each employee, even better. The attacker now knows which email addresses to spoof when communicating with the target.
Attackers also look for companies with IT job openings. Such job listings typically contain a lot of information about the company’s security and network infrastructures.
For instance, a job posting may require experience with a particular antivirus program or hardware model. That tells the attacker to structure their attack around those things, perhaps exploiting vulnerabilities unique to them.
LinkedIn is also a fantastic source of corporate information. If enough employees have profiles, the attacker can use it to put together a near-complete picture of the company.
All of this information helps the spear phisher structure their attack. Every target is different, so this step is crucial to designing a successful phish.
Step Three: Readying the Spear
Once the spear phisher is satisfied with the information they’ve collected, it’s time to carry out the attack.
If the goal is to steal information with malware, the target will need to be tricked into installing it.
This is generally done with an email or IM attachment, or via a cloud sharing site like Dropbox or Google Drive. The file is typically a PDF, spreadsheet or document.
These common file types can be exploited to contain malicious code, though they look like regular files. Many people simply don’t suspect that a normal-looking DOC file could be hiding malware.
So the spear phisher impersonates a friend, coworker, client or other trusted person. This often involves spoofing an email address or profile belonging to the real trusted person.
Spoofed emails may use the old character-replacement trick (“tom65” becomes “tonn65”). But many attackers set up their own mail servers so the message appears to come from the impersonated person’s real address.
The message may include some of the personal information gathered in step 2: “By the way, how’s David? He’s turning 10 soon, right?”
And it’ll include an attachment or a download link for a file that seems relevant to the conversation. It could be a business document, forms, reports — anything the target is likely to click on.
Often, the file actually contains what it claims to (or at least looks like it does). But once the file is opened, the malicious code begins to run, installing malware that will steal the desired data.
If the attack doesn’t involve malware, the spear phisher will attempt to elicit information directly from the target.
This may involve longer conversations to lower reservations and establish trust.
Or it may involve creating a sense of urgency so the target acts before thinking it through.
The spear phisher may pretend to be a friend or family member in trouble. They’ll beg the target to send them money to get out of an emergency situation.
Or the attacker may impersonate a supervisor or company executive and angrily demand documents or information.
How Well Does Spear Phishing Work?
There’s a lot of work that goes into carrying out a spear-phishing attack. Is it really worth all the effort?
The answer is a resounding yes.
Spear phishing makes up just 0.4% of all cyberattacks.
In the business world, spear phishing is the predominant method of attack. As we discussed earlier, 95% of successful enterprise attacks incorporate spear phishing.
A surprising number of these are whaling attacks: 27% of spear-phishing attacks target CEOs and 17% target CFOs.
And according to cybersecurity company Symantec, 65% of hacking groups rely primarily on spear-phishing (PDF link).
Spear phishing is incredibly costly to deal with: on average, spear-phishing victims lose $1.6 million per incident. This includes legal fees, lost revenue and administrative costs as well as money taken by the attackers themselves.
Why Is Spear Phishing So Effective?
Spear phishing plays off of people’s emotions, primarily trust, fear and compassion.
When someone holds a position of authority over you, you’re more likely to do what they say without questioning it.
That’s because you trust them to know what to do — and fear repercussions if you don’t cooperate.
So when you receive an email from your boss telling you to read a document ASAP, you’re likely to do it without too much hesitation. You don’t want to get in trouble for not following instructions or questioning authority.
And if your supervisor emails you with an impatient tone and demands an important document, you’ll probably just send it. You probably won’t even notice that the “m” in his email address has been replaced with “nn.”
The same goes for more personal spear phishing attacks.
You may fear that your friend will get mad at you if you don’t send them money or give them your Facebook password. But you also trust and care about your friend and want to help out — that’s what friends are for.
Or maybe you receive an email from your bank telling you that you need to verify your address immediately. It contains your real address, but you need to log in to verify it.
You trust your bank with your money, and you fear not being able to access it. So you click the link and give the spear phisher your banking credentials.
With a little time and research, a spear phisher can figure out just how to invoke your strongest emotions. And once they’re in play, they can be used to give the spear phisher exactly what’s wanted.
This emotional manipulation is part of a skill known as social engineering. It could be argued that spear phishers aren’t so much hackers as social engineering experts.
After all, hardly any equipment is needed to carry out a spear-phishing attack.
A computer, the internet, an email server, and possibly some malware are usually all that’s required. The latter may not require much technical experience, either — it’s easily purchased from the dark web.
What Are Some Successful Spear Phishes?
Many recent high-profile data breaches and corporate hacks are the results of spear phishing. Here are a few notable cases and the lasting impacts the attacks have had.
Alcoa, Westinghouse, and Others
Alcoa, United States Steel, Westinghouse, and several other American companies were hit with a spear-phishing attack from a most curious source: the People’s Liberation Army of China.
Beginning in 2008, China used spear-phishing to steal trade secrets, emails, nuclear facility plans, network credentials and even server access from these companies.
Employees would receive emails from colleagues or company directors containing attachments and links. The attachments often purported to be meeting agendas and other innocuous documents.
But once the links were clicked, China’s malware would begin to steal massive amounts of data.
All in all, China stole over 1.4GB of data (or 700,000 pages of emails and attachments) from Westinghouse between 2010 and 2012. From Alcoa, they took almost 4,000 emails and attachments, many of which discussed acquiring Chinese businesses.
China also spear phished the network credentials for almost every employee of Allegheny Technologies, a defense firm.
Epsilon
Email provider Epsilon became the victim of spear-phishing in 2011.
Attackers hid malware in online greeting cards and targeted Epsilon employees with access to the company’s email database. The malware disabled the employees’ antivirus programs, installed keyloggers and enabled remote access.
From there, the attackers were able to steal emails from around 75 different companies that used Epsilon for their emails. This amounted to hundreds of thousands of email addresses.
Conservative estimates put the cost of this spear-phishing attack at $637.5 million.
And worst-case estimates place the cost at $4 billion, which would make it one of the most expensive spear-phishing attacks in history.
City of Ocala, Florida
In September 2019, the city of Ocala, Florida, received an email from a contractor it was working with. The contracting firm requested that its banking info be changed, and included the new account information.
A month later, the contractor submitted its invoice to the city, requesting a total of nearly $750,000. So the city sent those funds to the new bank account from the September email.
There was just one problem: that email didn’t come from the contractor.
It was a spear phisher — one who was now $750,000 richer.
Ocala eventually reclaimed $717,000 of the stolen funds; the remaining amount was unaccounted for. Presumably, the spear phisher had already taken a portion of the money out of the account.
The investigation is still ongoing, with no public details available. It’s unclear whether there are any leads as to the spear phisher’s identity or whereabouts.
How Can I Protect Myself from Spear Phishing?
We’ve got some bad news to get out of the way before we continue: spear phishing is not easy to avoid.
Spam filters are pretty good at catching fake bank and Nigerian prince emails. These generic phishing attacks can be detected by automated systems as they tend to be very similar to each other.
But spear-phishing emails are different.
Often, they include personal information that appears in legitimate emails you get — your name, interests, plans, and acquaintances.
In some cases, they can be indistinguishable from non-phishing emails. So if they’re not easily detectable, what can you do?
Well, you’ll need to get smarter about security overall. Rather than watching out for spear phishing specifically, practice better security in all aspects of your digital life.
It’ll keep you alert for spear phishing messages and protect you better if you do receive one. And you’ll improve the rest of your online safety as well.
Lock Down Your Internet Presence
Spear phishers depend heavily on your publicly-available information to design their attacks.
They harvest as much as they can from your social media profiles. Then they use that information to give a more convincing performance as someone you know.
So it stands to reason that the less information they have on you, the less likely they’ll be able to fool you.
Making your social media profiles private is one of the best things you can do for your security, period. But it’s especially important if you want to avoid spear phishing.
But don’t just lock down your Facebook and Instagram. Check your company and school websites for any mentions of you or your contact info, too. If you find any, request that they be removed.
Never Open Unknown Links or Attachments
Coworker sent you a spreadsheet to review? Dad sent you a link to a supposedly funny video?
Stop! Don’t click anything — you’d be amazed at where malware can hide these days.
Always double-check the sender’s email address before opening any links or attachments. Look carefully for switcheroos like “0” instead of “o” or “1” instead of “l” — spear phishers often use these tricks.
Even if the email address checks out, that doesn’t mean it’s safe. Remember: spear phishers can spoof email addresses perfectly with the right tools.
If you get an attachment or link, contact the sender via some other means before clicking it. A quick text, phone call or in-person chat should confirm that the email was legitimate.
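The sender checks this section describes (and the “tom65” to “tonn65” swap mentioned earlier) can be made mechanical. The script below is an added example, not code from the original article: it reads a raw message, collapses the lookalike characters the article names (“nn”/“rn” for “m”, “0” for “o”, “1” for “l”) so a disguised address compares equal to the trusted one, flags a display name that belongs to a different contact, a Reply-To pointing at another domain, and a failed SPF/DKIM/DMARC verdict in the Authentication-Results header. The contact list and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed contact list: trusted address -> the display name you know the person by.
KNOWN_CONTACTS = {
    "tom65@example.com": "Tom Reed",
    "dana.lee@example.com": "Dana Lee",
}

# Character swaps the article mentions, plus two of the same kind ("rn"/"vv").
# Multi-character entries must be applied before the single-character ones.
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalize(addr):
    """Collapse lookalike characters so tonn65@exannple.com compares equal to tom65@example.com.
    Both the trusted and the incoming address go through this, so the comparison is symmetric;
    a genuine name containing "nn" collapses too, which is the price of catching the swap."""
    addr = addr.strip().lower()
    for fake, real in CONFUSABLES:
        addr = addr.replace(fake, real)
    return addr


def auth_results(header):
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header (empty dict if absent)."""
    if not header:
        return {}
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def check_sender(raw_message, contacts=KNOWN_CONTACTS):
    """Return a list of (code, detail) findings; an empty list means nothing looked off."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    findings = []

    if from_addr not in contacts:
        # 1. Address is one character swap away from someone you know.
        norm_from = normalize(from_addr)
        for trusted in contacts:
            if normalize(trusted) == norm_from:
                findings.append(("lookalike-address", f"{from_addr} resembles trusted {trusted}"))
        # 2. Familiar display name, unfamiliar address.
        for trusted, name in contacts.items():
            if display and display.strip().lower() == name.lower():
                findings.append(("display-name-reuse",
                                 f"'{display}' is the name you know for {trusted}, but the address is {from_addr}"))

    # 3. Replies silently routed to a different domain than the one shown in From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rsplit("@", 1)[-1] != from_addr.rsplit("@", 1)[-1]:
        findings.append(("reply-to-mismatch", f"replies go to {reply_to}, not the From domain"))

    # 4. The receiving server's own verdict on whether the sending server was allowed to use that domain.
    verdicts = auth_results(msg.get("Authentication-Results"))
    failed = [f"{k}={v}" for k, v in verdicts.items() if v != "pass"]
    if failed:
        findings.append(("auth-failure", ", ".join(failed)))
    return findings


# Constructed sample: the boss's name, a swapped address, a foreign Reply-To, failed SPF.
SUSPECT_MESSAGE = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=tonn65@exannple.com; dkim=none
From: "Tom Reed" <tonn65@exannple.com>
Reply-To: tom.reed.personal@mail.example.net
To: you@example.com
Subject: Please review before Thursday

Attached is the PDF for the meeting. Great work on the new project!
"""

# Constructed sample: the real contact, authenticated by the receiving server.
CLEAN_MESSAGE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=tom65@example.com; dkim=pass header.d=example.com
From: "Tom Reed" <tom65@example.com>
To: you@example.com
Subject: Agenda

Agenda for Thursday attached.
"""

if __name__ == "__main__":
    for code, detail in check_sender(SUSPECT_MESSAGE):
        print(f"[{code}] {detail}")
    print("clean message findings:", check_sender(CLEAN_MESSAGE))
```

Run it as a script and the suspect message produces four findings while the clean one produces none. Note that an attacker who controls a lookalike domain can make SPF and DKIM pass for that domain, so the authentication check only catches plain forgery of the real domain; the lookalike comparison is what catches the swapped-character case, which is why the two checks are kept separate.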
Don’t Reuse Passwords
Hopefully, you never fall for a spear-phishing attack. But if you do, you’ll be much better off if your passwords are all unique.
Once a hacker gets one of your passwords, they’ll try it on every site they can. If you reused the password for another account, that account is now compromised, too.
And if that account happens to be for your bank, email, school or other important business, the damage could be massive.
Use a different password on every website to minimize the extent of any potential spear-phishing damage. A password manager like Bitwarden or KeePassXC can help you keep track of them all.
Use Quality Security Software
Antivirus programs are excellent at blocking regular phishing sites, but spear-phishing is a whole different ball game. After all, antivirus programs are designed to catch other programs, and spear phishing is far more personal than a program.
The best antivirus in the world won’t protect you from spear phishers and other skilled social engineers. But it’s still critical that you use one, especially on Windows and Android.
If you’re a victim of a different malware attack, your information is probably out there in the sketchiest parts of the internet. And that makes you more vulnerable to future attacks, including spear phishing.
In addition to antivirus software, we recommend using a VPN.
VPNs encrypt your internet traffic and let you hide your IP address from the sites you visit. This protects you from many types of hackers and other snoops, including your ISP and government.
Many VPNs also come with server-side malware and phishing blockers. These don’t cover spear phishing, but they’ll stop you from visiting malicious sites or downloading infected files.
Bottom line: no software can fully protect you from spear phishing. The onus is on you to practice good security and be aware of all the potential threats out there.
But using a good antivirus and VPN will go a long way towards stepping up your security. You need to know how to defend yourself no matter what — but having strong armor always helps.
So in short, spear-phishing is a sophisticated, targeted attack commonly used against companies and high-profile individuals. The attacker pretends to be someone you trust in order to steal data or money from you.