Phishing vs Spear Phishing: What you need to know

Phishing attacks are often the first wave of attack that leads to destructive data breaches. While email filters can halt large-scale phishing emails, a seemingly personalised email from a recognised sender could slip right through those filters. For this reason, phishing and spear-phishing are effective forms of attack.

Criminals use phishing attacks to collect sensitive data or system access, which is the starting point for their planned attack. What comes next is usually a targeted ransomware attack that encrypts vital business data against your will.

Businesses must educate their staff up to the CEO level on the most common phishing and spear-phishing attacks that are likely to hit their inboxes.

What Is Phishing?

Phishing is a scam in which cybercriminals send fake messages via email or text message that appear to be from a legitimate source. These messages direct recipients to a fake website designed to capture personal information. Alternatively, the message may contain a malicious attachment that infects the user's device with malware.

A phishing attack aims to extract sensitive information from its victims, such as financial information, login credentials, personal details, or other sensitive business data. A phishing attack may also drop ransomware on the user's device, which then spreads, causing untold damage to the device and the network.

Most phishing attacks include links to counterfeit domains that look like real websites, with small changes that escape the eye. These links are often embedded in a message alongside other, legitimate links, making them even harder to spot. These and other techniques help the messages escape detection by human readers as well as by email security filters.

Phishing attacks target millions of individuals and organisations each day. While there are several types of phishing attacks, most have a broad target audience and are deployed to hundreds if not thousands of email addresses at a time. Spear phishing, however, is a form of phishing that narrows to a smaller, more focused target audience.

What is Spear Phishing?

Spear phishing is more intricate than general email phishing because it involves sending a more targeted, well-crafted malicious email or text message to a specific person rather than to groups of people. Cybercriminals use social engineering tactics to tailor personalised emails to the intended recipients.

The email’s subject lines are topics of interest to the targets, which tricks them into reading the message and then clicking on included links or attached files. Or, the attacker disguises themselves as a trustworthy friend or professional entity to acquire sensitive information.

Because of all the time and detail put into a spear-phishing message, it is the most successful form of phishing, accounting for 91% of successful attacks. Because spear-phishing messages are so precisely tailored, even email security filters can miss them. The message appears legitimate and non-threatening, so the recipient unsuspectingly opens it.

The creator of the spear-phishing email gathers some or all of the following details about the victim. All this information is easy to collect from business directory websites like LinkedIn. Another quick search through social media can yield additional personal information that the criminal uses to tweak the spear-phishing email further.

These personal details include the following:

  • First and last name
  • Job title and job description
  • Place of employment
  • Email address
  • Hobbies & interests

All it takes is for one intended recipient to access a malicious link, and the damage is done. Even the savviest of executives can be tricked when the message contains enough valid information.

Spear Phishing vs Phishing: Main differences

As stated, spear phishing is a type of email phishing, though there are some distinct differences. Phishing requires less effort because the criminal sends a single email to a group of people. Because of the broad audience, the email content is generic and is unlikely to dupe many recipients. Standard phishing prevention practices offer adequate system protection.

On the contrary, spear phishing is a customised attack, and the content is focused on the victims. So, the criminal must perform extensive research on the targets to be convincing. For instance, if the target frequents a golf course, the malicious email may contain an offer for a free round of golf with a confirmation link. The victim is motivated by the free offer and clicks the link, downloading malware onto their computer.

Here are some additional variations between general email phishing and spear phishing.

Personalisation

While phishing has a broad audience, spear phishing targets specific people or small teams within an organisation.

Convincing messages

Phishing messages are general and often imitate a bank or a password reset request. With spear phishing, the message is customised to the targets so that it looks convincing.

Automated vs manual attack

Phishing scams are automated, while spear phishing is more manual and tailored.

Examples of Spear Phishing vs Phishing Email

Next, let’s take a look at a typical phishing email compared to a spear-phishing message. First, here is a sample of a bulk phishing email. In this case, the attacker is impersonating Hulu.

Dear Customer,

Someone tried to log in to your Hulu account. If it wasn’t you, please use the following code to confirm your identity. Log in here.

Note that this is a bulk phishing email and doesn’t address the target by name. Because Hulu is a trusted brand, someone will likely click the link.

Next is an example of a spear-phishing attack. Here, the attack is targeted, and the attacker impersonates the target’s colleague; they both work for ‘examplecompany’.

Subject: URGENT
From: Jenn Anderson jenn@examplecompany.com
To: Jonathan Marks jonathan@examplecompany.com

Hi, Jonathan,

I’m at DawnTech preparing for tomorrow’s presentation, and I just spoke with Arnold from the marketing team. He informed me that YOU are featured in the new brochure!

He provided a copy of the brochure (attached), and it seems they have the wrong details for you. Could you please take a look and let me know if you want any changes?

Thank you in advance,

Jenn

In this second example, the attacker exploits a professional relationship and requests a favour, subtly asking for an attachment to be downloaded.

In this final example, the attacker cleverly targets security-conscious individuals with a fake security software renewal order.

[Image: McAfee phishing example email]

These examples show that phishing succeeds through volume, whereas spear phishing succeeds through more sophisticated messaging.

What is the business impact of a Spear Phishing or Phishing attack?

The business impact of an effective phishing campaign is difficult to evaluate. When cybercriminals steal sensitive data with the intent to sell it to your competitor, they often do so without your knowledge.

A more noticeable impact on business operations is a ransomware attack made possible by an initial phishing attack. From that email, malware can encrypt vital business data and demand a ransom payment for the decryption key. Sometimes even cloud data backups are encrypted.

A less obvious repercussion involves your company’s reputation. If your company experiences a data breach, your brand can take a significant hit. Investors may be less likely to support the business. Even if you recover all the data, it’s usually too late to curb the public relations fallout.

Regulatory fines are another problem. Your business may pay steep financial penalties for failing to secure data. Further, mitigating a data breach disrupts day-to-day business operations, taking time and resources away from other business priorities.

How does Phishing lead to a Ransomware Attack?

Simply put, phishing is usually the first step in a ransomware attack. The target receives the phishing email and clicks a link that releases malware into the device. That eventually cascades into the network, unleashing a full-scale ransomware attack.

With the rise of the remote work environment, more and more workers perform most of their tasks online. This has led to a wave of ransomware attacks delivered by email. These emails use relevant subject lines to attract victims. Many include subjects relating to coronavirus.

One of the most damaging attack campaigns is run by a newer ransomware called Avaddon. Over a million messages containing a malicious link have been sent to businesses within a single week. Infected computers show a ransom note demanding bitcoin in exchange for decryption software that supposedly releases the affected hard drive(s).

Other similar email-based ransomware campaigns are targeting businesses worldwide—many claim to be from the department of health or healthcare services with a message regarding COVID-19. Victims are urged to click a link to view an important document or healthcare appointment.

The distribution volume of these phishing emails reaches the tens of millions worldwide. With those numbers, criminals will achieve enough success to make their efforts worthwhile. All it takes is for one or two people to click on a malicious link.

[Image: How phishing leads to ransomware attacks]

How to avoid a Phishing Attack

The best way to defend against phishing attacks is to use an arsenal of security tools. You should have anti-phishing and anti-malware services running on your email servers, as well as the latest antivirus software running on all user devices, including employees’ personal devices if they use them for work. Finally, staff should receive regular security training.

Anti-phishing and anti-malware services will block and quarantine most phishing and malware that arrives via email. Up-to-date antivirus software ensures that any phishing attempts that manage to slip through the email filters will be detected and handled.

Phishing attacks succeed because they look like legitimate messages. So, your staff must be trained to scrutinise all incoming messages, inspect URLs, and note any small mistakes that reveal the email as a fake. Employees need to understand that if they don’t recognise an email address or can’t verify the sender, they should not click on links or other attached content. Furthermore, they should report any suspicious emails to their IT department immediately.

How to avoid a Spear Phishing attack

The surest way to avoid a phishing attack is to train staff never to click links or open attachments unless they are sure the email is legitimate. If the email is asking to verify account details, they must not use the provided link. Instead, staff should be aware that they must always go to the company’s homepage and log in from there to access their account. Any suspicious emails should be reported to the IT department.

Because spear phishing messages are far more deceptive, staff must be more vigilant to avoid falling victim to an attack. Here are some helpful tips on what every individual can do.

Review your online profiles

How much personal information are you posting publicly? Adjust your privacy settings to limit what a potential hacker can see. 

Use smart passwords

Many of us are guilty of using one password or a set of passwords for multiple accounts. The danger here is that if a cybercriminal gets hold of one password, they can use it to access any other account with that password. Your personal and professional passwords should be unique, with random phrases, numbers, and letters.

Update your software

Don’t put off those updates. Whenever a software provider notifies customers of an update, know that the cybercriminal community is aware of it too. They know the best time to attack is just before users install those updates, while the current software version is still vulnerable.

Use common sense when opening an email

Verify that the email addresses of known senders are correct and be suspicious of any message asking you to provide login credentials. Legitimate businesses will never ask for those through email.
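As an added illustration, not part of this article, the following Python script applies the checks recommended above to constructed sample messages: it flags a sender or link domain that sits within two edits of a trusted domain (the "small changes that escape the eye"), and urgency or credential-request wording in the subject or body. The trusted-domain list, cue words and sample messages are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist of domains this organisation expects mail and links from.
TRUSTED_DOMAINS = {"examplecompany.com", "hulu.com"}
URGENCY_CUES = ("urgent", "confirm your identity", "verify", "log in here")

def edit_distance(a, b):
    """Levenshtein distance; a small non-zero value marks a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Trusted domain that `domain` imitates (within two edits), else None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def triage(raw_message):
    """Return the warnings raised for one plain-text email (empty list = no cue)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    warnings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if (hit := lookalike_of(sender_domain)):
        warnings.append(f"sender domain {sender_domain} imitates {hit}")
    for host in re.findall(r"https?://([\w.-]+)", body):  # hosts of embedded links
        if (hit := lookalike_of(host.lower())):
            warnings.append(f"link host {host} imitates {hit}")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(cue in text for cue in URGENCY_CUES):
        warnings.append("urgency or credential-request wording")
    return warnings

# Constructed samples modelled on the article's two examples (not real mail).
SPEAR_SAMPLE = """From: Jenn Anderson <jenn@exmaplecompany.com>
Subject: URGENT

Hi Jonathan, the attached brochure has the wrong details for you."""
BULK_SAMPLE = """From: Hulu <noreply@hu1u.com>
Subject: Someone tried to log in to your Hulu account

Dear Customer, if it wasn't you, log in here: https://hu1u.com/login"""
```

A message that raises no warnings is not proven safe; the script only surfaces the cues a trained reader is asked to look for.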

Finally, ensure that there’s a data protection program at your organisation. A data protection plan combines employee training and data security best practices to prevent data loss due to phishing attacks. Many midsize to large corporations have specialised data loss prevention software installed to protect sensitive data if a user falls victim to a phishing or spear-phishing scam.

Conclusion

Phishing and spear-phishing attacks continue because they are effective. No matter how sophisticated the email filtering or antivirus protocol, enough malicious email makes its way through to initiate ransomware attacks, thus profiting the criminal agent.

Spear phishing, in particular, is challenging to identify due to the customisation. Every user must understand the importance of scrutinising all incoming messages, even those that appear to be from trusted associates. With ongoing training and security software services and updates, vigilance is the best defence against phishing attacks.

Securus Communications is on hand to help you with every aspect of network security. Anti-Phishing, Antivirus, Anti-Ransomware, Immutable Backups, DR, and even staff security training are just a few examples of where we can help secure your network operations.
