Social engineering and spear phishing are often the primary means by which attackers infiltrate modern corporate networks. While phishing attacks have been around for a long time, spear phishing is a newer type of attack.

You may have heard both terms being used, but are you familiar with the difference between the two?

Traditional phishing

Traditional phishing attacks are usually conducted by sending malicious emails to as many people as possible. The attackers know that the more people they reach, the more people are likely to fall victim. It is therefore not unusual for phishing attacks to target thousands, or even millions, of people at once, regardless of where they live or work. To fool, trick or attack the victims, the phishing email usually appears to come from a trusted source, for example a bank or someone the victims may know.

The phishing message will often try to lure the victims into opening an infected attachment, or into clicking on a link that will take them to a malicious website. The attacker will then attempt to infect and take control over the victims’ computers or to harvest their usernames and passwords.

Spear phishing

A spear phishing attack will also appear to come from a trusted source. However, unlike a traditional phishing attack, a spear phishing attack is highly targeted. The message is sent to only one person or a few carefully selected individuals. The overall goal of the attack determines who is selected as an intended victim.

Before crafting the message, the attacker will research the intended victims’ social media profiles, such as LinkedIn, Twitter and Facebook, and use them to build a profile of the victims’ life, work and interests. This profile is used to create a highly customized message that comes across as credible and relevant to the victim. In addition, the attacker will gather information about the victims’ friends and colleagues, such as their names and email addresses, in order to make the email appear to have been sent by one of them.
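As an added illustration, not part of the original article, of how a defender can catch the colleague-impersonation trick described above: a small Python triage check that flags a message whose From display name matches someone in the staff directory but whose address is not that person's, or whose Reply-To points to a different domain than the From address. The staff directory, domain names and sample headers below are constructed for this example.

```python
import re
from email.utils import parseaddr

# Constructed sample data: an internal staff directory (display name -> address)
# and a few From/Reply-To header pairs. None of these are real people or domains.
INTERNAL_DOMAIN = "example-corp.test"
DIRECTORY = {
    "Alice Johnson": "alice.johnson@example-corp.test",
    "Bob Lee": "bob.lee@example-corp.test",
}
SAMPLE_MESSAGES = [
    # 0: genuine internal mail
    {"From": "Alice Johnson <alice.johnson@example-corp.test>", "Reply-To": ""},
    # 1: colleague's name on an outside mailbox (display-name spoofing)
    {"From": "Alice Johnson <alice.johnson@freemail.example>", "Reply-To": ""},
    # 2: From looks internal, but replies are diverted elsewhere
    {"From": "Bob Lee <bob.lee@example-corp.test>", "Reply-To": "bob.lee@mail-example.test"},
    # 3: ordinary external sender, no directory match
    {"From": "Newsletter <news@vendor.test>", "Reply-To": ""},
]


def normalize_name(name):
    """Collapse whitespace and case so 'alice  JOHNSON' matches 'Alice Johnson'."""
    return re.sub(r"\s+", " ", name).strip().casefold()


def domain_of(address):
    """Return the lowercased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].casefold() if "@" in address else ""


def assess(message, directory=DIRECTORY):
    """Return a list of reasons the message looks like colleague impersonation.
    An empty list means none of the heuristics fired."""
    reasons = []
    display, addr = parseaddr(message.get("From", ""))
    known = {normalize_name(n): a.casefold() for n, a in directory.items()}
    expected = known.get(normalize_name(display))
    # Heuristic 1: a known colleague's name, but not their registered address.
    if expected and addr.casefold() != expected:
        reasons.append(f"display name '{display}' is a colleague but address is {addr}")
    # Heuristic 2: Reply-To silently redirects the conversation to another domain.
    reply_to = parseaddr(message.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append(f"Reply-To {reply_to} uses a different domain than From {addr}")
    return reasons


def triage(messages):
    """Map each message index to its list of reasons; only flagged messages are kept."""
    return {i: r for i, m in enumerate(messages) if (r := assess(m))}
```

Running triage(SAMPLE_MESSAGES) flags messages 1 and 2 and passes the genuine internal mail and the unrelated external sender; a real deployment would feed the directory from the identity provider and treat the result as a signal for review, not a verdict.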

Because spear phishing attacks are highly targeted and customized, they are far more likely to succeed than traditional phishing attacks. This is concerning, as spear phishing attackers usually have very specific goals. Typical goals are accessing highly confidential information or corporate business secrets. A company can also be targeted as a stepping stone for gaining access to another company. A small company may therefore be just as prone to a spear phishing attack as a larger one. In both cases the result may be substantial revenue loss or a damaged reputation.