What is Spear Phishing?

Phishing refers to a scam analogous to fishing — hence the name — in which the scammer tries to obtain valuable information by luring or baiting a person with an authentic-looking but phony communication that gains credibility by imitating a well-known corporate brand such as that of a bank, credit card company, etailer, social media site, or payment site. The term originated in 1996. Spear phishing continues the analogy and denotes a specific style of phishing.

Phishing emails are sent out to a wide audience and generally give a dire warning, stating that something bad can only be avoided by the recipient confirming certain information. The information is usually personal and critical, like a Social Security number or your account number and password. A hyperlink in the email takes the recipient to a website where the information is collected, with the result being that the recipient loses a bank account or is the victim of identity theft.

Spear phishing emails differ from phishing emails in several ways. First, they are sent to a carefully targeted audience, like employees of a certain organization, or members of a particular group. Second, the email appears to come from a colleague within the organization or group, and they are often constructed with more care than phishing emails, which may exhibit obvious signs of fakery. Third, the goal is not to simply get a name, password, or credit card information from an individual, but to infiltrate a company’s computer network.

One of the most notable spear phishing attacks, often referred to as “whaling” because of the caliber of the target audience, was a 2008 double whammy attack against around 20,000 senior corporate executives. Two thousand fell for the first attack but only 70 for the second. Both of the attacks masqueraded as an official subpoena to appear before a Federal grand jury, and clicking the link to what was supposed to be a fuller copy of the subpoena actually led to a site where an additional click installed software on their computer that allowed the theft of log-in credentials. The malware in the first case was caught by only eight of the top 35 anti-malware products, and the modified malware was only picked up by 11 of them in the second attack.

There are steps that people can take to avoid spear phishing scams. If one suspects a scam, one should call the person an email appears to be from. One should never click on any links in a suspicious email or open any attachments. It is also a good idea to call one’s IT department or Internet Service Provider (ISP) for guidance. Rather than just deleting suspicious email that may arrive at one’s work, one would do better to report it to the proper person in one’s company.