
What is spear phishing? Definition and risks


Phishing attacks are a persistent threat in a highly digital world, one that is an ongoing concern for both individuals and organizations. Spear phishing attacks are a subset of these types of cybercrimes that are of particular concern. But what exactly is spear phishing and is it possible to prevent these attacks?

Spear phishing: A definition

While phishing is a general term for cyberattacks carried out by email, SMS, or phone calls, some may wonder what targeted phishing attacks are called. The answer is spear phishing. In the simplest terms, these are highly personalized cyberattacks that target specific individuals or companies. Usually, these attacks are carried out through spear phishing emails that appear legitimate to the recipient and encourage them to share sensitive details with the attacker. Although the goal of spear phishing attacks is usually to steal information such as login credentials or credit card information, some are engineered to infect devices with malware. Often, government-sponsored hackers and hacktivists are the perpetrators of spear phishing scams. However, individual cybercriminals also carry out these attacks with the intention of perpetrating identity theft or financial fraud, manipulating stock prices, committing espionage, or stealing confidential data in order to resell them to governments, private companies, or other interested individuals.

What makes spear phishing scams so successful—more so than standard phishing attacks—is that the attackers conduct extensive research on their intended targets. Using the information they find, they apply social engineering techniques to create exceptionally tailored attacks that dupe the target into thinking they are receiving legitimate emails and requests. As a result, even high-ranking targets within organizations, such as C-suite executives, can find themselves opening emails they thought were safe. These kinds of inadvertent mistakes enable cybercriminals to steal the data they need to attack the targeted network.

How do spear phishing attacks work?

There are essentially five steps to successful spear phishing scams. These are:

  1. Defining the goals of the attack
  2. Choosing the target(s) through preliminary research
  3. Identifying a shortlist of targets and researching them thoroughly
  4. Creating the spear phishing email using the information gathered and social engineering techniques

These targeted attacks work because spear phishing emails create a sense of familiarity with the recipient’s life. Attackers spend large amounts of time and effort to track down as many details of the recipients’ work, life, friends, and family as they can. By scouring the internet and social media profiles on platforms like Facebook and LinkedIn, phishers can find information such as email addresses and phone numbers, a network of friends, families and business contacts, frequented locations, as well as things like the company they work at and their position, where they shop online, which banking services they use, and more. Using all of this information, attackers can build extensive profiles of their potential targets and create spear phishing emails using social engineering techniques that are personalized and appear legitimate because they come from individuals or companies they regularly engage with and contain information that could be authentic.

The email would usually request that the recipient respond immediately with certain details or contain a link where they would have to enter these details on a website that spoofs legitimate sites. For example, the email’s link may direct them to a fake website for their bank or preferred e-commerce site where they will have to log into their account. At this point, the attacker will be able to steal the login details and passwords for their own malicious means. Sometimes, though, the email contains an attachment or link that, when the recipient downloads or clicks, installs malware on their device. The attacker can then use this to steal the information they need or hijack computers to organize them into enormous networks—called botnets—that can be used to execute denial of service (DoS) attacks.

However, it is important to remember that not every internet user or social media profile is a good target for spear phishing. Because it requires more effort than standard phishing, cybercriminals often look for high-value targets. Often, attackers will use automated tools to scour the internet and social media for certain information—such as passwords or PINs—and identify high-value individuals that hold more potential for successful spear phishing attacks.

These scams have become so sophisticated that they are almost impossible for the average person to detect. This is why, although there are no foolproof spear phishing cybersecurity measures, understanding how these attacks work and learning what signs to be aware of can be helpful in avoiding these attacks.

Identifying a spear phishing scam

One of the keys to learning how to prevent spear phishing is to understand the different techniques phishers employ to ensure the success of their attacks. This way, individuals and company employees can be on guard against spear phishing scams. When receiving an email with any of the below red flags, it is important to treat the email cautiously.

  • The email is designed to create a sense of urgency or panic—the email can purport to come from a company manager and urgently require login details to execute a time-sensitive action.
  • The language is designed to trigger emotions—such as fear or guilt—that motivate the recipient to take action.
  • The email address looks incorrect—perhaps the domain is not correct, or the name format is unusual.
  • Obvious spelling and grammar mistakes, especially in emails from big organizations like banks.
  • Asking for sensitive information and personal details.
  • Links that are misspelled, not formatted correctly, or do not match the destination address shown when hovering over the link.
  • Unsolicited attachments, especially those with unusual file names.
  • Use of pretexting, such as saying your login credentials are about to expire and must be changed immediately using the link in the email.
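Several of the red flags above can be checked mechanically before a message ever reaches a person: urgency wording, requests for credentials, a sender domain that merely resembles a known one, link text that does not match the link destination, and risky attachment names. The scorer below is an added example written for this page, not Kaspersky's code or any product's logic; the trusted-domain list, the keyword lists and both sample messages are constructed for illustration. It parses standard RFC 822 messages with Python's email module and returns one point per red flag found, so a mail gateway or a SOC triage script could quarantine or annotate messages above a threshold.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: domains this hypothetical organization corresponds with.
TRUSTED_DOMAINS = ("examplebank.com", "examplecorp.com")
# Wording that mirrors the "urgency" and "asking for sensitive details" red flags.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "right away")
CREDENTIAL_TERMS = ("password", "login credentials", "verify your account", "card number")
# Attachment extensions a gateway would normally treat as suspicious.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".docm", ".xlsm")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike sender domains (examp1ebank vs examplebank)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_domain(host: str) -> str:
    """'login.examplebank.com' -> 'examplebank.com' (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(domain: str):
    """Return the trusted domain that a sender domain closely imitates, or None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def analyze_message(raw: str) -> dict:
    """Score one raw email against the red flags; one point per flag found."""
    msg = message_from_string(raw)
    flags = []
    _, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # Walk MIME parts: collect text bodies and attachment file names.
    body_parts, attachments = [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            body_parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    body = "\n".join(body_parts)
    text = (msg.get("Subject", "") + "\n" + body).lower()

    if any(t in text for t in URGENCY_TERMS):
        flags.append("urgency language")
    if any(t in text for t in CREDENTIAL_TERMS):
        flags.append("asks for sensitive details")
    imitated = lookalike_of(sender_domain)
    if imitated:
        flags.append(f"sender domain {sender_domain} resembles {imitated}")
    # Visible link text shows one site while the href points somewhere else.
    for href, label in ANCHOR_RE.findall(body):
        shown = URL_RE.search(label)
        if shown and base_domain(urlparse(shown.group()).hostname or "") != \
                base_domain(urlparse(href).hostname or ""):
            flags.append("link text does not match destination")
            break
    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment {name}")
    return {"score": len(flags), "flags": flags}


# Constructed sample: a look-alike bank domain, urgency, a credential request,
# a mismatched link and a double-extension attachment.
PHISHING_SAMPLE = """\
From: "Example Bank Security" <alerts@examp1ebank.com>
To: jane.doe@examplecorp.com
Subject: URGENT: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your password expires today. Confirm it at
<a href="http://login.examp1ebank.com/verify">https://www.examplebank.com/secure</a></p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

MZ...
--b1--
"""

# Constructed sample: an ordinary internal message that should score zero.
BENIGN_SAMPLE = """\
From: "Jane Doe" <jane.doe@examplecorp.com>
To: team@examplecorp.com
Subject: Notes from Tuesday's meeting
Content-Type: text/plain

Hi all, the slides are on the intranet at https://intranet.examplecorp.com/slides.
Thanks, Jane
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, BENIGN_SAMPLE):
        print(analyze_message(sample))
```

The look-alike check deliberately compares only against domains the organization already trusts: a distance of one or two edits from a known partner is far more suspicious than an unfamiliar domain, because it is exactly the trick the "email address looks incorrect" red flag describes. Keyword lists and the two-edit threshold are tuning knobs; in production they would be fed from the organization's own contact list and mail telemetry rather than hard-coded.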

What’s the difference between spear phishing and phishing?

While they are both types of cyberattacks, it is important to understand how spear phishing attacks differ from phishing attacks. Both are used by cybercriminals to lure users into sharing sensitive personal information, but essentially, the former are directed attacks that are personalized to the intended target, while the latter are broad attacks intended to “phish” for whatever sensitive data they can dupe users into sharing.

Phishing attacks usually involve generic emails that try to force the receiver to share personal data like passwords and credit card details. The phisher then uses this information for malicious means, such as identity theft or financial fraud. Crucially, phishing attacks are not at all tailored to the recipient. The cybercriminals are essentially trying their luck and going for quantity (sending out a lot of phishing emails) rather than quality (creating phishing emails using more sophisticated techniques that might have a higher chance of success). Usually, these emails impersonate big companies—like banks or e-commerce stores—and contain malicious links that dupe recipients into sharing their data or installing malware on their devices.

Conversely, spear phishing scams are highly targeted attacks that are very personalized to the intended victim. Because they contain details relating to the specific recipient, spear phishing emails appear to be more legitimate—especially since they often come from individuals or organizations that the recipient is familiar with. As such, cybercriminals have to invest significantly more time and effort into launching spear phishing attacks—and are more likely to succeed.

For those wondering what targeted phishing attacks are called, there are two specific subsets along with spear phishing: whaling and Business Email Compromise (BEC).

Whaling attacks are a third type of attack that have many similarities to phishing and spear phishing scams. Whaling specifically targets high-profile individuals such as C-suite executives, board members, celebrities, and politicians. These attacks also use highly personalized emails to attempt to steal financial, sensitive, or otherwise confidential information from companies or organizations and can cause significant financial or reputational damage to the institution involved.

The final type of phishing attack, BEC, impersonates company employees to perpetrate financial fraud on organizations. In some cases, the email may purport to come from a C-suite executive and instruct a lower-level employee to pay a fraudulent invoice or transfer funds to the “executive.” BEC may also take the form of an account takeover, where the attacker hijacks an employee’s email account to get vendors to pay fake invoices or get other employees to transfer money or confidential information.

How to prevent spear phishing

Traditional spear phishing cybersecurity is often not enough to prevent these attacks because they are exceptionally well executed. As a result, they are increasingly difficult to detect. One simple mistake can have severe consequences for the target, whether they are an individual, government, business, or non-profit organization. Despite the prevalence of these attacks—and the sophistication of their personalization—there are many measures that individuals or organizations can implement for spear phishing prevention. While these will not completely eradicate the threat of these attacks, they offer additional layers of security that will make them less likely to occur. Below are some expert tips on how to prevent spear phishing.

  1. Conduct regular checks for suspicious emails, such as those requesting password changes or containing suspicious links.
  2. Use a virtual private network (VPN) to protect and encrypt all online activity.
  3. Use an anti-virus software to scan all emails for potentially malicious email attachments, links, or downloads.
  4. Learn to check the veracity of an email source.
  5. Learn how to verify URLs and websites to avoid opening malicious links.
  6. Instead of clicking links in an email, independently go to the organization’s website and search for the necessary page.
  7. Ensure all software is up to date and running the latest security patches.
  8. Beware of sharing too many personal details online—if necessary, check social media profiles and delete anything that could be used by phishers, and ensure privacy settings are set to the highest levels.
  9. Use a password manager and practice smart password habits, including creating complex passwords for different accounts and changing them regularly.
  10. Where possible, enable multifactor or biometric authentication.
  11. If in doubt about the source of an email, reach out to the person or organization to verify whether they sent it and requested the information being asked for.
  12. Companies can implement security awareness training to ensure employees are aware of the risks of these attacks and how to mitigate them.
  13. Organizations can conduct regular phishing simulations to train employees on how to recognize and deal with suspicious emails.

Spear phishing attacks are not inevitable

Most internet users have a basic understanding of phishing, but it is important to understand the difference between spear phishing and standard phishing. Because spear phishing emails use social engineering techniques that require copious research, these attacks are highly customized for their intended targets and, therefore, have a far higher chance of success than the standard phishing attack. While these attacks will always pose a risk, it is possible to mitigate them. Knowing what warning signs to look out for in suspicious emails, regularly using VPNs and anti-virus software, and being wary of suspicious links and attachments can be helpful in avoiding spear phishing attacks.
