Advanced phishing

What is spear phishing?

by Egress
Published on 10th Sep 2020

How is spear phishing different from phishing?

Essentially, spear phishing can be seen as a more sophisticated form of phishing. Both kinds of attacks attempt to trick victims into volunteering sensitive, commercially valuable information, predominantly through email. But while one phishing email may target hundreds or thousands of users, spear phishing is highly targeted. A cybercriminal engaging in a spear phishing attack is likely to have done research on their victim to appear more legitimate.

As such, a spear phishing attack is likely to seem more genuine than a standard phishing email, and consequently will be harder to spot and avoid. By impersonating a known contact, victims are more likely to divulge sensitive information. Additionally, spear phishing attackers are likely to have a concentrated aim or goal in terms of the kind of information they want to gain from their victims.

Why is spear phishing an increasing threat?

Everyone has access to email, which is why it’s the primary attack vector for spear phishing. Right now, due to changes in remote working as part of the COVID-19 pandemic, we’re all sending more emails to stay in touch with colleagues and communication with external partners and clients has increased. As such, the threat of a spear phishing attack also rises.

This switch to digital communication, more privileged information and sensitive data is being shared through email than it was before. Cybercriminals know this and are keen to target employees who may be sharing this data in unfamiliar ways. It’s also probable that stressed and busy workers are less likely to question why they are sending information over email. This behaviour is incredibly difficult to mitigate – and has only gotten worse with employees changing routines due to remote working, and worrying about the pandemic and subsequent economic downturn. An email that appears to be from a senior figure at work is likely to receive a quick response as employees try to demonstrate productivity– yet, on closer inspection, that email may be a spear phishing attack.

Added to this risk are the complications created by the rise in remote working owing to the COVID-19 pandemic. For most organisations that means a change in normal operating procedures, which might even lead to less stringent security protocols than those in place at the office.

Another major issue is found in onboarding new employees. New starters are likely to want to make a good impression early on, which might mean responding to emails quickly even if they appear unfamiliar. It’s also likely that new employees won’t be familiar with senior figures’ mannerisms or email etiquette, meaning they’re less likely to spot a potential spear phishing attempt.

Are spear phishing attacks getting more sophisticated?

Yes. Spear phishing attacks are getting more sophisticated. As more and more users have become aware of basic phishing attacks and general security best practice, attackers have had to adopt more sophisticated techniques to get the sensitive data they’re seeking.

The most sophisticated cybercriminals are now looking to social media sites such as Facebook and LinkedIn to gather information about their victims before attempting an attack. Some even go so far as to use services found on the dark web to scrape social media on their behalf, all in order to find out personal details to make their spear phishing attacks appear legitimate.

For instance, Bob is far more likely to answer an email referencing details of his colleague Alice, even if it’s from an otherwise unknown source. It only takes a small amount of additional information – say, the fact that Alice and Bob celebrated a work function at a local restaurant recently – to make an otherwise suspicious email seem genuine.

Is it just email accounts that are targeted?

Until recently, spear phishing attackers mostly focused on tricking victims into giving out their information through email. However, ‘smishing’ (SMS-phishing) is becoming increasingly common. Essentially, this is a form of phishing that uses similar sophisticated personalization to scam users into giving out information through text messages.

What is smishing?

Smishing is particularly dangerous as often people are more likely to trust a text message than an email – even if it comes from an unfamiliar number. A simple explanation from a friend that they had changed their contact details might be all it takes to convince a victim that the person they’re talking to is genuine.

An additional form of phishing to be aware of is voice phishing or ‘vishing’. This is an attack where a cybercriminal persuades a victim to share personal details over the phone by pretending to be some form of authority figure. For instance, an attacker may claim to be calling from a victim’s bank and ask for passwords or account numbers for a security check. Of course, the cybercriminal is actually using the details to steal money or commit fraud.

How does spear phishing work?

Spear phishing – both through email and through text/SMS (smishing) – works for attackers by exploiting a sense of urgency, for example asking someone to immediately pay an overdue invoice that’s been previously ‘forgotten about’. Additionally, by manipulating users through pretending to be either a trusted friend, colleague or senior manager, cybercriminals engaging in phishing are able to rely on peoples’ existing relationships to accomplish their aims.

Frequently, spear phishing attacks appear to be legitimate emails from contacts within a victim’s organisation by closely replicating (or attempting to replicate) an internal email address or email style. Finding chains of command is now easier for attackers thanks to job-related social media sites such as LinkedIn. Additionally, many companies publicly publish management charts on their own websites.

Spear phishing techniques can be both complex and very simple. A tactic often used is to replicate the exact style of an organisation’s internal emails, but misspell the company’s name in the email address. This might be as straightforward as ending the address with ‘’ rather than ‘’. Users are likely to only quickly glance at an email address, so will probably miss that this isn’t a genuine internal email.

How can you spot a potential spear phishing attack?

Every spear phishing attack is different, though there are several common features that you need to look out for to avoid falling for a scam.

  • Check the email address
  • Hover over links
  • Question the urgency
  • Don’t bypass security measures
  • Check the tone

Check that the email address is genuine

Often, a spear phishing attack will claim to be from a trusted friend or a colleague. Ask yourself: Does the address (not just the display name) match previous communication? Is it in the same style of other contacts within your organisation? Are names spelt correctly and consistently.

Hover over links

Often, a link containing malware or spyware may be masquerading as a genuine link or as text within an email body. Hover your cursor over any links in emails to check the web address before clicking and if you’re still unsure, navigate there via a search engine instead.

Question the sense of urgency.

A spear phishing attack relies on victims responding quickly without properly questioning what they’re being asked to do. Sometimes this might be a request to urgently share client details ahead of a meeting or even to transfer funds in the absence of a manager. Always question what an email is asking and whether it’s a task that you’d normally be responsible for. In all cases, it’s better to double check with a colleague or manager before potentially making a costly mistake.

Don’t bypass usual security procedures.

An attacker may ask you to share files externally or directly reply with information you’d normally never send over email. Don’t fall for it – a genuine contact is very unlikely to ask you to bypass security measures put in place for protection. And if you do need to share sensitive data via email, make sure you use encryption to keep that data safe – even when you know it’s going to a genuine recipient!

Check the tone and language used is consistent.

It’s likely you’re familiar with the way your colleagues and managers use email communication. If you receive an email that seems out of character, there’s a chance it’s a spear phishing attack – particularly if the language is inappropriate or misplaced.

Trust your gut instinct.

If something feels wrong, it probably is. Keep this checklist in mind and remember to report potential spear phishing attacks to your organisation’s IT security team. It’s better to spend five minutes verifying something than accidentally leaking data to a cybercriminal – and your manager and wider organisation should understand that.

Find out how good you are at spotting a phish - take our Spot The Phish quiz

How can you prevent a spear phishing attack?

As well as maintaining robust security protocols and remaining vigilant towards incoming email, there are software tools you can employ to minimise the risk of a spear phishing attack.

  • Spam filters
  • Malware detection
  • Staff training
  • Robust reporting procedures
  • Employ intelligent email security

Spam Filters

These should be set up in the interface of your Outlook (or whichever other email server you use). Spam filters sort potential spam and phishing emails into a separate inbox for you or your IT admin to review aside from your primary messages.

Malware detection.

Make sure your anti-virus and security software is fully up to date to protect against malware contained within spear phishing attacks.

Staff training.

All of your staff have access to email, so any of them could be a victim of a spear phishing attack. It’s important to make sure they’ve all received thorough training in how to spot a potential phishing or spear phishing attack. This should be a priority for any new employees as part of their onboarding process. 

Robust reporting procedures

If an employee is targeted by an attack, it’s important that there’s a reporting procedure in place to prevent a future spear phishing attack from the same source. Make sure employees know how to safely report phishing and spear phishing attacks without falling victim to them. And if they do make a mistake, you need to have a workplace culture that empowers them to come forward as soon as possible, so you can deal with the problem – rather than them hiding it and allowing it get even bigger.

Employ an intelligent email security solution.

Tools such as Egress Prevent use contextual machine learning to help stop email data breaches (like responding to spear phishing emails) without affecting productivity, while Egress Defend delivers real-time teachable moments through technology to improve email security behaviors and reduce risk for the long term.