Blog / Scams
16 November 2023
Author: Samir Yawar
7 min read

Spear Phishing vs Phishing: How to Spot Targeted Attacks


Today we will explore spear phishing vs. phishing and how dangerous they can be. But first, let us begin with a story.

Tech Mogul Emily is on top of the world. Her company is releasing the most coveted smartphone on the planet soon. Sales are projected to be in the millions within the first month. She’s got loving fans. She also has envious business rivals who want to replicate her success.

One of her business rivals hires the infamous hacker ‘Malus’ to get a peek at her plans. Malus has one objective: accessing Emily’s phone specs and marketing plans. And since she is no ordinary CEO, Malus must think out of the box to steal the heavily guarded confidential information. To get it, Malus will rely on spear phishing: a slow yet deliberate campaign that aims to trap Emily into letting her guard down.

So what exactly does spear phishing entail and how is it different from regular phishing?

Spear Phishing vs Phishing - What is It?

Phishing is a scam that involves tricking people into giving out personal, professional, and financial information. It is a widespread and generic form of cyberattack where the attacker casts a wide net, sending out mass emails or messages to a large number of people.

Phishing content often uses generic greetings (e.g. “Dear Customer”). It is designed to look like it comes from reputable sources, such as banks, online services, or government agencies, to trick recipients into providing sensitive information like login credentials, credit card details, or personal data. This information is then used to cause financial loss, even identity theft.

Phishing, however, doesn’t discriminate when it comes to victims. Spear phishing, on the other hand, does. 

Spear phishing is the stuff spy thrillers and industrial espionage flicks are made of. This technique targets a specific person, group or business. It can be the IT security guy in charge of the server room, or a big-shot CEO who has company secrets on their laptop.

In this case, Emily is the high-profile target Malus is after.

Phishing

Daniela Oliveira, a renowned cybersecurity expert, says that deception is “as old as human beings, and phishing is deception in cyberspace.”

As human beings, we are used to making thousands of decisions every minute. Most of us take a mental shortcut and make quick, split-second decisions. This is because most humans assume that other people are more likely to tell the truth than to lie, and that assumption makes them easy targets for phishing.

If someone receives an email apparently from their bank requesting personal information to secure that account, most people would believe the email to be legitimate.

Here's a cautionary statistic:

Phishing relies on:

  • Broadly targeted attacks

  • Mass distribution of fraudulent messages

  • Impersonation of trusted entities

Spear Phishing

Oliveira outlines why phishing works. She illustrates this using Nobel-winning psychologist Daniel Kahneman’s two-system model of thinking.

Human beings rely on two thinking models for making decisions:

  • System 1: fast, intuitive and emotional decision-making.

  • System 2: Slow and deliberate decision-making.

We touched on System 1 earlier. Most common phishing scams are designed to exploit impulsive, System 1 actions.

For spear phishing attempts, cybercriminals assume that their targets are a tougher nut to crack: people who rely on System 2, i.e. critical thinking, for their decision-making.

Here’s a story that illustrates how a spear phishing attempt can succeed even against a target using System 2 decision-making.

In 2016, the Hillary Clinton presidential campaign suffered a huge reputational loss. It happened when her campaign chairman John Podesta’s team clicked on a phishing email.

With a simple click, his team inadvertently allowed a foreign country access to politically sensitive information.

Figure: A phishing email sent to John Podesta. John Podesta’s email account gets hacked / Source: WikiLeaks

As you can see, the attackers made the spear phishing email look like the genuine article. They impersonated Google and disguised shady links behind URL shorteners. They also created a sense of urgency that compels the target to take action.

Whoever tried to change Podesta’s password clicked on the shortened URL rather than going to the genuine "https://myaccount.google.com/security" page. The result - his account was hacked.

This level of sophistication makes all the difference between phishing vs. spear phishing threats.

Things to watch out for in spear phishing:

  • Use of social engineering tactics. Cybercriminals do their research, relying on human psychology rather than technical loopholes to find the weakest link.

  • Targeted attacks. The attackers specifically select and research the victim. 

  • Personalized content to deceive victims. To disguise the attack, a spear phishing attempt calls you by name, appearing legitimate to the untrained eye.
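As an added illustration that is not part of the original article, the check below scans a constructed email modelled on the Google-impersonation pattern described above and flags the cues the text lists: a URL shortener hiding the real destination, link text that does not match the link target, urgency wording, and (for mass phishing) a generic greeting. The shortener list, urgency phrases and the sample message are my own assumptions, not data from the page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the real Podesta email): the visible link text shows
# the genuine Google page while the href goes to a URL shortener.
SAMPLE_EMAIL = """Hi John,
Someone just used your password to try to sign in to your Google Account.
You should change your password immediately.
<a href="https://bit.ly/EXAMPLE-shortened">https://myaccount.google.com/security</a>
"""
# Assumed lists; a real deployment would maintain these from threat intel.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
URGENCY = ("immediately", "right away", "within 24 hours", "will be suspended")


class _LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs for every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(body):
    """Return the red flags found in an email body (HTML or plain text)."""
    flags = []
    parser = _LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        if _host(href) in SHORTENERS:
            flags.append(f"shortened URL hides destination: {href}")
        if text.startswith("http") and _host(text) != _host(href):
            flags.append(f"link text {_host(text)} does not match target {_host(href)}")
    lowered = body.lower()
    flags += [f"urgency cue: '{p}'" for p in URGENCY if p in lowered]
    if re.search(r"\bdear (customer|user|member)\b", lowered):
        flags.append("generic greeting (mass phishing, not personalized)")
    return flags
```

Note that the personalized "Hi John" greeting raises no flag on its own; it is the mismatch between the displayed URL and the actual link target that gives the spear phishing message away.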

Key differences between Spear Phishing and Phishing

Impact and Consequences of Spear Phishing Emails

Employing a mix of social engineering and technical hacking skills, Malus manages to gain access to information about the phone Emily is launching in the coming months. He now knows the price and specifications of the phone being launched and the company’s marketing strategy. Becoming a target of industrial espionage through spear phishing ends up costing Emily, and her company, a lot in the next quarter.

Here are some of the consequences:

  • Financial loss - loss of sales as competitors release a better phone for the same price point.

  • Data breaches and theft - the company fires its IT security team after an initial investigation revealed that Emily used the same password over the past year. 

  • Reputational damage to individuals and organizations - Emily’s competitors leak the news about hackers accessing sensitive company information.

How to Protect Yourself from Both Types of Phishing Attacks

Every setback provides an opportunity.

Companies like the one run by Emily can ensure that such breaches don’t succeed in the future. To improve security readiness, organizations should invest in:


Conclusion

McKinsey notes that the number of spear phishing attacks increased nearly sevenfold following the start of the pandemic, highlighting the evolving sophistication and persistence of cyber criminals. According to IBM’s Cost of a Data Breach 2022 report, phishing was the second most common cause of data breaches during that year. The report also found that while phishing attacks had the highest average cost per breach at $4.91 million, the costs of spear phishing attacks can significantly exceed even that amount. In one high-profile attack, spear phishers stole more than $100 million from Facebook and Google by posing as legitimate vendors and tricking employees into paying fraudulent invoices.

Given these escalating threats, it is clear that vigilance and staying informed are essential components of an effective defense against spear phishing. By combining technical safeguards, employee education, and a strong cybersecurity culture, we can fortify our digital landscape and safeguard against the insidious dangers of phishing and spear phishing.

Feel like you're adequately familiar with this particular phishing tactic? Take our spear phishing quiz to find out.

Samir Yawar / Content Lead
Samir wants a world where people can instinctively whack online scams and feel accomplished without the need for psychic powers. As an ISC2 member, he is doing his bit to turn cybersecurity awareness training into a fun concept with simple, approachable and accessible content. Reach out to him at X @yawarsamir
Frequently Asked Questions
Spear phishing and phishing are both types of cyber attacks, but they differ in their targeting and approach. Spear phishing involves highly targeted attacks on specific individuals or organizations, whereas phishing is a more widespread attack that targets a larger number of people.
Spear phishing attacks involve personalized messages that are carefully crafted to deceive specific targets. The attackers often gather personal information to make the messages appear legitimate. Phishing attacks, on the other hand, use generic messages sent to a large number of people, often impersonating well-known companies or institutions to trick victims into revealing sensitive information.
Falling victim to spear phishing or phishing can have severe consequences. It can result in financial losses, data breaches, identity theft, and reputational damage. Attackers may gain access to sensitive information, such as passwords or credit card details, and misuse them for their own gain or sell them on the dark web.
To protect against spear phishing and phishing attacks, it is important to educate employees about the risks, encourage them to be cautious with email communications, and provide regular training on identifying suspicious messages. Implementing strong security measures, such as multi-factor authentication, robust firewalls, and advanced email filtering, can also help mitigate the risks.
There are several best practices to prevent spear phishing and phishing attacks. These include being cautious of unsolicited emails and avoiding clicking on suspicious links or downloading attachments from unknown sources. Verifying the authenticity of emails or requests by contacting the supposed sender directly using a verified contact method is also crucial. Regularly updating software and using reliable antivirus programs can further enhance protection against these types of attacks.