What is spear phishing

What is spear phishing? To sum it up in one sentence, it is a targeted e-mail fraud attempt that seeks unauthorized access to confidential information from a specific individual or organization. Spear phishing differs from regular “phishing,” with which many of us are familiar, in that it isn’t some random dude behind a computer trying to get as much information from as many people as possible by posing as a large corporation.


It is very much on point, very target-oriented, and has a specific goal in mind, such as trade secrets, military information, or financial gain. Why is spear phishing dangerous? Because we’re trained not to share our own confidential information, like our bank account numbers, with anyone. We’re not so trained to be suspicious of an e-mail request from a network administrator asking us to log into a website to verify a report.


According to Secure Business Intelligence Magazine, Aaron Ferguson, a visiting professor at West Point, recently demonstrated a proof of concept of spear phishing by sending an e-mail to 400 cadets while posing as a colonel. The e-mail instructed the cadets to click on a link to find out their final grades for the classes they were enrolled in, and almost 80% of the cadets clicked on the link. Ferguson said that the click-through rate went down with subsequent attempts, but the point was made: a realistic-looking e-mail with a realistic-looking link is all it takes to convince a majority of people that they aren’t being duped into handing over something they shouldn’t or installing something on their computer that they shouldn’t.


Take the example of a supposed network admin asking the employees of an agency to log into a website they created that mirrors the company’s intranet so they can verify some sort of information. It literally only takes one employee to be duped into believing this is a real issue they must address for the identity thief to obtain that person’s log-in credentials, pose as that employee on the company network, and use social engineering tools to accomplish their specified goals. What’s worse, most company firewalls are not set up to prevent this kind of attack from occurring, nor can they be with current technologies.


What Can You Do?


A majority of spear phishing e-mails end up in your inbox on Fridays or Mondays. How come? Because identity thieves have recognized that those are the days you’re most likely to be duped into believing their e-mail is real. On Mondays, many people are focused on the fact that they don’t like the weekend being over, and on Fridays people are ready to get out of the office and go home. That means the first thing you can do is be aware of your mental state and not open anything if you’d rather be somewhere else than in front of your work computer.


Secondly, it is important to verify anything suspicious. If it is unusual for a network admin to contact you, give your company’s IT department a quick call and ask them what’s going on. It is always better to be safe than sorry, and an IT professional isn’t going to mind that you verified a legitimate e-mail. They’ll really love you if it turns out to be a spear phishing attempt, because then they can send a counter e-mail to all the staff warning of the danger.


Thirdly, always look at the website address itself. Your intranet will have a specific address, and it will often be on a specific internal drive, like an F: drive. A spear phishing attempt will generally send you onto the internet instead of the intranet, and this will show up as a different web address. If anything looks different than normal, close the site and report the issue immediately.
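The address check described above can also be automated on the defender’s side. The following is an added example, not code from the original article: it pulls the links out of an e-mail body and flags any whose host is not exactly one of the organization’s known intranet hosts. The intranet host names and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed intranet hosts for a hypothetical organization (not from the article).
INTRANET_HOSTS = {"intranet.example.com", "portal.example.com"}

# Matches http(s) links in plain-text message bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_link(url: str) -> str:
    """Return 'intranet' if the link stays on a known internal host, else 'external'.

    The host is normalized (lower case, trailing dot and port removed) so that
    'HTTPS://Portal.Example.com.:8443/...' is still recognized as internal.
    Only exact matches are trusted: a longer name that merely starts with an
    intranet host, such as 'portal.example.com.verify-reports.test', is external.
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return "intranet" if host in INTRANET_HOSTS else "external"


def flag_external_links(body: str) -> list:
    """Extract every http(s) URL in an e-mail body and return those not on the intranet."""
    return [u for u in URL_RE.findall(body) if classify_link(u) == "external"]


# Constructed sample message: two genuine intranet links and one that leaves it.
SAMPLE_BODY = """Please verify the quarterly report at
https://portal.example.com/reports/q3 before Friday.
Alternatively use HTTPS://portal.example.com.:8443/reports/q3
or the mirror at https://portal.example.com.verify-reports.test/login"""

if __name__ == "__main__":
    for link in flag_external_links(SAMPLE_BODY):
        print("Report to IT before clicking - external link:", link)
```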


Finally, even though spear phishing attempts account for just an estimated 0.4% of all e-mail generated every day, it is good these days to be suspicious of anything that shows up and falls outside of your normal daily activities. When in doubt, just delete. If it’s something that needs to be done, someone will give you a call and ask if you got the e-mail.


Spear phishing is a serious problem because it targets individuals with a specific goal in mind. By verifying everything that comes your way, you’ll be able to combat a spear phishing attempt when it shows up in your inbox. It’s not just about being careful with your data anymore – it’s about being careful with anything that personally identifies you in any way. It only takes one slip-up on one spear phishing attempt for a lot of trouble to be caused, and it doesn’t have to be you who slips up for your data to be compromised. Educate those with whom you work, because otherwise everyone is at risk.