Spear phishing is a phishing attack that targets a specific, named person. It’s a more sophisticated form of the traditional “spray-and-pray” phishing attack. But, just like non-targeted phishing, a spear phishing attack plays on the target’s trust, exploits weak security practices, and can cost a business millions of dollars.
This article will look at the different types of spear phishing, explain how a spear phishing attack works, and explore how common spear phishing is.
If you’d rather learn more about phishing, check out this article: Phishing 101: What is Phishing?
Spear phishing attacks vary according to technique, target, and goal.
Here are some cyberattacks that usually involve spear phishing:
Whenever one of these attacks is targeted at a specific person, it’s considered a spear phishing attack. If the attack isn’t targeted at an individual, we just call it a “phishing attack.”
Struggling to understand the difference? We explain it – in detail – in this article: Phishing vs Spear Phishing: Differences and Defense Strategies.
Most spear phishing attacks arrive via email. In fact, email is the medium of choice for around 96% of phishing attacks. However, cybercriminals also launch phishing attacks via social media, SMS (“smishing”), and phone or VoIP (“vishing”).
But, let’s stay focused and look at a couple of examples of spear phishing attacks. This will help you understand how this type of cybercrime works.
First, the all-too-common “delivery service” spear phishing attack. According to Check Point, shipping company DHL was the second-most impersonated brand in spear phishing attacks throughout Q4 2020. Here’s how a spear phishing email impersonating DHL might look:
There are a few things to note about this spear phishing email:
But don’t be fooled:
The DHL-style scam is a simple but effective form of spear phishing that typically targets individuals.
Wondering what other brands are frequently impersonated? Check out this article (+ infographic!): Phishing Statistics (Updated 2021). Spoiler: LinkedIn, Amazon, IKEA, and Google almost made the top 10.
Let’s look at a more sophisticated example of spear phishing that targets a business instead of a consumer:
There are some similarities between this email and the DHL scam:
But these factors make our second example more persuasive:
Spear phishing is becoming more refined and advanced all the time, so it’s easy to see why people keep falling for it.
If you want help spotting a potential spear phishing attack, we’ve rounded up four red flags here. If you’re a security or business leader, this is a great resource to share with your employees that complements security awareness training.
Rates of spear phishing have been climbing consistently over the past decade. Research suggests that, in 2019:
Note that these statistics refer to the period before the big migration to remote working in 2020. There’s evidence that, as employees have moved into less secure working environments, cybercrime has increased considerably.
Microsoft’s 2021 New Future of Work report found that:
So, what’s the upshot of all this? Spear phishing damages people’s privacy, exposes confidential data, and causes major financial losses.
Want to know how to protect your business against this serious type of cybercrime? Read our article on how to prevent phishing to find out.
Evaluating anti-phishing solutions? Learn more about how Tessian Defender detects and prevents the most advanced spear phishing attacks by reading some of our customer stories or booking a demo.