What is spear phishing? Examples, tactics, and techniques
This news article was originally published on April 11, 2022. It was updated on May 24, 2024.
Spear phishing definition
Spear phishing is a direct, targeted email attack aimed at specific individuals that appears to come from a trusted sender.
In spear phishing, attackers often use information gleaned from research to put the recipient at ease. The ultimate aim is to either infect devices with malware by convincing the recipient to click a link or download an attachment, or to trick the recipient into taking some other action that will benefit the attacker, usually handing over information or money.
Spear phishing messages are crafted with care using social engineering techniques and are difficult to defend against with technical means alone. And they're ruthlessly effective. Although spear phishing emails make up less than 0.1% of all emails sent, or about five emails a day for a typical organization, they are responsible for 66% of all breaches, according to Barracuda's 2023 Spear-Phishing Trends report. By contrast, regular phishing emails comprise 16% of all emails sent but are responsible for just one-third of breaches.
“What’s important to note about spear phishing is that the individual being spear phished isn’t often the real target,” says J.R. Cunningham, CSO at Nuspire, a Michigan-based MSSP. “Rather, their corporate environment is most likely the attacker’s ultimate end goal.”
Phishing vs. spear phishing vs. whaling
Phishing, spear phishing, and whaling are all types of email attacks. Phishing is the broad category, covering just about any use of email or other electronic messaging to trick people; spear phishing and whaling are two of a handful of more specific phishing variants.
Most phishing attacks take the form of generic messages sent automatically to thousands of recipients. They’re written to be somewhat tempting—the attachment might have a name like “salary report,” or the link might be a fake lottery winning site—but no attempt is made to match the message content to any particular person who might be receiving it. The name derives from “fishing” (with the “ph” being part of the tradition of whimsical hacker spelling), and the analogy is of an angler throwing out a baited hook (the phishing email) and hoping some victim will swim along and bite.
Spear phishing, as the name implies, involves attempting to catch a specific fish. A spear phishing email includes information specific to the recipient to convince them to take the action the attacker wants them to take. This starts with the recipient’s name and may include information about their job or personal life that the attackers can glean from various sources.
Whaling is a kind of spear phishing, specifically one that goes after really big fish—think CEOs, board members, celebrities, politicians, etc.
How spear phishing attacks work
Spear phishing attacks don’t just happen out of the blue. Here’s a look at the discrete steps in a typical spear phishing attack.
Infiltration. Spear phishing often begins with the attacker gaining a foothold in an email or messaging system by other means, for instance through ordinary phishing or a vulnerability in the email infrastructure. Once inside, the attacker can move to the next step: reconnaissance.
Reconnaissance. How attackers gather the personal information they need to craft the email is critical, because the entire attack depends on the message being believable to the recipient.
Having gained access to the system, the attacker “sits in the network for a while to monitor and track interesting conversations,” explains Ori Arbel, CTO of CYREBRO, a Tel Aviv-based security operations platform provider. “When the time is right, they email the target using a believable context with insider information, such as bringing up past conversations or referencing specific amounts for a previous money transfer.”
If they can’t hack their way into the communications system, an attacker could also turn to open source intelligence (OSINT), scouring social media or corporate communications to form a picture of their target.
Exploitation. In this stage, attackers use the information they’ve gathered to send the targeted message. When it comes from a legitimate (albeit compromised) account, it passes the recipient’s usual sanity checks as well as the sending domain’s own email authentication, and the reconnaissance lets the attacker closely mimic the sender’s signature and writing style. When no account has been compromised, the attacker falls back on a spoofed or lookalike sender address instead.
Jorge Rey, cybersecurity and compliance principal at Kaufman Rossin, a Miami-based advisory firm, explains a common attack vector he’s seen. “When people make a change to their LinkedIn and identify that they’ve joined Kaufman Rossin, in a matter of hours or even minutes they’ll get an email from our CEO—not from his Kaufman Rossin email, but something at gmail.com—asking them to buy gift cards and things like that.” Of course, this email isn’t coming from the CEO at all, but rather an attacker who’s hoping to catch a new employee off guard. “All of these bots are monitoring LinkedIn, monitoring everything through scripts, and sending information hoping someone will fall for it,” he explains.
If attackers can glean personal information from your online presence, they’ll try to use that to their advantage as well. Nuspire’s Cunningham gives an example of a security-savvy client who nevertheless almost got snared by spear phishing. “They got an email supposedly from their insurance company informing them they had an update on their auto insurance claim and clicked on the link, only to realize right away it was a phishing attack,” he says. “As it turns out, this individual had recently been in a car accident and had published pictures of the wreck on social media, along with a comment that their insurance provider (whom they named) was very quick to respond to the claim. This gave the attacker information about the victim’s insurance provider, which was used to craft the spear phish.”
Cybersecurity company Proofpoint outlines an expanded set of stages, but the important thing to take away is that these are complex, highly targeted, multi-stage attacks, and like all cyberattacks they are constantly evolving.
Signs of spear phishing
Spear phishing can be especially hard to detect because the messages are so tailored to you and your organization—assuming the attackers have done the work to make the email sufficiently believable. But here are a couple of key things to look out for:
- It will ask you to do something unusual or outside corporate channels. After all, that’s the only way to part you from your (or your company’s) money. New employees might have a hard time realizing requests are out of the ordinary, but to the extent that you can, you should listen to your gut.
- It conveys urgency. Yes, in a professional environment we often get legitimate requests to act quickly; but when someone tries to make you rush, that’s a sign they’re not giving you a chance to stop and think.
Spear phishing example
This example was shared with KnowBe4’s Roger Grimes, a former CSO columnist. It was sent to the recipient by name and appeared to come from his email service provider. It has been modified to remove vendor names, graphics, and links, but clearly shows how skillful attackers have become at crafting their messages for maximum impact.
Dear Valued Customer,
We are pleased to announce the go-live date for a new Data Center, scheduled to go live on April 19, 2010.
Please update your firewall rules to allow SMTP traffic on port 25 from the following IP address ranges:
xxx.xxx.xxx.xxx/xx (xxx.xxx.xxx.xxx – xxx.xxx.xxx.xxx)
xx.xxx.xxx.xx/xx (xx.xxx.xxx.xx – xx.xxx.xxx.xxx)
If you have settings on your e-mail server which control the IPs which are allowed to connect for e-mail relay please confirm that those settings are updated as well.
We will be able to test and verify connections one week prior to April 19, 2010. Additionally, we will be proactively running connection tests prior to the launch on behalf of all customers, and contacting you directly if we are unable to connect to any of your domains from ALL specified IP addresses for that domain.
Prior to the launch of the new IP addresses, we recommend that you set up and configure the Deferral Notification alerting feature for your domains using the Deferral Notification option on the Domain properties page in the Admin Center. The Deferral Notification alert feature sends a message to you when a customized threshold has been met or exceeded for deferred e-mail in your domain. After the new IP addresses are launched, this feature will help to ensure that e-mail sent to your domains is not deferred because of unsuccessful connection attempts to your network, and that you are alerted in the event that e-mail is being deferred beyond your acceptable limits. For more information on how to set up the Deferral Notification alert feature, see the Admin Center Guide in the Resource Center.
Please refer to the Configuration subtab of the Administration Center for a complete list of IPs which should be allowed to connect to your environment at any time.
Types of spear phishing attacks
In its 2023 Spear-Phishing Trends report, Barracuda breaks down spear phishing attacks into 5 main types, listed here in order of prevalence:
- Scamming (47%) – As the name implies, scamming attacks use deceptive tactics to trick victims, often into divulging sensitive information or paying money. A recent VISA report found that 15% of US adults have been targeted by inheritance scams, which appeared to come from legitimate sources.
- Brand impersonation (42%) – Brand impersonation attacks, frequently carried out through website spoofing, trick users into thinking they are interacting with known, trusted brands such as social media sites, banks, and well-known tech companies.
- BEC (8%) – In a business email compromise (BEC) attack, best known in its CEO fraud form, the phishing email is crafted to look like it comes from the CEO or another high-profile person in the organization, someone with authority. An oft-cited example is an email appearing to come from the CEO or CFO with an urgent request to wire money.
- Extortion (3%) – An extortion attack is one that relies on threats to intimidate victims into taking a desired action. This includes something like sextortion, where victims are threatened with the release of compromising photos or videos, but it could also be someone purporting to be an IRS agent who threatens arrest if overdue taxes aren’t paid.
- Conversation hijacking (0.3%) – Often used in conjunction with account takeovers, a conversation hijacking attack uses compromised emails to launch attacks. The attacker inserts themselves into a conversation thread, often between coworkers, and then uses the typical phishing tactics to get the victim to download an attachment or click a link.
How to prevent spear phishing
There are some technical measures that help stop spear phishing attacks: turning on multifactor authentication so a phished password alone is not enough, protecting your email domain with SPF, DKIM, and an enforcing DMARC policy so that mail forging your exact domain is rejected, and using anti-phishing tools and services. Those controls have limits, though. SPF and DMARC do nothing against a lookalike domain or a free webmail address like the gmail.com CEO impersonation above, and they do nothing against mail sent from a genuinely compromised account, which authenticates perfectly. The best defense against social engineering attacks like spear phishing is therefore human judgment, and that requires training that keeps users on their toes.
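The SPF and DMARC settings mentioned above are where most domains quietly fall short: an SPF record ending in `~all` or a DMARC record with `p=none` monitors spoofing but does not stop it. The following is an added example written for this page, not code from the article or from any vendor it quotes. It audits SPF and DMARC TXT records for the settings that leave a domain spoofable. The records are constructed samples for the hypothetical domain example.com; in practice you would fetch them with a resolver (`dig TXT example.com` and `dig TXT _dmarc.example.com`) and pass the strings in.

```python
"""Audit SPF and DMARC TXT records for settings that leave a domain spoofable.

Added example, not from the original article. The records below are
constructed samples for the hypothetical domain example.com, not real DNS data.
"""
from __future__ import annotations

import re

# Constructed sample records (hypothetical domain, hypothetical mail host).
WEAK_SPF = "v=spf1 include:_spf.mailhost.example ~all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms/modifiers that each cost a DNS lookup (RFC 7208 caps the total at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF record into its mechanisms and the result applied by 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    all_result = None
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass'
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_result = SPF_QUALIFIERS[qualifier]
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_result}


def assess_spf(record: str) -> list[str]:
    """Return findings that make forged mail from the domain easier to deliver."""
    parsed = parse_spf(record)
    findings = []
    if parsed["all"] is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif parsed["all"] in ("pass", "neutral"):
        findings.append(f"'all' evaluates to {parsed['all']}: SPF authorizes any sender")
    elif parsed["all"] == "softfail":
        findings.append("~all: forged mail is only softfailed, so receivers usually still deliver it")
    lookups = sum(1 for _, m in parsed["mechanisms"] if re.split(r"[:=/]", m)[0].lower() in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10: SPF evaluates to permerror")
    return findings


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value;' pairs from a DMARC record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return findings where the DMARC policy does not actually block exact-domain spoofing."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: exact-domain spoofs are not rejected")
    if tags.get("sp", policy).lower() != "reject":  # sp defaults to p when absent
        findings.append("subdomain policy is weaker than reject: subdomains can be spoofed")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: nobody receives aggregate reports of spoofing attempts")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":  # alignment defaults to relaxed
            findings.append(f"{tag} is relaxed: any subdomain of the organizational domain aligns")
    return findings


if __name__ == "__main__":
    checks = [("weak SPF", WEAK_SPF, assess_spf), ("strong SPF", STRONG_SPF, assess_spf),
              ("weak DMARC", WEAK_DMARC, assess_dmarc), ("strong DMARC", STRONG_DMARC, assess_dmarc)]
    for label, rec, fn in checks:
        print(f"{label}: {fn(rec) or ['no findings']}")
```

Run against the two sample pairs, the "weak" records produce findings (softfail, `p=none`, relaxed alignment) and the "strong" ones produce none. Note what a clean result does and does not mean: it shows that mail forging your exact domain will be rejected by receivers that honor DMARC, but it says nothing about lookalike domains or compromised accounts.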
“A phishing simulation makes a big difference,” says Kaufman Rossin’s Rey. “It’s one thing to go to a PowerPoint and show you a phishing email. It’s another thing to get something in the mail, you click on it, and then you’re being sent to the training. We’ve seen that people do get better at recognizing attacks, because people hate the sensation of clicking on a link and getting a message that says, ‘You’ve been phished.’ It’s much more powerful than a yearly compliance training.” As we hope this article has made clear, it’s better to be embarrassed as part of an unannounced simulation than to fall prey to the real thing.
Tips to prevent spear phishing attacks
- Be skeptical. Ask yourself: Who is this email from? If the sender purports to be your CEO, pay particularly close attention to the request being made, the language used, the actual sending address, and any other signs that the sender isn’t who they claim to be.
- Don’t open unexpected attachments. If you open the email and are prompted to download images or attachments, be especially wary. Malware is often delivered by email attachment. The best policy is to open only attachments you were expecting to receive or can verify with the sender through another channel.
- Question requests for action. If the email is urging you to do something, stop and think before you act. Messages telling you to claim a prize are an old, effective trick; the adage “if it’s too good to be true, it probably is” applies. Spear phishers also play on our desire to be helpful. If your CEO doesn’t normally ask you to wire money, it’s unlikely they’ll start doing so in a random email. Sometimes the request looks more innocuous, such as “IT” telling you your computer is infected and they need to take control of it. The best thing you can do is independently verify any request for action.
- Don’t click links. Almost all phishing emails carry either an attachment to download or a link to click. Hover over the link to reveal the actual URL before clicking; if the visible text shows one address and the hover shows another, or the domain isn’t one you recognize, don’t click. A link whose host is a bare IP address (for example http://198.51.100.23/login) rather than a domain name is almost never somewhere you want to go. Hovering isn’t foolproof, though: shortened URLs, lookalike domains that swap a letter or add a hyphen, and a trusted-looking name placed before an @ sign in the URL (the browser connects to whatever follows the @) all defeat a quick glance.
- Use the phone. When in doubt, go straight to the source. Look up the phone number yourself (don’t use one provided in the email). If the request is legitimate and truly urgent, the CEO will answer your call. If not, well, you just saved your company a huge headache.
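Hovering over a link is the manual version of checks a mail gateway or a triage script can run over every anchor in a message. The following is an added example written for this page, not code from the article or from any vendor it quotes. It extracts the links from an HTML email body and flags the same tells the tips above describe: a bare IP address as the host, visible link text that names one site while the href goes to another, a trusted-looking name hidden in the userinfo before an @, a non-HTTPS scheme, and any host outside an assumed allow-list. The HTML body, the insurer domain and the allow-list are all constructed for the example and use reserved example names.

```python
"""Inspect the links in an HTML email body the way a careful hover would, systematically.

Added example, not from the original article. The HTML below is a constructed
sample; every domain and IP address in it is a reserved documentation value.
"""
from __future__ import annotations

import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: one clean link followed by three suspicious ones.
SAMPLE_HTML = """
<p>Your claim has been updated. <a href="https://portal.insurer.example/claims">View claim</a></p>
<p>Or sign in here: <a href="http://198.51.100.23/login">https://portal.insurer.example/login</a></p>
<p><a href="https://portal.insurer.example@attacker.example/verify">portal.insurer.example</a></p>
<p><a href="https://portal-insurer.example/reset">Reset password</a></p>
"""

# Assumed allow-list of hosts the organization legitimately links to.
TRUSTED_HOSTS = {"portal.insurer.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Return the host a browser would actually connect to (userinfo before @ is ignored)."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def analyze_link(href: str, text: str) -> list[str]:
    """Return the red flags for one link; an empty list means nothing looked wrong."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if is_ip_literal(host):
        findings.append(f"host is a bare IP address ({host})")
    if parts.username:
        findings.append(f"userinfo '{parts.username}' before @ hides the real host {host}")
    # Visible text that looks like a URL or hostname but points somewhere else.
    text_host = host_of(text) if ("." in text and " " not in text) else ""
    if text_host and text_host != host:
        findings.append(f"link text shows {text_host} but href goes to {host}")
    if host and not is_ip_literal(host) and host not in TRUSTED_HOSTS:
        findings.append(f"host {host} is not on the trusted list")
    return findings


def analyze_email(html: str) -> dict[str, list[str]]:
    """Map every href in the body to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyze_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in analyze_email(SAMPLE_HTML).items():
        print(href)
        for finding in findings or ["no findings"]:
            print("   ", finding)
```

On the sample body the first link is clean, the IP-address link trips three checks at once, the @-trick link is exposed because `urlsplit` reports `attacker.example` as the hostname regardless of what precedes the @, and the hyphenated lookalike is caught only by the allow-list. That last case is the point of the allow-list: no syntactic rule can tell `portal-insurer.example` from a legitimate host, so a list of known-good domains is what stands in for the employee's memory of "where we normally log in."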
To read the full article, please visit CSO Online.
Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.