Spear-phishing attacks are carried out over a standard channel: email. They look like ordinary emails. The body may carry a link or an attachment. The main objective is to persuade you to share something about yourself, specifically your personally identifiable information (PII).
Spear phishing is deliberate. The phishers have done their research, normally through social engineering. They may already know your name, your hometown and your workplace, information easily obtained from social media. That piece of personalized information makes the email more credible.
Spear-phishing emails succeed simply because they are believable. People pay attention to only 3% of their spam, but to 70% of spear-phishing emails. A 10-email phishing campaign has a 90% chance of catching the target with a clicked link or an opened attachment.
Unless you recognize a spear-phishing attack, you may never know you are losing information until it is too late. By homing in on a specific person, attackers can eventually reach critical data, directly or indirectly: computer passwords, work credentials, bank accounts, and so on. Spear phishing is only one step in a larger, more serious attack.
Everyone can be at the center of a spear-phishing attack, whether they click on an unsolicited survey by mistake or are swindled by a fabricated alert from their bank. Even if an attacker does not want your data in particular, you can be their key to a secured computer system that stores the PII of people they are interested in, or other crucial data such as financials. In that sense, we are all responsible for the safety of our own PII as well as of the business systems we use. If you work in finance, you have access to sensitive company data. If you work in sales, you have access to customer and lead databases. Everybody is useful to a phisher; there is always something they can use you for.
Spear-phishing emails are created for a specific individual, in most cases by a specific group. Many publicly documented advanced persistent threat (APT) groups make use of spear phishing.
Stopping Spear-Phishing Attacks
First, security departments have to train users to recognize spear-phishing emails and to report any suspicious email they receive; it is vital for every employee to understand that their role gives them access to valuable data. Second, security teams have to implement, maintain and update their security technology and processes so they can detect and respond to spear-phishing threats in whatever forms they evolve into. Lastly, these teams must stay a few steps ahead of attackers through up-to-date threat intelligence and expertise.
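The detection side of the second point can be illustrated with a small header-and-body check. The following is an added example written for this page, not code from the original article: it scores a raw email for three of the indicators the text describes (a trusted display name on an outside address, a Reply-To pointing somewhere other than the sender's domain, a lookalike of the organization's domain) plus the presence of a link in the body. The organization domain `example.com`, the protected display names and both sample messages are constructed assumptions for the demonstration.

```python
import email
import re
from email.utils import parseaddr

# Assumptions for this example: the defended organization's mail domain, and a
# short list of people or roles whose display names attackers like to borrow.
ORG_DOMAIN = "example.com"
PROTECTED_DISPLAY_NAMES = {"dana finance", "chief executive"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot domains one or two edits from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_lookalike(domain):
    """True for a domain within two edits of ORG_DOMAIN that is not ORG_DOMAIN itself."""
    return domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2


def spear_phishing_indicators(raw_message):
    """Return the list of indicators found in a raw RFC 822 message string."""
    msg = email.message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # A protected name shown on an address outside our domain.
    if display_name.lower() in PROTECTED_DISPLAY_NAMES and from_domain != ORG_DOMAIN:
        findings.append("display-name impersonation")

    # Replies silently routed to a domain other than the visible sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to mismatch")

    # Sender domain that is a near-miss spelling of ours.
    if is_lookalike(from_domain):
        findings.append("lookalike sender domain")

    # Any link in a single-part body (multipart bodies are skipped for brevity).
    body = b"" if msg.is_multipart() else msg.get_payload(decode=True)
    if re.search(r"https?://", body.decode("utf-8", "replace")):
        findings.append("link in body")

    return findings


# Constructed sample messages (not real traffic).
PHISH_SAMPLE = "\n".join([
    'From: "Dana Finance" <dana.finance@examp1e.com>',
    "Reply-To: payroll-update@mail-relay.net",
    "To: employee@example.com",
    "Subject: Updated direct deposit form",
    "",
    "Please confirm your bank details today: http://examp1e.com/payroll",
])

LEGIT_SAMPLE = "\n".join([
    'From: "Dana Finance" <dana.finance@example.com>',
    "To: employee@example.com",
    "Subject: Q3 budget",
    "",
    "Attached is the draft for review.",
])


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, spear_phishing_indicators(sample))
```

The checks are deliberately simple and produce a list of reasons rather than a verdict, so a mail gateway or SOC analyst can decide which combinations warrant quarantine or a report to the user. Real deployments would add SPF/DKIM/DMARC results and attachment inspection, which this example leaves out.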