What is Spear Phishing?

July 15, 2022

Each day, a spear phishing campaign results in yet another data breach, money transfer fraud or other damaging incident for an unfortunate business. Learning more about how spear phishing works and key indicators of a spear phishing attack can help organizations better protect themselves against this devastating vector of attack.  

What is spear phishing?  

Spear phishing is a targeted form of phishing: the attacker uses specific, researched information about a person or organization to craft a convincing malicious email. It is a deliberate attempt by threat actors to steal sensitive information, such as account passwords or financial details, from a chosen victim. Before sending anything, the attacker researches the target, gathering details such as their colleagues and friends, birthplace, employer, places they frequent and recent online purchases, then uses that material to impersonate somebody the target knows and trusts.

Spear phishing vs. phishing  

Phishing is a general term for any attempt to deceive a target into taking an action that gives the bad guys something that they want, like persuading someone to click on a malicious link, provide sensitive information or download a malware-laden file. Generic phishing attacks cast a wide net in an attempt to capture the largest number of victims possible. 

In spear phishing, quality is prioritized over quantity. Spear phishing attacks typically have very narrow targeting, designed to appeal to a specific small group of targets or even just one person. The messages are personalized to directly address the victim, seemingly originating from a recognizable and trustworthy source. Because of the sophistication of the messages, it can be very challenging to recognize spear phishing attacks.  

Spear phishing vs. whaling  

Whaling attacks involve spear phishing, but they’re much more specialized. Whaling attacks are personalized to trick individual executives or privileged people inside an organization, like someone who can authorize payments. Whaling is commonly used to obtain money, information or access credentials from a specific person at a specific business.  

How is spear phishing done?

It is crucial to know how spear phishing attacks work in order to prevent them. Let’s look at the different stages of a spear phishing attack.  

Choosing the target and the point of contact 

The operation kicks off with some planning. Bad actors determine their goals, their targets, and the best way to reach them, usually through a business email address. 

Setting up a legitimate-looking sending domain  

The sender’s address is one of the most obvious signs of a phishing email, so faux authenticity starts with the sending infrastructure. Attackers typically register a look-alike domain (a transposed or swapped letter, an added hyphen or word, a different top-level domain) and stand up mail infrastructure for it, often complete with SPF and DKIM records, so the message arrives from a domain that resembles a known company and passes basic sender authentication for that domain. Keep in mind that SPF and DKIM only show that the mail really came from the domain it claims; they say nothing about whether that domain is the one the recipient thinks it is.  

Gather detailed personal information about the target  

The more personal an email is, the more likely the attack is to succeed. Attackers mine both the open web (company websites, press releases, social networks, job postings) and dark-web sources such as earlier breach dumps to build a profile of the target, then use that profile to personalize the lure so it reads like something the victim would expect to receive.

Increase the urgency of messaging  

The bad actors then apply social engineering: a lure designed to exploit how people decide under pressure. Making the victim feel rushed is an efficient way to get them to act before checking, in this case clicking a malicious link or opening a malicious attachment. Spear phishing emails often use words like “immediately” and “ASAP” to generate a sense of urgency. Bad actors may also masquerade as a government agency or major corporation to raise the perceived importance of the message. 

What are indicators of spear phishing?  

Spear phishing messages are highly sophisticated. Unfortunately, 97% of employees are unable to detect a sophisticated malicious message. These red flags may indicate spear phishing. 

Weird requests  

One way to spot a spear phishing message is to watch for unusual requests, especially ones that violate a company policy. For example, if a target receives an unexpected message from the “security team” asking them to send their password by email, and the target knows their company has a policy that forbids exactly that, the message is very likely spear phishing. 

Unfamiliar tone  

Take note of the message’s tone and overall look, and check that it matches earlier emails from the same source. For instance, look for unusual spelling errors, or check whether it is abnormally formal or overly familiar. If the style and tone seem odd, contact the sender through another channel (a known phone number, an existing chat thread) to confirm the message is legitimate. 

A mysterious firm  

If a company you have never dealt with sends you an email about a business matter, treat it as a strong warning sign: an unsolicited invoice, contract or payment request from an unfamiliar firm is a classic spear phishing setup. Avoid clicking on any links or attachments the email may contain, and verify both the firm and the request through a channel you already trust before acting.  
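The indicators above (a look-alike sending domain, urgency language, a request that violates policy) can be checked mechanically before a human ever reads the message. The following is an added example, not Graphus code or anything from the original article: a small scorer that parses a raw email with Python’s standard library, compares the From domain against a hypothetical allow-list of partner domains using edit distance, checks Reply-To against From, reads the receiving server’s Authentication-Results header, and looks for the urgency and password-request phrases the article describes. Both sample messages, the trusted-domain list and the keyword lists are constructed for illustration.

```python
"""Heuristic spear-phishing indicator scoring for a single email.

Added example, not Graphus code. The trusted-domain list, the keyword
lists and both sample messages below are constructed for illustration.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from typing import List, Optional, Set, Tuple

# Hypothetical allow-list: domains this organisation already corresponds with.
TRUSTED_DOMAINS = {"example.com", "partner-supplier.com"}

# Phrases the article calls out: manufactured urgency and requests that
# violate policy (nobody should be asked for a password by email).
URGENCY_WORDS = ("immediately", "asap", "urgent", "right away", "within the hour")
POLICY_VIOLATIONS = ("send your password", "provide your password", "reply with your password")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; enough to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain that `domain` imitates (distance <= 2), else None."""
    if not domain or domain in trusted:
        return None
    for t in sorted(trusted):
        if levenshtein(domain, t) <= 2:
            return t
    return None


def score_message(raw: bytes, trusted: Set[str] = TRUSTED_DOMAINS) -> Tuple[int, List[str]]:
    """Return (number of indicators hit, human-readable reasons)."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []

    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    imitated = lookalike_of(from_dom, trusted)
    if imitated:
        reasons.append(f"sender domain {from_dom} looks like trusted {imitated}")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Authentication-Results is written by the receiving MTA. A look-alike
    # domain can pass SPF/DKIM for itself, so these are supporting evidence only.
    auth = str(msg["Authentication-Results"] or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{check}=(fail|softfail|none)\b", auth):
            reasons.append(f"{check} did not pass")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg['Subject'] or ''} {body.get_content() if body else ''}".lower()
    if any(w in text for w in URGENCY_WORDS):
        reasons.append("urgency language in subject or body")
    if any(p in text for p in POLICY_VIOLATIONS):
        reasons.append("asks for a password by email (policy violation)")
    return len(reasons), reasons


# Constructed sample: look-alike supplier domain ("suppiler"), off-domain
# Reply-To, missing DKIM/DMARC, and urgency language.
SUSPICIOUS = b"""From: "Accounts Payable" <ap@partner-suppiler.com>
Reply-To: ap@mail-relay.example.net
To: finance@example.com
Subject: Updated bank details - action needed immediately
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner-suppiler.com; dkim=none; dmarc=none header.from=partner-suppiler.com
Content-Type: text/plain; charset=utf-8

Please update our bank details on file ASAP so the attached invoice can be paid today.
"""

# Constructed sample: routine mail from the real partner domain.
BENIGN = b"""From: "Accounts Payable" <ap@partner-supplier.com>
To: finance@example.com
Subject: Invoice 1042 for March
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner-supplier.com; dkim=pass header.d=partner-supplier.com; dmarc=pass header.from=partner-supplier.com
Content-Type: text/plain; charset=utf-8

Please find attached our invoice for March. Payment terms are net 30 as usual.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        score, reasons = score_message(raw)
        print(f"{label}: {score} indicator(s)")
        for r in reasons:
            print("  -", r)
```

The constructed suspicious message trips five indicators and the benign one trips none. The edit-distance threshold of two is deliberately loose; in production you would pair it with a homoglyph map (for example, “1” for “l”) and a list of the organisation’s own brands, and you would treat SPF/DKIM/DMARC results as evidence about the claimed domain rather than about the sender’s honesty.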

How common is spear phishing?  

Unfortunately, spear phishing is a favorite technique of bad actors. About 65% of threat actors use spear phishing as their main infection channel for targeted attacks. It’s a top vector for attacks like ransomware and business email compromise.  

Why is spear phishing so effective?  

The combination of careful personalization, fake authenticity and implied urgency is a recipe for effective social engineering, making spear phishing lures very hard to resist. The open rate for spear phishing emails is about 70%. Even worse, 50% of recipients who open spear phishing messages click on a malicious link inside. Each element reinforces the others: personalization earns trust, the look-alike sender survives a casual glance, and urgency discourages the out-of-band check that would expose the lure.  

What is an example of spear phishing?  

Spear phishing attacks are dangerous for businesses. Here are some prominent spear phishing attacks and how they unfolded.  

Spear phishing at Google and Facebook  

A group of cybercriminals led by Evaldas Rimasauskas (who later pleaded guilty) ran a business email compromise (BEC) scheme against Google and Facebook that was delivered through spear phishing. The attackers registered a fraudulent corporation with the same name as a major technology components supplier that both companies did business with, opened bank accounts in the fake firm’s name, and then used spear phishing emails to deliver forged invoices to both companies. The two tech giants paid out nearly $100 million to the scheme between 2013 and 2015.  

Russia aims at Ukraine with spear phishing  

Microsoft issued a warning in February 2022 about a new spear phishing campaign by a Russian hacker gang targeting the Ukrainian government and non-governmental organizations. Since 2021, the Gamaredon group, also called ACTINIUM, has purportedly targeted “organizations critical to emergency response and the security of Ukrainian land.”  

Microsoft 365 user credentials were stolen  

Security researchers discovered a spear phishing campaign in April 2021 that tricked victims into downloading malware onto their devices. The targets received an email with a blank body and the subject line “pricing modification”. It carried what appeared to be an Excel spreadsheet (.xlsx) as an attachment, but the “spreadsheet” was actually a malicious HTML file; opening it ran the attacker’s content and infected the device. 
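The lesson from that campaign is that a file’s extension and its declared MIME type are both attacker-controlled; only the bytes are not. The following is an added example, not code from the researchers or from Graphus: it builds two constructed messages shaped like the one described (blank body, subject “pricing modification”, one attachment named as a spreadsheet), then checks each attachment’s leading bytes against what its extension promises. A genuine .xlsx is a zip container that carries [Content_Types].xml, so the check goes one step beyond the magic number for Office files.

```python
"""Detect attachments whose bytes do not match their file extension.

Added example, not Graphus or the researchers' code. The sample messages are
built in memory below and are constructed for illustration.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OOXML_EXTS = {".xlsx", ".docx", ".pptx"}   # all are zip containers
LEGACY_EXTS = {".xls", ".doc", ".ppt"}     # OLE compound files


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, not by what the name claims."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(b"%PDF-"):
        return "pdf"
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:256].lower()
    if head.startswith((b"<!doctype html", b"<html")) or b"<script" in head:
        return "html"
    return "unknown"


def expected_kind(filename: str) -> Optional[str]:
    """What the extension promises; None when this checker has no opinion."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext in OOXML_EXTS:
        return "zip"
    if ext in LEGACY_EXTS:
        return "ole"
    if ext == ".pdf":
        return "pdf"
    return None


def is_ooxml(data: bytes) -> bool:
    """A real Office Open XML file is a zip that carries [Content_Types].xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def attachment_mismatches(raw: bytes) -> List[Tuple[str, str, str]]:
    """Return (filename, expected, observed) for each attachment that lies about its type."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        expected = expected_kind(name)
        if expected is None:
            continue
        observed = sniff(data)
        if expected == "zip" and observed == "zip" and not is_ooxml(data):
            observed = "zip-not-ooxml"
        if observed != expected:
            findings.append((name, expected, observed))
    return findings


def build_sample(attachment: bytes, filename: str) -> bytes:
    """Construct a message shaped like the campaign: blank body, one 'spreadsheet'."""
    msg = EmailMessage()
    msg["From"] = "sales@vendor.example"       # constructed sender
    msg["To"] = "buyer@example.com"
    msg["Subject"] = "pricing modification"
    msg.set_content("")
    msg.add_attachment(attachment, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
                       filename=filename)
    return msg.as_bytes()


def make_minimal_xlsx() -> bytes:
    """Constructed stand-in for a genuine .xlsx: a zip containing [Content_Types].xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


# Constructed HTML "spreadsheet": the shape of what the campaign delivered.
FAKE_XLSX = b"<!DOCTYPE html><html><body><script>/* decoy */</script></body></html>"

if __name__ == "__main__":
    print(attachment_mismatches(build_sample(FAKE_XLSX, "pricing_modification.xlsx")))
    print(attachment_mismatches(build_sample(make_minimal_xlsx(), "pricing_modification.xlsx")))
```

The HTML-in-disguise attachment is reported as expected “zip”, observed “html”; the constructed real spreadsheet passes. A gateway rule built on this idea should quarantine on mismatch rather than merely flag, because by the time the recipient double-clicks, the operating system will hand the file to a browser based on the same bytes this check inspects.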

How can spear phishing be prevented?  

Every business must reduce its exposure to phishing-based cyberattacks and increase its cyber resilience to prevent spear phishing trouble. Following these best practices will help you protect your organization against spear phishing:   

  • Foster a strong, healthy security culture  
  • Make sure your software and systems are patched regularly  
  • Conduct regular security awareness training  
  • Run frequent phishing simulations 
  • Enable two-factor or multifactor authentication  
  • Make cybersecurity a company focus  
  • Teach employees to never disclose passwords   

Prevent Spear Phishing Attacks with Graphus  

Graphus’ AI-powered email security is a powerful defense against spear phishing threats. Compared to built-in email protection or a SEG, automated, API-based email security solutions like Graphus prevent 40% more spear phishing messages from reaching an employee’s inbox. Here’s how: 

TrustGraph is a powerful shield between employee inboxes and malicious messages. This proprietary technology uses more than 50 distinct data points to discover sophisticated phishing messages, even zero-day attacks.  

EmployeeShield displays a bright, prominent box on suspicious messages, reminding employees to be cautious. Employees can designate a message as genuine or malicious with a single click.  

Phish911 makes it simple for employees to report any message that they don’t think is safe. When an employee reports a potentially malicious email, the message is immediately removed from everyone’s inboxes.   

Learn more about Graphus.

