What is Spear Phishing? | SentinelOne

What is Spear Phishing?


What’s the weakest link in your company’s security?

It’s not your WiFi, or your employee’s laptops, or even their cell phones. In fact, it’s the employees themselves. Criminals know this, which is why phishing is responsible for about 90% of all data breaches.

While most companies have implemented policies to protect against phishing, spear phishing is another problem altogether. What is spear phishing? For starters, it’s even harder to spot than regular phishing because it incorporates personal information into the attack.

Your employees may not be able to see the difference between a standard email from a colleague or vendor and a sophisticated spear phishing attack. In the article below, you can learn what spear phishing is, how it can harm your company, and what you can do to protect your employees from attacks.


What Is Spear Phishing?

To understand spear phishing, you must first understand how it differs from regular phishing. Phishing casts a wide net. It’s an unsophisticated attack that can come in the form of a disguised login page or an email from an unknown sender.

Phishing is designed to do one of two things; extract personal information from people or install malware on someone’s device. Criminals then use sensitive information to steal identities or access bank accounts. If the phishing is part of a malware attack, the criminals can use the malware to hold files at ransom.

Phishing attacks are generally designed to reach thousands of people in the hopes that a few of those people will make the mistake of giving out personal information or downloading unknown files. When you compare spear phishing vs phishing, you see that spear phishing is specifically designed to target certain individuals.

Spear phishing is a more sophisticated, coordinated form of phishing. It’s called spear phishing because it uses familiar, personalized information to infiltrate a business through one person. The email might come from a name that you’re familiar with, or it might reference your place of business.

Spear Phishing Examples

Let’s say you’ve recently purchased a few items from Amazon, and then received an email from what looks like Amazon’s customer service team, asking about your recent purchase. There’s a link which takes you to a legitimate looking login page, but it’s not, and when you put in your credentials, you’re not logging into your Amazon account, you’re actually giving away your username and password to the scammer. Another example: You receive an email from your office manager asking you to confirm your corporate credit card number. Perhaps you just booked a trip and you receive an email that looks like it is from the airline, everything looks normal, but you notice an unrecognized email attachment.


Spear Phishing vs. Phishing vs. Whaling

What is Phishing?

Phishing is the general practice of casting a “lure” (quantity over quality) to set a hook in unsuspecting victims in order to gain valuable personal information directly from victims. In order to fly under the radar, phishing attacks will be camouflaged through legitimate looking emails, but really have messages with malware embedded that are undetectable without close inspection. Phishing attacks can also be emails with attachments that automatically deploy whenever a message is loaded. A well-known phishing use case would be a mass mailing attack deployed across an organization’s entire employee database in the hopes that one or two offending messages sneak through. Common phishing attacks include faked invoices, emails containing links to “verify” information, or even dummy shipping notifications.

What is Spear Phishing?

While phishing attacks began as a relatively unsophisticated collection of methods to compromise a company’s tech stack or create “brute force” entry points to gaining access to systems and critical data, approaches have evolved to focus on individuals. These scenarios targeting pre-identified individuals are known as spear phishing attacks. In a spear phishing attack, attackers will do research on individuals online and attempt to utilize what they learn to establish credibility and minimize suspicion. Old school phishing techniques are still employed but with the added element of personalization, these attacks are highly effective against individuals and businesses.

What is Whaling?

Building on the evolution of phishing and spear phishing, an additional type of attack has emerged in recent years: Whaling. Whaling is similar to spear phishing in that these attacks target specific individuals, but whaling attacks focus only on the most valuable targets: CEOs, CTOs, and other corporate leaders with a high level of access to the business’ most valuable information. Since the return on compromising these individuals is so high, attackers spend significantly more time on researching victims and developing strategies for a higher success rate.

How do they differ from Spear Phishing?

The major difference between phishing, spear phishing, and whaling is the amount of effort attackers will put into developing and deploying their attacks. This decision to dive deeper on certain individuals is typically  based on the perceived return of a successful attack. While phishing attacks are deployed relatively quick across a wide range of people, the upside potential is limited unless the right person in your organization does the wrong thing. Spear phishing seeks to design a better “lure” to try and hook the right people, with the right message. Taken even further, individuals who have the greatest access to information present the largest potential gain for criminals. As a result, a great deal of time and effort is put into compromising a single person. The greater the upside, the more time attackers will spend to create a compelling attack.


Why Is Spear Phishing Hard to Identify? 

Spear phishing is difficult to detect because it utilizes the weakest link in the attack flow – us, humans. By collecting publicly available information, attacks can craft relevant emails that would look timely and appropriate, and therefore, to fool users into clicking on fake emails.

Great efforts are taken to identify weak points within organizations and create effective ways of prying them open. Personal information that people believe to be known only-to-themself is an extremely productive approach to getting employees and executives to let their guard down and hurriedly click a link, or respond to an “urgent message.”


How a Spear Phishing Attack Works

Stage 1: Information Gathering (Bait)

Unfortunately, it’s easier than ever for criminals to find out personal information online. As social media continues to gain popularity, spear phishing has become more sophisticated and targeted.

Your LinkedIn shows your place of work and a list of your co-workers. Anyone with a LinkedIn account can access this information. Lead generation platforms make it easy for anyone to find the email address and phone number you use for work.

Stage 2: The Request (Hook) 

Once the attacker has acquired the necessary information on their target, they can use it as bait to get him/her to perform the action (clicking a link, downloading a file) that releases the malware/ransomware onto the machine.

One common tactic used by criminals involves fake invoices. A criminal will send an email or make a phone call and mention that there’s a problem with an invoice. They’ll ask the victim to add the correct information to a digital invoice. Of course, the digital invoice isn’t real, but once the criminal has the invoice payment information they can begin stealing money.

Oftentimes, spear phishing attacks will target a company’s top executives. This is why it’s so important to have spear phishing protection training for every member of the company, from the entry-level salesperson to the CEO. Criminals like to target higher-ups because executives often have the power to pass along credit card information and/or payroll information.

Stage 3: The Attack (Catch)

If the attacker’s bait and hook work, then they’re ready for stage 3 – access the victim’s computer and its data. Once an attacker has compromised your data security perimeter, they will begin collecting their bounty – in the context of enterprises, attackers want sensitive data and information. The most sophisticated attacks actually see compromised data as the greatest reward to be sold to the highest bidder – think financial services and politics. These attacks will remain in effect long enough to cause lasting damage.


How Can Employees Identify Spear Phishing Attacks?

You can train your employees to look for certain things in an email to be sure it’s not a phishing attack. First, they should always check the actual email address of the sender, not just the sender’s name which can be spoofed.

Additionally, your employees should always hover over links in emails before clicking on them. If the email is asking your employee to download a file, they should be especially cautious. Sophisticated spear phishing attacks sometimes put files on reputable websites like Dropbox, but that doesn’t mean the file is safe to download.

The best course of action for most suspicious emails is to simply call the number in the email signature. If a criminal is pretending to be one of the employee’s co-workers, this phone call will expose the lie. While this can be an annoying extra step for employees to go through, it can save your company in the long run.


How Can You Protect Your Company From Spear Phishing?

Unlike phishing emails, spear phishing emails are generally well-written, free from spelling errors, and appear genuine.

The best way to defend your business against spear phishing attacks is to use data protection technology. XDR technology is a good place to start. Extended Detection and Response is a proactive approach that actively monitors every layer of your network to catch malware before it does any damage.

The most important thing is that you’re able to monitor every device on every layer of your network. Without this kind of all-encompassing protection, you leave your business vulnerable to spear phishing attacks.

Are You Safe From Spear Phishing Attacks?

As more information becomes publicly available, more businesses become vulnerable to spear phishing attacks. Criminals can find your employee’s information online with ease, and they’ll use it to their advantage. While no defense system can be 100% successful in fending off phishing attacks, the better cybersecurity protection gives you a chance at keeping your entire organization safe.

To learn more about XDR and how you can keep your enterprise safe from spear phishing, get in touch with the team at SentinelOne today for a free demo.

Schedule A Demo
SentinelOne encompasses AI-powered prevention, detection, response and hunting.