Spear Phishing vs Phishing + How to Avoid Both

June 8, 2018


You receive an email from your bank. They’ve emailed you before, so you’re not suspicious. You open the email and read that you need to take immediate action, so your account isn’t closed. You hastily click the link provided in the email and put your information into the portal, so you can ensure your account isn’t closed.

You’ve just been the victim of a phishing attack.

If you listen to the news, browse social media, or receive our client newsletters, you know cyber security threats are everywhere. For cyber criminals, there’s a lot of money in tricking people like you and companies like yours. But, with so many cyber security terms out there, it can be hard to know what’s what, which can make it harder to know what you should keep a look out for.

We find that to be especially true with phishing attacks. There are a lot of similarities between spear phishing attacks and phishing attacks, and they are some of the most common cyber incidents. Knowing the difference between spear phishing and phishing is important so you can stay vigilant and not fall victim to either kind of attack.

Below you can read more about the similarities and differences between phishing and spear phishing. We have also included six tips to help you avoid both.

What is Phishing?

Phishing is a broad term that encompasses malicious communications, especially email. Phishing emails attempt to access personal, and often confidential, information by preying on victims’ weaknesses, which can include software and security weaknesses or insufficient user training in cyber security.

These cyber attacks are typically sent in mass because the more people they reach, the more likely it is that someone will fall victim. Phishing attacks will target these thousands or millions of people no matter where they live or work.

Something common across all phishing attacks is that the communication will appear to come from a trusted source, be it a friend or a well-known company. If from a company, these emails will use their logo, use their color scheme, and look legitimate overall.

Phishing attacks often lure individuals to click on a malicious link or open a malicious attachment. Once clicked, the cyber criminal will attempt to infect the device or even take control over the device to harvest sensitive information. From there, they can make illegal purchases, commit fraud, or even steal your identity.

What is Spear Phishing?

Spear phishing is a form of phishing that makes a more targeted attempt at stealing information. The cyber criminal behind a spear phishing attack will acquire personal information about your friends, your hometown, places you frequent, your employer, things you recently purchased, and more.

Once they have this information, they craft a targeted email (or text) with some of the details mentioned above to gain your confidence that they are, in fact, a trusted source, such as a friend or a company you made a recent purchase from.

Spear phishing’s end goal is the same as a phishing attempt – acquire confidential information for malicious purposes.

The individualized message is what sets spear phishing apart.

Before they craft the message, the cyber criminal takes the time to research your personal Facebook, Twitter, LinkedIn, and Instagram. Creating very personalized messages increases the “success rate” for cyber criminals, and it works. According to Trend Micro, 91% of cyber attacks that result in a data breach begin with a phishing attack.

With the way people handle their personal information on social media, it’s easy for these cyber criminals to create messages that are highly personal. They gain your trust this way and you fall victim. Other times they want you to download malware or open attachments that allow them into protected parts of your computer.

Oftentimes, these messages will contain a sense of urgency.

They may pose as a platform you often use and ask you to change your password to AVOID a cyber incident, or trick you into thinking your boss is in a meeting but needs you to complete a time-sensitive task (such as sending over employee tax info). The name of your boss can even be easy to find if your social media lists your workplace and your workplace’s social media links to other employees’ profiles.

How to Avoid a Spear Phishing Attack

One thing to keep in mind is that phishing schemes of any kind are highly sophisticated, so there isn’t just one easy fix. The cyber criminals behind them develop new ways to trick you every day, from impersonating a trusted source to.

The following tips should help you stay aware of potential threats, but we can’t cover all possible scenarios or spear phishing examples.

  • Be careful on social media: The moms of the world are right; what you put out there is for anyone to see. Even with some of the privacy settings enabled, there is still often enough information about you to craft a personalized message. Just think about how much personal information you want a cyber criminal to see. Take another look and make sure your privacy settings are where you’d like them to be across all social media channels to ensure your personal information can’t be used against you.
  • Create strong passwords: If you use the same basic password all across the internet, you need to make some changes. Strong passwords are the easiest way to bolster your security, but not reusing the same password across multiple sites is very important too. If the password for your email is compromised, could a cyber criminal use it to log in to your online banking? If tracking passwords feels too cumbersome, use a password manager such as 1Password. It will not only create a password with letters, numbers, and special characters, but it will keep track of all your passwords for you.
  • Stay up-to-date: Software updates can feel like a hassle, but they’re so important. These updates almost always contain security patches, and without them you could be vulnerable to common attacks.
  • Know the signs: Do you know the 7 common red flags in an email? Could you spot a suspicious email just by the subject line in your inbox? Do you hover over links in emails to see where they actually go? Getting to know the signs of a malicious email will make a huge difference in your cyber safety.
  • Follow up: If there’s an email from your boss asking you not to call but to just do this urgent task, follow up with them through a different medium – be it Slack, calling them on the phone, or popping into their office. For these kinds of things, it’s better safe than sorry, so just confirm with that person that they did in fact make that request. If your bank or electric company sends you a link to click on, open your browser and go straight to their site instead.
  • Implement a security training program: If you’re in a position to implement a security training program, do so. In any business, the greatest security vulnerability is the people who work there. If they don’t know what a phishing scheme or a spear phishing scheme is, let alone what one looks like, they could unwittingly let a cyber criminal onto your network. In these cases, companies often don’t realize the breach has happened until months later, when tons of data has been compromised.
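The “hover over links” check in the tips above can be automated for a mailbox or a gateway filter. The example below is added here and is not GadellNet’s code or part of the original post: it parses the HTML body of an email, compares where each link really points (its href) against the domain the visible link text claims, and flags anything that does not land on the sender’s expected domain. The email body and the domain names in it are constructed for the example, and the “registered domain” helper is a deliberately crude last-two-labels approximation.

```python
"""Flag links in an HTML email whose real destination differs from what the
visible text claims, or which leave the sender's expected domain."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the first link shows a bank-looking URL but points to
# a look-alike host; the second is a genuine link on the expected domain.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be closed unless you act now.</p>
<p><a href="http://examplebank.com.account-verify.test/login">www.examplebank.com/secure</a></p>
<p>Or <a href="https://examplebank.com/help">visit our help centre</a>.</p>
"""

URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two DNS labels (an assumption for the example; real code would
    consult the public suffix list so 'co.uk'-style suffixes work)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname of a URL, or of bare text that looks like one."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname or ""


def suspicious_links(html, expected_domain):
    """Return [(href, visible_text, [reasons])] for links worth a second look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href:
            continue
        real = registered_domain(host_of(href))
        reasons = []
        if real != expected_domain:
            reasons.append(f"destination {real!r} is not {expected_domain!r}")
        # Visible text that reads like a URL must agree with the real target.
        if URL_LIKE.fullmatch(text) and registered_domain(host_of(text)) != real:
            reasons.append(f"shown as {text!r} but goes to {real!r}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run against the constructed sample, only the first link is reported, with both reasons: it leaves the expected domain and its visible text disagrees with its target. A mail filter would typically feed `expected_domain` from the authenticated sender (the DKIM or From domain) rather than hard-coding it.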

Spear phishing and phishing attacks can only be done by someone who really knows what they’re doing. Cyber criminals are often highly trained and very effective at what they do. If you don’t already have some cyber defenses in place, you should consider putting some in. There are email inspectors that help you identify and block spear phishing attempts, as well as threat protection and alerting systems that let you know if any activity out of the norm is occurring.

Of course, as mentioned above, trained employees will be vigilant employees. Making sure your entire team knows the signs of a cyber attack, and especially spear phishing, is an important step in keeping your data safe and your company secure.

As technology has become a bigger part of our lives, the internet has become a more threatening place. Both phishing and spear phishing attacks prey on people’s willingness to help in an urgent matter and their desire to make things right (like changing a password in order to stay secure).

At GadellNet, we have a cyber security mantra, “Stop, Look, Think,” which basically means we want people to take the time to analyze any particular request and not just react.