Phishing is a common scam that attackers use to steal data, spread malware, and defraud people of money. Most attacks involve a generic message sent to many people at once, often using contact details from a database that was leaked online. Spear phishing, however, is anything but generic. It targets specific people or organizations, often with custom-made emails or messages designed to avoid suspicion.
Here’s an example of how it works:
Gather Intelligence
Attackers may spend weeks or months researching an organization and gathering as much information as possible. During this initial stage, the goal is to gain access to employee directories, corporate email addresses and phone numbers, and any data that will help the scammer seem legitimate.
Identify Targets
With enough information, the attacker identifies the employees of significant interest: those with the authority to wire money or with high-level access to confidential information. Examples include human resources, executives, accounting, and IT personnel.
Gain Trust
Most spear phishing scams involve impersonation. The attacker will pose as someone the target knows, such as a co-worker, or as a legitimate business the target deals with. The idea here is simple: when the target believes they are communicating with a trustworthy source, they are more likely to fall for the scam.
Steal Money or Data
Many of these attacks are financially motivated. For example, the attacker might pose as an executive and ask that executive’s employees to wire money to a new account. Since the email comes from an authority figure, the target might not think twice about honoring the request. Impersonation is also how cybercriminals gain access to highly confidential information.
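The executive-impersonation scenario above is one that mail filters and SOC rules can partly catch from headers alone, because the attacker's message usually carries at least one of three tells: a trusted display name on an address outside the company, a sender domain that merely resembles the company's, or a Reply-To that quietly redirects the conversation elsewhere. The following is an added example, not code from the original article or from KnowBe4; the company domain "example.com", the executive names, and both sample messages are constructed for illustration.

```python
"""Header checks for executive-impersonation ("CEO fraud") emails.

Added example; not part of the original article. The corporate domain,
executive directory and sample messages below are all constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumed corporate domain and the high-value identities attackers like to borrow.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "pat smith"}

# Character substitutions commonly used to build lookalike domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize_domain(domain: str) -> str:
    """Collapse common homoglyph substitutions so lookalikes compare equal."""
    d = domain.lower()
    for glyph, real in HOMOGLYPHS.items():
        d = d.replace(glyph, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if the domain imitates CORP_DOMAIN without being it."""
    d = domain.lower()
    if d == CORP_DOMAIN:
        return False
    if CORP_DOMAIN in d:  # e.g. example.com.attacker.net
        return True
    if normalize_domain(d) == normalize_domain(CORP_DOMAIN):  # e.g. exarnple.com
        return True
    return edit_distance(d, CORP_DOMAIN) == 1  # e.g. example.co


def check_message(raw: str) -> list[str]:
    """Return the impersonation indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display-name impersonation: an executive's name on an external address.
    if from_name.strip().lower() in EXECUTIVES and from_domain != CORP_DOMAIN:
        findings.append(f"display name '{from_name}' used with external address {from_addr}")

    # 2. Sender domain that resembles the corporate domain.
    if from_domain and is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} resembles {CORP_DOMAIN}")

    # 3. Reply-To steering replies away from the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 4. Payment urgency is only worth flagging on top of a header anomaly.
    subject = str(msg.get("Subject", "")).lower()
    if findings and any(w in subject for w in ("urgent", "wire", "payment", "invoice")):
        findings.append("urgent payment wording combined with header anomalies")
    return findings


# Constructed sample messages (not real traffic).
CEO_FRAUD = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: Jane Doe <jane.doe.exec@mailbox.invalid>
To: accounts@example.com
Subject: Urgent wire transfer before close of business

Please process the wire to the new vendor account today and confirm by reply.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 planning

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("ceo-fraud", CEO_FRAUD), ("legit", LEGIT)):
        print(label, check_message(raw) or "no indicators")
```

The checks are deliberately header-only so they can run before any link or attachment analysis; in practice they belong alongside DMARC results, since a spoofed header on an unauthenticated message and a lookalike domain with valid SPF/DKIM are two different cases that both end in the same wire-transfer request.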
This is just one illustration of the many ways cybercriminals use spear phishing. Even if you are not in a position to wire money, for example, it is still vital to understand how these attacks work. Never assume someone is who they say they are, think before you click, and report anything suspicious immediately.
Article retrieved from Unmasking Criminals by The Security Awareness Company – KnowBe4, Inc. (2023)