As the word suggests, phishing is like casting a wide net into the ocean and hoping for a catch.
It’s a numbers game. Attackers use automated tools to send thousands of impersonal scam messages. They hope a small percentage of the recipients will take the bait and share sensitive information, click a malicious link, or send money.
By contrast, spear phishing is aimed at a single prey. It’s a targeted, tailored attack designed to entrap one individual or key people within an organisation.
For example, in 2024, the European retail group Pepco lost around €15.5 million when a spear phishing attack convinced staff in Hungary to send funds to fraudulent accounts.
Who are the targets for spear phishing?
Spear phishing is so dangerous because the attackers research their victims to create tailor-made scams. For example, they hoodwink finance teams into paying fake invoices, or dupe HR teams into changing employees’ personal details.
The attackers target people with access to sensitive data or control over funds. For example:
- Senior executives, such as CEOs and CFOs, are prime targets. They’re privy to highly sensitive information and can authorise strategic decisions and large payments.
- Finance, HR, and IT teams can access valuable information such as employees’ personal data and bank account details.
The spear phishing attack process: A step-by-step breakdown
Step 1: Research and reconnaissance
The attackers choose their victim and gather information about them.
They comb social media, company websites, and professional networks such as LinkedIn to understand the victim’s job role, their skills, coworkers, communication style, recent projects, and more. Additionally, they often buy information from dark web marketplaces or leverage data shared in criminal forums to enrich their intelligence.
Step 2: Crafting a personalised spear phishing email or message
Using the information they’ve gathered, the attackers create a personalised scam message that’s calculated to trigger a response from the victim.
For example, an email that appears to come from the victim’s CEO, saying that a sudden emergency is jeopardising the victim’s biggest project and that they must act immediately to save it.
The email may contain fake login pages, malware attachments, or a request to send money or sensitive information.
Step 3: Sending the message
The email lands in the victim’s inbox at a strategic moment. For example, when the victim’s company is about to close a big money deal or release a major new product.
Step 4: Exploiting the target
Stressed, fearful, and under pressure, the victim acts in response to the message. They supply the requested information or money, or install malware.
The attackers achieve their goal. This can be to steal the victim’s password, install malware on their device, harvest their data, or receive money.
How spear phishing emails and messages use social engineering tactics
The tactic behind spear phishing is social engineering. That is, using the victim’s personal information to abuse their trust and manipulate them into action.
Fraudsters often mimic the victim’s bosses, business partners, or colleagues and mention details of a specific project or deal the victim is working on, causing them to lower their guard.
Many spear phishing messages are also calculated to trigger stress and fear. They pressure the victim to act hastily, without stopping to check whether the request is genuine or even makes sense.
Spoofed email addresses and domains
One of the sneakiest tactics is email spoofing. That is, creating sender addresses that look almost identical to legitimate ones but with one or two characters changed. For example, jane.doe@cornpanyname.com. These variations can be hard to spot, especially when people are busy, under pressure, or reading on small screens.
For example, in 2016, an employee at Crelan Bank in Belgium transferred around 70 million euros to a scammer in another country. The scammer had spoofed the email address of the bank’s CEO.
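The lookalike trick described above (an “rn” standing in for an “m”, a zero for an “o”, a dropped letter) can be caught mechanically before a busy reader has to spot it. The following Python is an added example, not code from the article or from Cybercheck: it reduces a sender domain to a “visual skeleton”, compares it against a list of trusted domains, and also flags domains one typo away. The trusted domain companyname.com and the confusable tables are assumptions chosen to match the article’s jane.doe@cornpanyname.com example.

```python
import unicodedata
from email.utils import parseaddr

# Assumed legitimate domain for this worked example (constructed; the article's
# spoof "cornpanyname.com" imitates it).
TRUSTED_DOMAINS = {"companyname.com"}

# Multi-character sequences that render like one letter in many fonts.
# Applied before the single-character table so that "rn" -> "m" wins.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Single characters that are visually close to another ASCII letter.
CONFUSABLE_CHARS = {"0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "8": "b"}


def skeleton(domain: str) -> str:
    """Collapse a domain onto a 'visual skeleton' so lookalikes map to the same string."""
    text = unicodedata.normalize("NFKD", domain.strip().lower())
    # Strip combining accents so that "é" becomes "e".
    text = "".join(c for c in text if not unicodedata.combining(c))
    for seq, repl in CONFUSABLE_SEQUENCES:
        text = text.replace(seq, repl)
    return "".join(CONFUSABLE_CHARS.get(c, c) for c in text)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typos such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is exact or unrelated."""
    domain = domain.strip().lower()
    if domain in trusted:
        return None  # the genuine domain itself is not a lookalike
    for good in trusted:
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) == 1:
            return good
    return None


def classify_sender(header_value: str) -> str:
    """Classify a From: header value as 'trusted', 'lookalike' or 'external'."""
    _, addr = parseaddr(header_value)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    return "lookalike" if lookalike_of(domain) else "external"


if __name__ == "__main__":
    # Constructed sample From: headers, one of them the article's own example.
    for sample in ("Jane Doe <jane.doe@cornpanyname.com>",
                   "jane.doe@companyname.com",
                   "Jane Doe <jane@c0mpanyname.com>",
                   "Jane Doe <jane@othercorp.com>"):
        print(f"{sample:45} -> {classify_sender(sample)}")
```

A gateway or mail client that tags “lookalike” senders with a visible banner gives the verification-by-phone rule in the next section something concrete to trigger on; a domain that skeletons to a trusted one but is not on the trusted list is exactly the case a tired reader on a small screen will miss.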
7 ways to protect your organisation against spear phishing
To reduce your organisation’s risk from spear phishing:
- Always verify requests: Ensure that anyone receiving a request for money or sensitive information verifies the sender by phone before they respond. Define protocols and ensure everyone understands them.
- Conduct regular security awareness training: Ensure everyone is aware of the danger and knows how to spot and report potential phishing messages.
- Deploy email authentication standards: Use standards such as SPF, DKIM, and DMARC to block spoofed messages.
- Control access to information: Apply the principle of least privilege so that people can only access the systems and data they really need for their roles.
- Use multi-factor authentication (MFA) on all your user accounts: This provides an extra layer of protection for your systems and data.
- Be careful about what you share online: Manage your organisation’s digital footprint to ensure you’re not giving away information that attackers could use against you.
- Use a cyber threat intelligence (CTI) and credential monitoring solution: CTI solutions such as Cybercheck help you to stay safe by continuously monitoring for exposed credentials and personal data, providing early warning to stop attacks before they breach your defences. If cybercriminals are trading information about you or your organisation, we immediately alert you. Knowing that this information is no longer a secret lets you stay extra vigilant, understand that you could be targeted in spear phishing attacks, and take proactive steps like changing passwords, blocking cards, and acting to shut out the attackers before they make you their next victim.
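“Deploy SPF, DKIM and DMARC” only blocks spoofed mail if the published records actually tell receivers to reject. A domain with `~all` in SPF and `p=none` in DMARC is monitoring, not enforcing. The Python below is an added example, not code from the article or from Cybercheck: it parses the SPF and DMARC TXT records for a domain and lists the gaps a practitioner would want closed. The records are constructed samples held in a dictionary rather than fetched from DNS, so it runs offline; the domain names and mailer hostnames in them are assumptions.

```python
# Constructed sample TXT records standing in for DNS answers (not live lookups).
# "companyname.com" is configured to enforce; "weak.example" only monitors.
SAMPLE_TXT = {
    "companyname.com": "v=spf1 include:_spf.example-mailer.net -all",
    "_dmarc.companyname.com": "v=DMARC1; p=reject; rua=mailto:dmarc@companyname.com; pct=100",
    "weak.example": "v=spf1 include:_spf.example-mailer.net ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
}


def spf_strength(record):
    """Classify an SPF record by its final 'all' mechanism."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing"
    last = record.split()[-1].lower()
    if last == "-all":
        return "fail"          # unlisted senders are rejected
    if last == "~all":
        return "softfail"      # unlisted senders are merely marked
    if last in ("?all", "+all", "all"):
        return "permissive"    # anyone may send as this domain
    return "no-all"            # no catch-all: result is neutral for unlisted senders


def parse_dmarc(record):
    """Return the DMARC policy, enforcement percentage and whether reports are requested."""
    result = {"policy": "missing", "pct": 0, "reporting": False}
    if not record:
        return result
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # A record without v=DMARC1 or without a p= tag is invalid; receivers treat it as absent.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return result
    result["policy"] = tags["p"].lower()
    try:
        result["pct"] = int(tags.get("pct", "100"))
    except ValueError:
        result["pct"] = 0
    result["reporting"] = "rua" in tags
    return result


def assess_domain(domain, txt=SAMPLE_TXT):
    """Summarise whether a domain's SPF and DMARC records would reject spoofed mail."""
    spf = spf_strength(txt.get(domain))
    dmarc = parse_dmarc(txt.get("_dmarc." + domain))
    findings = []
    if spf != "fail":
        findings.append(f"SPF result for unlisted senders is '{spf}', not a hard fail")
    if dmarc["policy"] != "reject":
        findings.append(f"DMARC policy is '{dmarc['policy']}': spoofed mail is not rejected")
    elif dmarc["pct"] < 100:
        findings.append(f"DMARC reject applies to only {dmarc['pct']}% of messages")
    if not dmarc["reporting"]:
        findings.append("no rua= address: you will not see who is spoofing the domain")
    return {"domain": domain, "spf": spf, "dmarc": dmarc["policy"], "findings": findings}


if __name__ == "__main__":
    for name in ("companyname.com", "weak.example"):
        report = assess_domain(name)
        print(f"{report['domain']}: SPF={report['spf']} DMARC={report['dmarc']}")
        for finding in report["findings"]:
            print("  -", finding)
```

To run this against a real domain, replace the dictionary lookup with a TXT query (for example via the `dnspython` resolver) for the domain and for its `_dmarc.` subdomain; the parsing and findings logic stays the same. Moving from `p=none` to `p=reject` is normally done after reviewing the aggregate reports sent to the `rua=` address, so that legitimate third-party mailers are added to SPF or signed with DKIM first.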