What is spear phishing? Recognize tailored emails

Anton P. | September 16, 2020

Spear phishing is a targeted attack against particular individuals or companies. Many phishing campaigns are random, targeting thousands of unrelated users at once. However, spear phishing chooses specific targets and tailors emails for them. 

So, spear phishing tries to steal personal information and money or infect systems with malware. Due to email spoofing and cloning, this fraud can convince users that dangerous emails come from legitimate sources. 

Thus, navigating your inbox or SMS messages safely becomes far more difficult. Learn how to defend against suspicious emails, SMS, and phone calls. 

What is spear phishing?

Spear phishing means sending personalized messages to pre-selected targets to gain confidential information or usernames and passwords. 

  • The attack can occur via various electronic means like emails, SMS messages, or phone calls
  • It combines social engineering techniques, deception, and a sense of urgency.
  • Spear phishing can target organizations, personal and business accounts.
  • Many attacks exploit various events, like the tax season. People might receive emails falsely claiming issues with their applications.
  • Spear phishing emails can claim to originate from services victims use, their colleagues, or local institutions. 
  • Emails or SMS messages can trick users into clicking on a link that leads to malicious websites. 
  • Phone calls could hope to extract personal information like social security numbers or bank details. 

What is an example of spear phishing? Real-life incidents

Our research indicates that spear phishing attacks cost victims from $100 to $1,000. While the odds are against legitimate corporations, spear phishing is not new. Its devastating impact is public knowledge, with Amazon customers being one of the victims.

Spear phishing against employees might remain under wraps. However, attacks against customers pop up regularly. Such repetitive strikes continue prowling for Facebook users. 

Countless posts and profiles on the platform help shape convincing spear phishing emails. Hence, highly personalized messages can spread malware, extort data, or compromise the target otherwise on any channel.

Characteristics of spear phishing 

A spear phishing attack has some unique characteristics: 

  • The scam involves personalized emails or calls, and criminals likely know many details about their victims. 
  • Spear phishing campaigns rely on having valid information about their targeted users. 
  • Attacks likely imitate or spoof legitimate email addresses to make their tactics more convincing. 
  • Tailored phishing also uses the standard methods of social engineering. 

Spear phishing vs. whaling vs. phishing 

Spear phishing uses tailored emails to trick users into revealing sensitive information or transferring money. Whaling works similarly, but it targets high-ranking individuals like politicians or CEOs. 

However, phishing is the most general term for all fraudulent emails, calls, or SMS messages. 

How does spear phishing work?

This tailored phishing attack works through several steps. 

Victim selection

The chances of becoming a target of spear phishing increase if you work for influential corporations. Scammers might go for employees with preferred access rights, confidential information, or other crucial obligations. 

The Twitter scandal illustrates this scenario perfectly. Hackers deceived carefully selected employees with a refined spear phishing technique. The staff exposed the internal operations of Twitter and gave unauthorized access to accounts.

Target and context analysis

Scammers usually have no issue figuring out employees’ full names, positions, teams, or even managers. 

Copying legitimate email templates or pre-recording similar interlude messages contributes to the convincing scam. With all the elements in place, hackers can send deceptive emails or contact victims via other means.

Adding targets’ private information

Custom emails are the main ingredients in spear phishing attacks. Crooks use the researched details and incorporate them into emails. 

For instance, a phisher can retrieve recent bank transactions and use them as a convincing lead. However, spear phishing is not always after monetary benefits. The payoff might come in confidential data.

Attack launch and negotiations

The fraudulent email might prompt victims to perform a specific action as quickly as possible. For instance, scams might trick users into clicking on a link or downloading files. 

Other con artists might encourage users to respond to emails. Then, data extortion occurs during seemingly ordinary communication.

Prevention of spear phishing attacks

Phishing only works if users click on links, respond to emails, or give their personal information. So, here are some tips that can make you more immune to these attacks. 

No harm should come to you even if you open a malicious email. However, you might still monitor your accounts and systems.

  1. Limit data-sharing online

Active participation in social networking or other channels could be the reason behind spear phishing. 

If there is enough information to profile you, scammers will misuse it. The simplest trick is to set all accounts to private: only reliable friends will see your full account info. However, influencers or people with an active presence online should be more careful online.

  1. Do not react to suspicious emails

If you receive a security alert from your bank, do not be hasty. Before clicking on links or downloading files from emails or SMS messages, verify the sender. 

Find legitimate contact information and call your provider to explain the situation. Furthermore, improve email security by reporting fraudulent and suspicious emails. Also, follow recommendations for blocking spam on popular email providers. 

  1. Keep the company’s email address secret

Your work email should not leave the internal operations of the corporation. Do not disclose it to any third party, or worse: do not link it to services unrelated to work.

Also, it is useful to learn about Slack security or other communications tools used.

  1. Perform regular security awareness training

Instead of relying on instincts, take time to learn about the current threat landscape. Spear phishing, social engineering, malware, and password security need to be the central topics of such training. For instance, it is also important to see if your credentials are not one of the worst passwords used.

  1. Look for grammatical errors

Mistakes and odd layout of the email could act as an indication that the email is fake. While sophisticated attacks can copy the design to the last detail, there still might be typos.

However, The Guardian makes an excellent observation of the influence of AIT chatbots on phishing. Scammers can now generate professional texts in minutes. Thus, grammatical errors might no longer be present in modern phishing emails. 

  1. Update everything regularly

The general rule is to use systems and programs with the latest updates and patches. Flaws could facilitate unauthorized access or lead to losses of data, later misused for scams.

  1. Use the latest security software

The burden of keeping track of your security is problematic. Automatization of this process is one way of protecting assets. 

Antivirus monitors your device and guarantees an optimized, virus-free experience. However, hackers’ advances make it clear that techniques for compromising data in transit grow by the day. 

The solution to this is Atlas VPN and its high-powered encryption. Thanks to the medley of tunneling and encryption, web traffic resists any attempts to intercept it.

Get all benefits VPN can provide

Get all benefits VPN can provide

Experience the internet without limits — no geo-blocks, censorship, or tracking. Atlas VPN is your daily companion for a more open & secure internet!
Anton P.

Anton P.

Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background of technical content writing.



© 2024 Atlas VPN. All rights reserved.