Spear Phishing: What It Is and How to Protect Yourself

It's the most effective form of email phishing

Spear phishing is a scam in which criminals carefully craft fake emails and send them to a very targeted audience or organization. The intention is to get you to provide bank or credit card information, or to get you to download a file that will infect your computer.

What Is Spear Phishing?

Spear phishing is a unique form of email spamming, because the emails are often sent to multiple users inside a company or other organization. Before sending the emails, the scammers conduct deep research into the organization.

By using this research, scammers customize the emails using names or company departments that you might recognize and trust. This results in a very high number of employees clicking these emails and falling prey to the scam.

[Illustration: A conceptual illustration of spear phishing. Lifewire / Theresa Chiechi]

Not only do spear phishing attacks target specific companies, but they may even target employees who work in individual departments inside that company.

How Does Spear Phishing Work?

In a standard email phishing campaign, criminals simply purchase an email list or download a list of compromised email addresses sold by hackers.

In the case of spear phishing, criminals are much more careful and intelligent about who they target and how they target them. The process usually follows the steps outlined below.

  1. Criminal organizations choose a company or organization they want to target. The reasons for developing a spear phishing campaign include any of the following:

    • Foreign governments looking to obtain proprietary company information.
    • Thieves hoping to convince HR employees to change direct deposit payroll information.
    • Criminals trying to fool employees into visiting a website and entering their bank or credit card information.
    • Hackers who try to get employees to install a file that provides them access to internal company servers and data.
  2. Hackers use a wide assortment of resources to collect information about employees they want to target. Social media is the most common collection point. For example, criminals will look at a CEO's LinkedIn page to find personal connections throughout the company. They'll also scour through Facebook and Twitter posts made by company employees to gather personal information.

    [Screenshot: a LinkedIn CEO profile]
  3. These criminals are looking for specific events or information that anyone internal to the company may recognize. For example, if someone from the company posts about an upcoming fundraiser for Habitat for Humanity, the scammers will capitalize on that by crafting and sending an email to company employees asking them to click a link to make a financial donation to Habitat for Humanity. This makes the email more relevant and more believable.

  4. The emails themselves are structured carefully. The sender address is spoofed so the email appears to come from someone within the company, such as the CEO, the HR department, or the IT department. Information gathered from social media is used to entice employees to open the email and visit a malicious website.

    [Screenshot: an example fraudulent email]
  5. Once employees click the link, it may be too late. A malicious file might automatically download and run, or the employee might unknowingly enter their employee details, like their network ID and password. With either a foothold on the employee's computer or a valid set of credentials, hackers can then gain access to the corporate network and start scanning it for company secrets.

  6. Because these campaigns are so well planned and targeted, spear phishing is extremely successful. It has also been increasing in recent years, driven not only by ordinary criminals looking for financial gain but also by foreign agents working to steal trade secrets.

How Do Spear Phishing Scammers Find Victims?

There are several things scammers look for when trying to identify what companies or individuals they want to target:

  • Attacks usually focus on individuals working at the same company or organization.
  • Victims are researched on popular social media platforms.
  • Employee names are pulled off company web pages that feature staff information.
  • Emails are sent to addresses guessed from the employee's name and the company's email format, such as first_name.last_name@company.com.

How Do I Avoid Being Targeted for Spear Phishing?

There are important things you can do to reduce the odds that you or your company will be targeted for spear phishing. Normally, the IT Security group in your company should have provided security training on protecting yourself from email phishing.

If they haven't, there are a few important issues you can keep in mind to protect yourself:

  • Check for generic contact names: Be wary of emails using generic department sender names like "The IT Department".
  • Avoid suspicious emails: Don't click email links that go to external websites, as these could be fake websites. Instead, open a browser and type the URL yourself.
  • Don't share work info: Avoid sharing information about internal company events on public social media accounts. Don't make posts about work on your personal social accounts, and avoid sharing which company department you work for in your online profiles, including LinkedIn.

How Do I Avoid Getting Involved in This Scam?

It's inevitable that at some point you're going to receive one of these emails in your company email inbox.

However well these emails are disguised, there are still indications that it's part of a spear phishing attempt:

  • Inspect email format: Since these emails fake internal company emails that normally come from an IT, HR, or corporate contact, compare the format of those emails with past emails you've received. Spear phishing emails will look very different.
  • Check email link: Hover your mouse over the link in the email. This will show you a preview of the URL. If the URL looks suspicious, it's likely the email is part of a spear phishing campaign.
  • Check contact's name: Look closely at the sender's name and email address. Since spammers usually have to guess the correct email format, a phishing email may not perfectly match the sender name or address of previous emails you've received from the real sender.
  • Research contact: If you're concerned, then verify. Look up the person sending the email in your company directory and send them an IM or call them to confirm they actually sent it.

If you believe you've received a suspicious email, immediately alert your company's IT Security department about the threat. They can put a filter in place to stop further emails from coming through and, if possible, trace the source of the threat and alert the authorities.

I'm Already a Victim. What Should I Do?

So you've received one of these emails and accidentally clicked the link, making you a potential scam victim. It's possible at this point your computer or even the corporate network itself is at risk.

There are a few things you should do immediately.

  • Alert your IT department: The earlier IT is notified about the issue, the sooner they can take action to stop the threat and protect the company. If you've fallen for the scam, then it's likely a lot of other employees have as well. Notifying IT first will help the company put protective measures in place immediately.
  • Reach out to your bank(s): If you clicked a link and entered your bank or credit card information on any website, make sure to notify that financial company immediately and ask them to put a freeze on the account. Some banks have a fraud alert page where you can report the fraud online.
  • Disconnect PC: If you accidentally downloaded or installed a malicious file from one of these phishing emails, immediately disconnect your computer from the company network and shut it down until you have talked to your IT department or reported it to other authorities. This could prevent the malware from spreading across the company network to other computers.