What is a Spear Phishing Attack?
A spear-phishing attack is a form of email scam that targets a specific individual, business, or organization. Spear phishing attacks are characterized by a high level of research into the target and a tailored approach with customized email messages crafted specifically for the intended victim.
Cybercriminals prepare for a spear-phishing attack by conducting in-depth research on the target. For example, they might use an organization’s “Team Members” or “About Us” web page to identify top-ranking executives, then scrape additional details about those individuals from social media pages, business directories, and lead generation services.
Compiling this information gives cybercriminals insight into the messaging, social engineering, and deceptive techniques that are most likely to succeed against the target. The next step is to write the spear-phishing email(s) that will be sent to the target. These emails use highly targeted messaging informed by the scammer’s research and may also employ email spoofing techniques to mask the cybercriminal’s identity or impersonate a trusted friend, colleague, family member, or business associate.
As with other types of email scams, the purpose of a spear-phishing attack is to financially defraud the recipient or convince them to disclose sensitive information.
Phishing Attack vs. Spear Phishing Attack – What’s the Difference?
In the world of cybersecurity, there are phishing attacks and spear-phishing attacks – but what’s the difference?
Phishing attacks are more widely targeted, with cybercriminals sending the same email with the same instructions to thousands or even millions of recipients. While a phishing email might be poorly targeted and unconvincing to the majority of recipients, some unsuspecting recipients may still fall victim to the scam.
In contrast, spear-phishing attacks are more narrowly targeted – often to a single organization, business entity, or a single person. This makes each spear-phishing attack more dangerous and more likely to succeed, as the attack has been customized to exploit the perceived vulnerabilities of the target.
When a cybercriminal engages in phishing, their goal is to “cast a wide net,” sending a high volume of emails to an extensive list of low-value targets and hoping that a small percentage will fall for the scam. Spear phishing uses the opposite approach, sending a highly targeted email to a high-value and highly researched target in hopes of a big payoff.
What is an Example of Spear Phishing?
When spear-phishing attacks succeed, they can have a devastating impact on the target organization. To illustrate this point, we can point to numerous successful spear-phishing attacks that received international news coverage and cost victims millions of dollars.
The DNC Phishing Attack
In 2016, a Russian hacker group known as Fancy Bear executed spear-phishing attacks against the Democratic National Committee (DNC), former Secretary of State Colin Powell, and Hillary Clinton’s campaign chairman John Podesta.
The hackers sent a spoofed email that appeared to be from Google, informing targets about a fraudulent login attempt on their Gmail account and directing them to change their password using a shortened URL link contained in the email.
The link brought targets to a hacker-controlled domain where their Gmail credentials were stolen. As a result, thousands of emails were stolen from the targets and eventually released by WikiLeaks.
Vendor Impersonation Attacks Targeting Facebook and Google
A Lithuanian hacker impersonated an overseas electronics vendor known as Quanta, which had contracts with Google and Facebook.
Over a three-year period, the criminal sent fake invoices to Facebook and Google amounting to over $100 million. Although the criminal was eventually captured and extradited to the United States, the victims were able to recover just 50% of the stolen funds.
FACC CEO Impersonation Scam
Another massive spear-phishing attack was executed against FACC, an aerospace components manufacturer based in Australia.
Cybercriminals posed as FACC CEO Walter Stephan and directed the company’s accounting and finance departments to make a wire transfer payment of around $47 million in relation to an acquisition project.
Although FACC was able to take action and prevent the loss of $10.9 million, the remainder of the money was quickly laundered through Asian and Eastern European banks. In the aftermath of the scam, FACC fired both its CEO and CFO and attempted to sue the pair for over $11 million in damages.
The lawsuit eventually failed and FACC posted annual losses in excess of $20 million for the year the attack took place.
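The two patterns in the examples above (a spoofed brand alert carrying a shortened link to a credential-harvesting page, and an executive impersonation asking for a wire transfer) leave traces that a mail gateway or SOC can check before a message reaches an inbox. The script below is an added example, not code from the original article or from any of the organizations named in it: it parses a raw email, compares the display name against the sending domain, checks Reply-To, reads the SPF/DKIM/DMARC verdicts a receiving gateway writes into Authentication-Results, and scans the body for shortened links and credential or payment language. The sample messages, the domains ending in .test, the example.com organization, the brand list and the executive name list are all constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed configuration for the defended organization (assumed values).
OUR_DOMAIN = "example.com"
VIP_NAMES = {"walter stephan"}                 # executives whose names get borrowed in CEO fraud
BRAND_DOMAINS = {"google": {"google.com", "accounts.google.com"}}
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
CREDENTIAL_TERMS = ("password", "sign in", "login attempt", "verify your account")
PAYMENT_TERMS = ("wire transfer", "invoice", "urgent", "confidential", "acquisition")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def analyze_message(raw: str) -> dict:
    """Return the sender address, a list of human-readable findings and a score."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    display_l = display.lower()

    # 1. A brand name in the display name, but the mail does not come from that brand's domain.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_l and from_domain not in domains:
            findings.append(f"display name claims '{brand}' but sender domain is {from_domain}")

    # 2. An executive's name in the display name, but the mail comes from outside our domain.
    if display_l in VIP_NAMES and from_domain != OUR_DOMAIN:
        findings.append(f"executive name '{display}' used from external domain {from_domain}")

    # 3. Replies are silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Sender-authentication verdicts recorded by the receiving gateway.
    auth = msg.get("Authentication-Results")
    if auth is None:
        findings.append("no Authentication-Results header: SPF/DKIM/DMARC were not evaluated")
    else:
        for mech in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{mech}=(\w+)", auth)
            if m and m.group(1).lower() != "pass":
                findings.append(f"{mech} did not pass ({m.group(1)})")

    # 5. Body content: links that hide their destination, and the lures used in both examples.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    body_l = body.lower()
    for url in URL_RE.findall(body):
        if (urlparse(url).hostname or "").lower() in SHORTENER_DOMAINS:
            findings.append(f"shortened link hides its destination: {url}")
    if any(term in body_l for term in CREDENTIAL_TERMS):
        findings.append("body asks for credentials or reports a login problem")
    if any(term in body_l for term in PAYMENT_TERMS):
        findings.append("body uses payment or urgency language")

    return {"from": addr, "findings": findings, "score": len(findings)}


# Constructed sample 1: a spoofed brand security alert with a shortened link.
SPOOFED_BRAND_ALERT = "\n".join([
    "From: Google Security <no-reply@accounts-google-mail.test>",
    "Reply-To: support@mail-help-desk.test",
    "To: staffer@example.com",
    "Subject: Someone has your password",
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=accounts-google-mail.test; dkim=none",
    "Content-Type: text/plain; charset=\"utf-8\"",
    "",
    "Someone just used your password to sign in to your Google Account.",
    "Change it now: http://bit.ly/constructed-example",
])

# Constructed sample 2: executive impersonation from a lookalike domain that passes SPF/DKIM.
CEO_WIRE_REQUEST = "\n".join([
    "From: Walter Stephan <walter.stephan@example-corp-mail.test>",
    "Reply-To: walter.stephan@example-corp-mail.test",
    "To: accounting@example.com",
    "Subject: Acquisition project",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-corp-mail.test; dkim=pass header.d=example-corp-mail.test; dmarc=none",
    "Content-Type: text/plain; charset=\"utf-8\"",
    "",
    "Please arrange an urgent and confidential wire transfer for the acquisition project.",
    "I will send the account details shortly.",
])

# Constructed sample 3: a legitimate internal message, for comparison.
LEGITIMATE_INTERNAL = "\n".join([
    "From: Walter Stephan <walter.stephan@example.com>",
    "To: accounting@example.com",
    "Subject: Q3 report",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass",
    "Content-Type: text/plain; charset=\"utf-8\"",
    "",
    "Attached is the Q3 report for review. Thanks.",
])

if __name__ == "__main__":
    for sample in (SPOOFED_BRAND_ALERT, CEO_WIRE_REQUEST, LEGITIMATE_INTERNAL):
        result = analyze_message(sample)
        print(f"{result['from']}: score {result['score']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Note what the second sample shows: SPF and DKIM both pass, because the attacker controls the lookalike domain and has set up its records correctly; sender authentication only proves the mail came from the domain it claims, not that the domain belongs to the executive. That is why the executive-name and external-domain check, and the payment language check, are needed alongside it, and why out-of-band confirmation of any wire request remains the control that actually stops the FACC-style loss.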
Why is Spear Phishing So Dangerous?
Spear phishing has become increasingly dangerous in our digital-first world, where it is now easier than ever for cybercriminals to find detailed information about their targets posted publicly online. The availability of this information gives spear-phishing cybercriminals the ability to compile detailed profiles of their targets and customize their attacks for maximum effect.
Our examples demonstrate that even highly qualified corporate executives and political operatives can fall victim to spear-phishing emails, especially when they are contextually targeted and appear to come from a trusted source.