In a previous blog post, we explained the basics of Phishing. However, spear phishing is a more targeted and dangerous form of this cyber attack. In this post, we will delve into the details of spear phishing and its risks for individuals and businesses.
Spear phishing involves an attacker targeting a specific individual or organisation with a scam via electronic communication. The attacker gathers personal information about the victim through open source intelligence gathering techniques to make the scam more believable and successful. If an email contains factual information about the victim, they are more likely to trust it.
Spear phishing has resulted in many data breaches, identity thefts, and loss of large sums of money. Some notable examples include Ubiquiti Networks Inc., who lost $46.7 million due to a spear phishing attack, and Chinese military hackers stealing American trade secrets through cyber espionage.
As attackers gather extensive information about a company before carrying out their attack, they can easily find relevant topics to scam people with. For example, if an attacker knows someone is on holiday on a specific day, they can send an email impersonating that person and ask for sensitive data or invoices.
Spear phishing attacks are difficult to identify; therefore awareness is key in defending against them. Dubious emails should be followed up with phone calls before any action is taken, staff should be informed that they will never receive emails from personal email addresses, and recipients must check where links go before clicking on them.
At Pentest People, we have a full phishing platform that can be used as part of social engineering engagements. Get in touch with us if you're interested in learning more about how we can help protect your business against spear phishing attacks.