Spear Phishing and Phishing: What Is Phishing
Spear phishing and phishing – what is it?! It sounds like you’re trying to find dinner for the night, but sadly, you’ll not get any battered cod after this type of phishing.
No, you’ll have opened a portal for cybercriminals to come in and breach your business. It’s definitely not the fun type of fishing.
Imagine the scenario below to get a feel for what a spear phishing or phishing attack is like:
Okay, okay, you need to calm down. It’s okay. Everything is going to be okay.
Yes, you’re facing a tight deadline, with only an hour to go, but you can handle it. All you need to do is focus, bury your head in your spreadsheet, and stay calm. The stress coursing through your body isn’t doing you any favours, and it’s crucial to find a way to relax.
However, it’s easier said than done, especially with Bob seated right beside you. How are you expected to concentrate when your ears feel like they’re about to burst from the relentless clatter of Bob’s incessant typing?
He seems to be assaulting the keyboard, striking each key with a forceful and deliberate press, one letter at a time.
You’ve Got No Choice
You can’t stay here. You’ve got about 10 seconds to grab your laptop and your fresh coffee and sneak into the meeting room before anybody else can notice that it’s free. However, all of a sudden you get an email from your director. He’s asking about the spreadsheet you’re working on and he needs you to look at something that might help.
By the lord and Saviour, hopefully, this link will help you. You click on the link but it takes ages to load. Seconds are ticking by and your anxiety is skyrocketing when all of a sudden you notice that Tracy is looking directly at the free meeting room.
Luckily, you’re closer and more senior. So you run like you’ve never run before. You quickly grab your laptop and your freshly made coffee – and you head into the meeting room.
You place your laptop and your coffee down on the massive meeting room table. After you take a seat at the table, you take a well-earned sip of your hot coffee. This is your place to relax.
But, what’s happening? What have you found? Your laptop has gone black and won’t start up. After furiously pressing all of the buttons to get it back on, it’s still not working…
There’s nothing you can do now other than jump out of your chair and head back to the body of your office. Who is it you’re looking for, who’s in IT again? Mark.
You notice him in the corner of the office, head down to his computer. You summon him loudly and everybody in the office looks up whilst he jumps. He meets your gaze and he can just tell something is wrong. He quickly gets out of his seat and meets you in the meeting room with his own laptop.
However, after trying to turn your laptop on and failing, Mark goes to his own laptop to see what he can do.
Do you remember that email your ‘director’ sent you? Yeah, that wasn’t him. That link you clicked on was a spear phishing attack, and all your important financial documents have been leaked.
How did that happen? What does a phishing attack even mean? Read on to learn more, and how to prevent it.
As the CFO, I’m sure you’re aware of the dangers of phishing attacks – but do you know the meaning of a phishing attack?
A phishing attack is where cybercriminals deceive people online into revealing sensitive information (e.g. financials) or installing malware (for example, ransomware and spyware).
Phishing messages are typically sent over email and urge the victim to click a link or open an attachment so that the attacker can steal information or install malware. The average phishing email is sent in bulk to see who ‘takes the bait’ (hence the name phishing) and lets the attacker in.
What Can Phishing Attacks Do
Phishing attacks can compromise all of your business’s data, give the attacker access to your online accounts and any accounts connected to them, and hold your data to ransom with ransomware.
Here in the UK, a phishing attack is also one of the most common cyber attacks your business is at risk of, with 79% of all cybercrime in 2023 starting with a phishing attack.
Okay, so now you know the meaning of a phishing attack, but that doesn’t help you when you’re looking for one.
The best way to learn to spot a phishing attack is to study an example phishing email and apply what you learn to real life. So, have a quick look at the picture below and see if you can spot the indicators of a phishing email:
Well, check below to see if you got them all:
How did you do? Did you find any that I’ve missed? I hope there aren’t some that I’ve missed, but you never know!
Here I’ll go into depth on each of the indicators you can see in this example.
- The most important indicator is the wrong email address. Do you see the extra ‘r’ in what should be rbs.co.uk? Before you click on any links, make sure the email is coming from the right email address (and double-check, because your brain will happily skim over an extra letter!).
- The second indicator is common sense, but you do have to stop and think about it. Depending on which mailbox the email lands in, its arrival there may be unusual. In this case, it’s unusual for a bank statement to be sent to a business’s general contact email address.
- The third indicator is that the email is not personalised with your name, which an email from your bank would be. A generic greeting tells you the email is being sent to the masses.
- This may be the trickiest indicator to spot, and it doesn’t appear in every phishing email, but is this actually your account number? If not, it’s a phishing email.
- Number 5 is another of the most important and easiest-to-spot indicators of a phishing email: spelling mistakes. Phishing emails are notorious for spelling mistakes and poor grammar, although this may change in the coming years with AI.
- This indicator should be a red flag, as no bank or business should ask you for your whole security code. If a business needs a security code, it would typically ask for only a couple of characters from it, and it would never need the whole thing.
- This indicator is a big one, as it asks you to click on a suspicious link. Try not to click any links in emails unless absolutely necessary!
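To make the indicators above concrete, here is an added example (not code from the original post) that scores a constructed email, modelled on the RBS lookalike described above, against each of the seven indicators in turn, and runs a constructed legitimate statement email through the same checks for comparison. The sender domain rrbs.co.uk, the shared mailbox, the account numbers, the link hosts and the misspelling list are all constructed for the example; a real deployment would take the known-good bank domains and account numbers from the organisation’s own records and use a proper spell checker and HTML parser.

```python
"""Score an email against the seven phishing indicators discussed above."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organisation data (constructed for this example).
KNOWN_BANK_DOMAINS = {"rbs.co.uk"}                     # where real bank email comes from
SHARED_MAILBOXES = {"contact@example-business.co.uk"}  # statements should never land here
OUR_ACCOUNT_NUMBERS = {"87654321"}                     # the organisation's real accounts
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued customer", "dear sir/madam")
COMMON_MISSPELLINGS = {"statment", "availble", "recieve", "acount", "verfy"}  # tiny offline checker

# Constructed phishing sample: lookalike domain "rrbs.co.uk", generic greeting,
# someone else's account number, misspellings, a request for the whole security
# code and a link to an unrelated host.
SAMPLE_PHISH = """\
From: RBS Online Banking <statements@rrbs.co.uk>
To: contact@example-business.co.uk
Subject: Your statment is ready - action required
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Your statment for account 12345678 is now availble.</p>
<p>Please confirm your full security code and
<a href="http://rrbs-secure-login.example/verify">click here</a> to log in.</p>
</body></html>
"""

# Constructed legitimate sample for comparison: right domain, named recipient,
# our own account number, no misspellings and a link to the bank's real host.
LEGITIMATE_EMAIL = """\
From: RBS Online Banking <statements@rbs.co.uk>
To: finance@example-business.co.uk
Subject: Your statement is ready
Content-Type: text/html

<html><body>
<p>Dear Ms Example,</p>
<p>Your statement for account 87654321 is now available in online banking.</p>
<p>Log in at <a href="https://www.rbs.co.uk/">www.rbs.co.uk</a> as usual to view it.</p>
</body></html>
"""


def phishing_indicators(raw_email: str) -> list[str]:
    """Return one finding per indicator that fires; an empty list means none did."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    html = msg.get_payload()
    # Simple regex link extraction is enough for the constructed sample above.
    links = re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.S)
    text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)
    lower = text.lower()
    findings = []

    # 1. Sender domain is not a known one but looks almost like one (the extra 'r').
    if sender_domain not in KNOWN_BANK_DOMAINS:
        for known in KNOWN_BANK_DOMAINS:
            if SequenceMatcher(None, sender_domain, known).ratio() >= 0.8:
                findings.append(f"lookalike sender domain {sender_domain!r} (expected {known!r})")
    # 2. A bank statement arriving in a shared or general-purpose mailbox.
    if recipient.lower() in SHARED_MAILBOXES:
        findings.append(f"bank email delivered to shared mailbox {recipient!r}")
    # 3. Generic greeting instead of the recipient's name.
    if any(g in lower for g in GENERIC_GREETINGS):
        findings.append("generic greeting rather than the recipient's name")
    # 4. An account number that is not one of ours.
    for acct in sorted(set(re.findall(r"\b\d{8}\b", text))):
        if acct not in OUR_ACCOUNT_NUMBERS:
            findings.append(f"account number {acct} is not one of ours")
    # 5. Spelling mistakes (a real deployment would use a proper spell checker).
    misspelt = sorted(set(re.findall(r"[a-z]+", lower)) & COMMON_MISSPELLINGS)
    if misspelt:
        findings.append("spelling mistakes: " + ", ".join(misspelt))
    # 6. A request for the whole security code, password or PIN.
    if re.search(r"\b(full|whole|entire|complete) (security code|password|pin)\b", lower):
        findings.append("asks for the whole security code")
    # 7. A link whose destination host is not the bank's.
    for href, label in links:
        host = (urlparse(href).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in KNOWN_BANK_DOMAINS):
            findings.append(f"link {label.strip()!r} points to untrusted host {host!r}")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legitimate", LEGITIMATE_EMAIL)):
        print(name, phishing_indicators(sample))
```

Run it and the constructed phishing sample trips all seven indicators while the legitimate statement trips none. The lookalike check deliberately uses a similarity ratio rather than exact inequality, because the whole point of the extra ‘r’ is that the domain is almost, but not quite, the real one.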
Overall, there are noticeable indicators of a phishing email in this example, as long as you know what you’re looking for! It can be hard to tell phishing from spam, though. Find out how below.
Now that you’ve seen our phishing example above, you’re probably thinking of all the suspicious emails you’ve been sent over your lifetime. Yes, some of these are probably phishing emails, but some may just be spam. So, what is the difference between phishing and spam?
Well, although phishing and spam emails are both unwanted, spam emails are not always dangerous: they are typically just people trying to get you to buy something. And whilst annoying, spam is not malicious like phishing attacks are!
Phishing emails are trying to steal your sensitive information or to install malware on your systems, whereas spam just wants you to buy something.
Have a look at the image below, I’m sure it doesn’t look as malicious as the last email pretending to be RBS:
There’s nothing really wrong with this email other than the fact that I don’t know the company, I didn’t ask to be emailed, and they are trying to sell me something.
It doesn’t have the indicators of the last phishing email: it’s not trying to pretend to be something it’s not, it’s not got lots of spelling mistakes, and it’s not asking me for any security codes. However, it is asking me to click on a link which is an indicator of a phishing email.
Overall, phishing vs spam have similarities, but phishing is usually more malicious. However, a phishing email is not the most malicious email you need to watch out for – you need to watch out for a spear phishing email.
Spear phishing is a more malicious type of phishing attack as it is used to target specific groups or individuals within an organisation – making the attacks more personal.
Spear phishing uses malicious tactics by personalising attacks on platforms such as emails, social media, instant messaging, and other platforms. They do this to get users to divulge personal information or perform actions that can cause network compromise, data loss, or financial loss.
Cybercriminals who are using the spear phishing tactic will typically go out of their way to learn and pretend to be someone the victim trusts so that they can avoid suspicion and complete the attack.
Although spear phishing and phishing both aim to steal sensitive information or infect the targets’ devices with malware, spear phishing is targeted so that more of the people who receive it are infected.
Here is an example of a spear phishing email we have had just this week.
Usually, the cybercriminals who use spear phishing are targeting those higher up in an organisation, such as business owners, directors or those in control of the finances. The aim is to gain control of the business’s finances or confidential company information.
Cybercriminals will trawl a company’s website, LinkedIn and other public sources to find out who is the best person to target in an organisation.
How It’s Sent
Spear phishing attacks are usually sent via email to the bigger targets in an organisation. They take advantage of human nature (such as wanting to help, or obeying those higher in authority) and prey on people’s good intentions so that they click on a malicious link or attachment.
How To Identify Spear Phishing
Because spear phishing emails are crafted to win the victim’s trust, they are harder to identify than your usual phishing emails. Here are some of the top questions you can ask yourself to identify a spear phishing email:
- Who has sent the email: Check the sender of the email and see whether the address matches the person you trust. Go over the sender with a fine-tooth comb, though, as the address may be very similar to that of the person you trust!
- Do I have an email filter: Use an email filter to scan attachments and to check for malicious links or attachments within the body of the email.
- What are they saying in the email: Spear phishing attacks usually rely on social engineering to get you to click a link or attachment. Be wary of any email that asks you for private information or that creates a sense of urgency.
- What is the email subject line: Spear phishing emails typically use subject lines that grab your attention or create a sense of urgency for you to respond (e.g. ‘You owe the HMRC. Send now’).
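Here is an added example (not code from the original post) that works through those four questions for a constructed spear phishing email aimed at a finance lead, alongside a routine message from the same colleague for contrast. The trusted-contact directory, the domains, the phrase lists, the message text and the attachment are all constructed for the example; in practice the directory would come from the organisation’s address book and the attachment check would be done by a real email filter.

```python
"""Work through the spear phishing questions above for a constructed email."""
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data (constructed for this example).
TRUSTED_CONTACTS = {"jane director": "jane.director@example-business.co.uk"}
URGENCY_PHRASES = ("urgent", "immediately", "today", "send now", "right away", "asap")
REQUEST_PHRASES = ("bank details", "payment", "transfer", "gift card", "password", "between us")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".bat", ".html", ".iso")

# Constructed spear phishing sample: a real director's display name on a
# freemail address, a different Reply-To, an urgent payment request, a plea
# for secrecy and a double-extension attachment.
SAMPLE_SPEAR_PHISH = """\
From: Jane Director <jane.director.ceo@freemail.example>
Reply-To: accounts-jane@another-freemail.example
To: cfo@example-business.co.uk
Subject: Urgent - supplier payment needed today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi,

I'm stuck in a meeting and can't take calls. Please pay the attached invoice
today and reply with the bank details you used. Keep this between us for now.

Jane
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ-constructed-placeholder-not-a-real-file
--b1--
"""

# Constructed routine internal email from the same director for comparison.
ROUTINE_EMAIL = """\
From: Jane Director <jane.director@example-business.co.uk>
To: cfo@example-business.co.uk
Subject: Q3 spreadsheet
Content-Type: text/plain

Hi, could you share the Q3 cash-flow spreadsheet when you have a moment? Thanks, Jane
"""


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def spear_phishing_checks(raw_email: str) -> dict:
    """Answer the four questions for one message; two or more findings is suspicious."""
    msg = message_from_string(raw_email)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # Who has sent the email?  A familiar display name is not enough: the address
    # must be exactly the one in the directory, and replies must go back to it.
    expected = TRUSTED_CONTACTS.get(display_name.strip().lower())
    if expected and sender.lower() != expected:
        findings.append(f"display name {display_name!r} but address {sender!r}, not {expected!r}")
    if reply_to and _domain(reply_to) != _domain(sender):
        findings.append(f"Reply-To domain {_domain(reply_to)!r} differs from From domain {_domain(sender)!r}")

    # Do I have an email filter?  The bare minimum a filter does: inspect attachments.
    body_parts = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {filename!r}")
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))

    # What are they saying, and what is the subject line?  Look for urgency and
    # for requests involving money, credentials or secrecy.
    haystack = (msg.get("Subject", "") + " " + " ".join(body_parts)).lower()
    urgency = sorted(p for p in URGENCY_PHRASES if p in haystack)
    if urgency:
        findings.append("urgency language: " + ", ".join(urgency))
    requests = sorted(p for p in REQUEST_PHRASES if p in haystack)
    if requests:
        findings.append("asks for money, data or secrecy: " + ", ".join(requests))

    return {"findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    print(spear_phishing_checks(SAMPLE_SPEAR_PHISH))
    print(spear_phishing_checks(ROUTINE_EMAIL))
```

The first question is the one that matters most, and the check is deliberately strict: the display name "Jane Director" is matched against the directory and the address must be exactly the one on file, because a spear phisher can put any name they like in front of any address they control. The routine message passes every check; the spear phishing sample produces five findings.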
Identifying a spear phishing email and not clicking on it is the best way for you to stay safe as the CFO. You hold all the business’s finances, so you can bet people want to chance an attack on you.
But what are the real differences between spear phishing and phishing?
Unlike phishing attacks, which are all about the quantity of emails sent, spear phishing attacks are about the quality of the emails sent. A spear phishing attack focuses on specific targets and involves prior research so that the attacker gets the most out of the people they are attacking.
Spear phishers conduct thorough research on their targets, aiming to make their emails appear as if they come from trusted sources rather than random individuals, as is often the case with typical phishing emails.
However, just like regular phishing attempts, once the victim falls for the scheme and takes the desired action, the attacker gains access to the targeted legitimate user’s credentials and can infiltrate the network without detection.
This remains the ultimate objective of any phishing email, whether it’s spear phishing or the more common form of phishing.
But here are the biggest differences between spear phishing vs phishing:
Spear Phishing vs Phishing
- Targeting: Phishing attacks are sent to a large number of people, while spear phishing attacks are highly targeted and focus on specific individuals or groups within an organisation.
- Personalisation: Spear phishing attacks are personalised and often appear to come from a trusted source, while phishing attacks are not personalised and may use generic language.
- Goal: Phishing attacks aim to steal personal information such as login credentials or credit card numbers, while spear phishing attacks aim to gain access to sensitive information or systems within an organisation.
- Success rate: Spear phishing attacks have a higher success rate than phishing attacks because they are more targeted and personalized (65% of all cyberattacks are due to spear phishing).
Overall, spear phishing and phishing have many similarities, but spear phishing is the more malicious brother of phishing. The same prevention methods can be used for both though.
You’ve probably noticed that throughout this blog, I’ve spoken a little bit about how to identify a spear phishing scam. But here’s everything summed up about how to prevent a phishing attack and a spear phishing attack:
- Remember what a spear phishing or phishing scam looks like: If an email asks you for personal information or for immediate action, be wary and cautious.
- Don’t click on any links or attachments: Don’t click on anything unless you are 100% certain it is real.
- Use security software: Use email filters with Advanced Threat Protection (ATP) and endpoint protection to protect your business from threats. If you’re looking for an email filter with ATP, contact us here at Jera today.
- Keep software up-to-date: Out-of-date software carries unpatched vulnerabilities, so malicious emails and attachments are more likely to slip through and do damage. Keep things secure by keeping software up-to-date.
- Enable multi-factor authentication: When you use multi-factor authentication, it is harder for cybercriminals to gain access to systems within your organisation.
- Be cautious with sensitive information: Never give out sensitive information because an email has told you so. Log in to systems the way you usually would – not through an email link.
- Educate yourself and others: Get phishing training for you and your team to learn how to spot phishing emails. To get your team trained for free, Jera is running a free 6-month trial of phishing training; contact us now to learn more.
Here at Jera, we’re offering free phishing training for you and your team* if you’re looking to improve your skills at identifying phishing emails.
Just contact us on the link here and we’ll be in contact to get your free phishing training set up.
*Free phishing training is only available to businesses over 20 people and who reside in Scotland.