Image: spear phishing is a common issue (image credit: Scam Vectors by Vecteezy).

What is Spear Phishing – and Why Does it Still Work?

A danger lurks inside your organization.

It’s a looming, ever-present, and ever-growing threat to your business’s security. It is the bane of Cyber Security teams around the world. They curse it by name.

Its name is… Tom.

Or Brenda, Marshall, Marcus. Take your pick from among your most valued and cherished team members.

Each and every employee presents an attack vector and massive security threat to your organization’s integrity. Cutting-edge cyber security measures won’t help.

Think this is hyperbolic? Think again.

As more and more sensitive business moves online, total digital exposure is increasing.

Despite the $160 billion invested in cybersecurity measures in 2022, the most common vector of cyberattack skirts every incident response measure and sidesteps breach mitigation strategies.

A shocking 82% of the 4,145 organizations breached in 2022 were exposed by some form of “social” phishing attack.

Mysteriously, not only is phishing still working, it’s actually working better than ever before. How is this possible? Just what is spear phishing, and how is it dancing around modern cyber security protocols?

Modern Phishing Tactics Aren’t Broadly Understood

Most people are aware of phishing and think themselves savvy enough to steer clear of it. Yet phishing was the most costly form of cyberattack to businesses last year.

Clearly, teams are more susceptible to your average attack than we want to believe.

Attackers aim to slip through the cracks and disproportionately target higher-level (and busier) team members. Ironically, it’s exactly these team members with greater responsibilities and more sensitive accesses who tend to have less time to vet their emails.

Often, sophisticated spear phishing attacks are nearly indistinguishable from real emails, and prey on urgency and emotion to cloud better judgment.

Clearing up Phishing vs. Spear Phishing

Phishing and spear phishing are often conflated, particularly during internal cyber security planning.

This is understandable – the threats drive to similar goals by similar means. Both attempt to exploit sensitive information, usually for monetary gain, and at the expense of the victim. Both can use email, text messages, or other “personal” mediums of digital communication.

Traditionally, phishing casts a wide net. Using automated tools, attackers can send hundreds or thousands of generic messages to non-specific targets. Their hope is that the sheer quantity of attempts will yield a handful of victims.

Because they are generic and easy to do, phishing attacks are often sloppy, noticeable, and ultimately not very effective. Sophisticated teams with basic cybersecurity will evade or block dozens if not hundreds of phishing attempts every month, and with minimal effort.

Spear phishing is distinctly different in this respect – it is targeted and personal, and often intends to slip by, unnoticed. This means it can be more effective, and more damaging, to businesses.

What is Spear Phishing?

Spear phishing is a targeted form of phishing directed at an individual or organization.

The end goal of spear phishing is to deceive the target and create or exploit a security breach. The attackers’ goals can vary – they may want to collect sensitive login credentials, or install malware on company devices.

To successfully deceive victims, spear phishing characteristically uses highly-targeted personal information to make the scam more convincing.

How does spear phishing work?

Spear phishers rely on their ability to develop a scam that appears legitimate.

To achieve the airs of legitimacy, attackers may go to great lengths. They first seek to identify personal email addresses, phone numbers, or job titles.

Then, they often dive much deeper – they may seek tangential information such as the names of family members, or more specific personal information about their targets such as hobbies, preferences, and day-to-day lifestyle.

They use this information to craft an attack that’s so carefully designed, victims often expose extremely sensitive information without realizing what they’ve done.

The payoffs can be massive – the average successful phishing attack cost organizations $4.91M in 2022.

Chart: phishing (of which spear phishing is a part) is the most expensive type of attack. IBM’s Data Security report showed phishing to be both the most costly category and one of the most common attack strategies.

The outsized financial payoffs mean attackers can afford to be patient – to build out detailed profiles of their victims for months or years on end.

Rarely, if ever, do prospective victims know they’ve been targeted before an attack is launched. And the more time attackers have to work on a profile, the more likely they are to find a vulnerable avenue for their attack.

So how does this all work? Common methods of spear phishing:

Mediums and methods of attack vary as much as the end goals of attackers.

A simple phishing example is a classic malicious email, designed to appear to come from a trusted source, such as a bank or financial provider like Paypal.

Superficially, the email may look identical to legitimate emails. They might even use identical designs. But the links, when clicked, will direct users to a fake login, which collects their password information and sends it to the attacker.

Similar attacks can be deployed with text messages (called smishing) or phone calls (called vishing).

When attackers spear phish, they go beyond these simple tactics.

Usually, their aim is to circumvent traditional security measures by accessing people on a personal level. Their attacks are designed to hide in plain sight, and the most successful attacks are rarely straightforward to notice.

For example, you may have two-factor authentication set up for your company bank logins. Two-factor authentication makes it difficult for anyone to hack your business banking platform, even if they did somehow get login info via a fake login email.

But maybe your Sr. Accounting Analyst is at a bar with his friends at 8:03 pm on a Friday when he receives a text message “ding” – followed by a frantic email from his CEO. The email is demanding that the Analyst share the two-factor authentication code he just received via text “or else.” It blames some vague “screw-up” on him. Immediately the Analyst feels both threatened and annoyed.

So what does he do? He fires back the code via email. Then he grumbles, mutes his phone, and returns to conversation with his friends.

It’s only come Monday morning that he notices the frantic email came from a strange-looking email address. What’s more, someone has wired the company payrolls to an off-shore cryptocurrency exchange.
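The scenario above has two tells a mail filter or a report-this-message tool could surface before Monday: a display name that claims to be the CEO while the actual address is a lookalike of the company domain, and pressure language paired with a request for an authentication code. The following is an added example written for this article, not code from the original post or from Privacy Bee; the organisation domain, executive list, keyword lists and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the Friday-night "CEO" message from the scenario above.
SAMPLE_EMAIL = """\
From: "Dana Reyes, CEO" <dana.reyes@examp1e-corp.com>
To: analyst@example-corp.com
Subject: URGENT - need that code now
Date: Fri, 03 Mar 2023 20:03:00 -0500

Send me the 2FA code you just got by text right away or else.
This screw-up is on you.
"""

# Hypothetical organisation data the check is run against.
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVES = {"dana reyes": "dana.reyes@example-corp.com"}
URGENCY_TERMS = ("urgent", "right away", "immediately", "or else", "asap")
SECRET_TERMS = ("2fa", "two-factor", "verification code", "authentication code", "otp")

def _lookalike(a, b):
    """True if the two domains differ by a single character edit (e.g. '1' for 'l')."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    # One insertion/deletion: removing some character of the longer yields the shorter.
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def analyse(raw):
    """Return the reasons a message looks like executive impersonation (empty if none)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    reasons = []
    # 1. Display name matches a known executive, but the address is not that executive's.
    for name, real_addr in EXECUTIVES.items():
        if name in display.lower() and addr.lower() != real_addr:
            reasons.append(f"display name '{display}' claims to be {name} but address is {addr}")
    # 2. Sender domain is external; flag lookalikes of our own domain separately.
    if domain != INTERNAL_DOMAIN:
        kind = "a lookalike of " + INTERNAL_DOMAIN if _lookalike(domain, INTERNAL_DOMAIN) else "external"
        reasons.append(f"sender domain {domain} is {kind}")
    # 3. Pressure language combined with a request for an authentication code.
    if any(t in text for t in URGENCY_TERMS) and any(t in text for t in SECRET_TERMS):
        reasons.append("urgent request for an authentication code")
    return reasons
```

Running `analyse(SAMPLE_EMAIL)` returns all three reasons; the same text sent from the real executive address still trips the third check, which is the one that should prompt a phone call rather than a reply.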

Teams Rarely Recognize Modern Phishing Attempts and Remain Susceptible Even After Training.

Though dramatized, the preceding example highlights the realities of Spear Phishing attacks:

They are not easily prevented – they’re difficult to identify, varied in their methods, and resistant to preventative training. One study found training on phishing to have no measurable effect on outcomes – most participants clicked the phishing links even when primed with training on phishing.

Another showed that particular team members are often the most vulnerable to phishing tactics, and this may be because of personality traits. Agreeable, neurotic, and conscientious people clicked phishing links most often across all age groups; age and technical sophistication also showed smaller correlations.

Research like this indicates that cyber security teams will continue to face threats from spear phishing: so long as bad actors are able to source and manipulate information about employees and organizations, they will exploit it.

Thus the next logical question arises – how do we combat or impede the ability of attackers to exploit our teams?

Unfortunately, it’s altogether too easy for motivated attackers to craft highly effective phishing messages. The rise of data breaches and exposures, combined with the explosion of legal data harvesting services, means that – for just a few dollars – today’s attackers can source, scrape, or purchase large swaths of information about specific individuals and use that information in crafting their attacks.

How Do Spear Phishing Attackers Get Access to Your Data in the First Place?

Many Privacy Bee customers are surprised to learn that attackers do not need to have significant technical capabilities or complex attacks to get access to personal information.

In fact, most of the information commonly used to construct these attacks is available to anyone who asks – for just a few dollars.

Common sources of personal information include:

Data Brokers (Legal): Anyone with a credit card and a few dollars to spare is able to create an account with platforms like Spokeo and instantly get access to swaths of personal data. This data is highly specific and includes:

  • Contact Information (Phone Numbers, Email Addresses)
  • Social Media Accounts
  • Location Information (Personal Address Histories, Associated Addresses)
  • Relationships (Family Members, and their related information)
  • And more.

Scraping (Legal): By “scraping” data from public profiles such as Facebook, Twitter, Instagram, and other accounts, attackers can gather large amounts of very specific information – for example, political preferences, voting history, close friends and contacts, current events, and travel history.

They do this manually, or with the assistance of automated programs and tools.

Data Breaches (Illegal): On the illegal side, data breaches regularly expose large amounts of personally identifiable and sensitive data. In 2021 alone, nearly 300 million people had personal information exposed in confirmed data breaches.

Blending that illegally sourced data – for example, bank information or email accounts and providers – with the legally obtained data above allows attackers to create a fuller picture of someone’s digital footprint. As it turns out, attackers don’t much mind whether they’re using legal or illegal methods to obtain data, and spear phishers typically employ both to develop highly specific profiles of targets before executing attacks.

How Can Spear Phishing Be Defended Against?

Of course, organizations can do their best to ensure team members are aware of the danger and on the lookout for suspicious emails, phone calls, and text messages. And best-practice cybersecurity protocols will help mitigate negative outcomes in the event of an attack.

However, few if any methods directly prevent the possibility of a successful attack occurring in the first place.

Attackers are utilizing data they’ve already located on the surface web or dark web to plan and construct their attack. As explored above, the best password protection and infrastructure firewalls are often readily circumvented via personalized attack messages.

Thus, it becomes increasingly important to keep the personal information of your teams as private as possible. Privacy Bee offers free external data audits for organizations, so you can see how much of your team’s information has already been exposed.

When your privacy exposures have been identified, Privacy Bee helps you remove this data from the web and continuously monitors for future exposure.

What’s Privacy Bee?

Privacy Bee is an all-in-one personal and professional data privacy platform.

We’re not a cybersecurity platform. Privacy Bee is a data breach prevention tool, designed to reduce the chances of a breach occurring in the first place. 82% of today’s data breaches occur through social engineering and phishing attacks. Our platform eliminates your data from the web and reduces the chance your teams are ever targeted in attacks.

For more information on how we can secure your business, talk to our team today.

Don’t want to chat? Sign up for free to see your employee’s External Data Exposure.
