Phishing vs Spear phishing: There is a lot of phish in the sea
The biggest difference between spear phishing and phishing is the target. Picture this:
You are out on a fishing trip with a friend, looking to catch some fish for tonight’s dinner. Your friend isn’t really bothered about what you catch, as long as something ends up on the plate, while you have set your mind on catching a swordfish.
Because your friend doesn’t care what they catch, they take out their fishing rod, sit down and wait to see what bites. You, on the other hand, bring out a spear and start staring down into the ocean…
Your friend quickly catches a small, tasteless codfish, which fills their stomach for just this evening. You, on the other hand, wait for the rest of the day until, eventually, that big, juicy swordfish passes. And then, you strike! Your patience rewards you with a luxury dish for this evening... and the rest of the week.
Well, this analogy got intense very quickly – the same way that spear phishing levels up the intensity of normal phishing.
Phishing is a form of social engineering: the act of tricking someone into doing something they wouldn’t normally do. This could be giving out sensitive or personal data, or carrying out a task on the attacker’s behalf.
Phishing is characterized as a high-volume attack, spammed to a large number of people via email. This means that the messages are not personalized, and the recipient is usually encouraged to open links or attachments… And we all know what those contain. Malware for everyone! Not exactly the kind of surprise you want.
An example of a traditional phishing email is the infamous “Nigerian prince”. This scammer claimed to be the director of the state-owned Nigerian National Petroleum Corporation. Their email stated that the prince wanted to transfer 20 million dollars to the recipient's bank account. The catch? The recipient had to share their bank details, and we think you can guess what happened after they did this...
Another popular phishing email is one containing a link that claims to lead to a software update. These scams can be really hard to detect, as they often look like formal emails, and that is exactly why phishing is so dangerous.
As spear phishing is a type of phishing, it is also a form of social engineering. But these emails are much more personalized. They are sent to one person, or a small group, and they address the recipient by name.
Spear phishing is basically any type of fraudulent email that targets one specific person. This includes whaling, which is when a scammer targets a company executive, and CEO fraud.
So how does it work? Imagine that you are at the office, doing your daily tasks. Suddenly, an email from the CEO drops into your inbox. The subject reads ‘Urgent question’, so you open it. In it, your CEO asks you to take care of an urgent invoice, as he is stuck in a meeting with HQ all day. If it’s not fixed before the bank closes, there will be a delay in production. Without thinking, you open the attachment and do as he asks.
The next day, when you see your boss, you tell him everything has been fixed, and he looks at you and asks what you are talking about. Only then do you realize that the address the request was sent from doesn’t match your CEO’s email address.
By doing their research and targeting specific people with specific clearances, spear phishing attackers can do enormous damage within a company.
Successful spear phishing attacks are increasing at a rapid pace. Read here why email scamming is a growing concern.
Phishing vs Spear phishing – what they have in common
As you have noticed by now, phishing and spear phishing share many characteristics. So, let’s summarize the differences:
Phishing: Generic emails sent to a high volume of people, usually including a link with malware.
Spear phishing: Targeted, personalized attacks sent via email.
What they have in common: They use manipulation, they are after login credentials, information or money, and they are delivered via email.
What is the solution? To avoid any type of phishing, you need awareness of the issue. Educate your organization and employees on what these types of attacks are and how they can be prevented. You also need to be prepared to tell a fake email from a genuine one. Read here the 8 warning signs that will help you spot a phishing email.
However, education alone isn’t enough, as it doesn’t protect you from human error. Enter, SmartLockr!
Imagine being warned not only when you are about to send an email outside your organization, but also when an incoming email looks suspicious. You then have the option to block this sender or mark them as safe. Boom! Just like that, you have avoided a scam.
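As an added illustration, not SmartLockr’s code and not part of the original article, here is a small Python check of the kind described above: it parses one raw email and warns when the sender is outside the organization, when the display name matches a known executive but the address does not (the mismatch from the CEO scenario), or when an urgent request with an attachment arrives from outside. The organization domain, the executive directory and the sample message are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.test"  # assumed organization domain, not from the article
# Assumed directory of real executive addresses, keyed by lower-cased display name.
KNOWN_EXECS = {"jane doe": "jane.doe@example-corp.test"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|before the banks? closes?)\b", re.I)

# Constructed sample (not real traffic): the "CEO" mail from the scenario,
# sent from a look-alike domain with a digit 1 in place of the letter l.
CEO_FRAUD = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.test>
To: alice@example-corp.test
Subject: Urgent question
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Stuck in a meeting with HQ all day. Please pay the attached invoice before the bank closes.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

ZmFrZQ==
--b1--
"""

def inspect(raw: str) -> list[str]:
    """Return the warning reasons for one raw RFC 5322 message; [] means no warning."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    if domain != INTERNAL_DOMAIN:  # the "outside your organization" warning
        reasons.append(f"sender is outside the organization ({domain or 'no domain'})")
    for exec_name, real_addr in KNOWN_EXECS.items():  # display name vs. real address
        if exec_name in name.lower() and addr.lower() != real_addr:
            reasons.append(f"display name matches {exec_name!r} but address is {addr}")
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    has_attachment = any(p.get_filename() for p in msg.iter_attachments())
    if URGENCY.search(text) and has_attachment and domain != INTERNAL_DOMAIN:
        reasons.append("urgent request with attachment from an external sender")
    return reasons
```

Run on the sample, `inspect(CEO_FRAUD)` returns all three reasons; a routine internal mail returns an empty list.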