Cyberheist Snippet 3: Spear-Phishing Definition



As we mentioned in Cyberheist Snippet 1 and Cyberheist Snippet 2, we're working on a book here at KnowBe4.com, and it features Cyberheist as the first word in its title. Here's a third snippet from the book, this one taken from Chapter 7, "How Scams Target Victims: Spear Phishing, Whaling, and More." It defines a targeted scam technique called spear phishing that can be surprisingly successful when well-designed and carefully deployed.

Where general phishing attacks target broad populations with a particular type of account, such as people with Yahoo! or Gmail email accounts or customers of Wells Fargo or Citibank, spear phishing aims to collect information from within one specific organization or company. Spear phishing messages may appear to originate from a large or well-known company or website on the order of eBay, PayPal, or LinkedIn. In the most customized versions, the messages that land in a user's inbox appear to come from a co-worker or a member of the management team at the victim's own company.

Spear phishing attacks usually take advantage of publicly accessible company websites that offer contact information for employees, along with additional information about the target company or organization. Taking advantage of details available from news stories, press releases, newsletters, and other available information, the attacker crafts an email that appears to originate from someone inside the organization with a legitimate right to ask for confidential information. It might be an HR secretary, a system administrator, or a first- or second-level manager in a parallel organizational unit.

Spear phishers usually request usernames and passwords, or ask their victims to click a link to a page that delivers a drive-by malware download to their PC. If even one employee falls for the ploy, the spear phisher can impersonate that victim and start working their way up the food chain at the target organization. Ultimately, the spear phisher hits paydirt: administrative passwords, bank account information, access to intellectual property, or other confidential data.
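As an added example (not from the book or from KnowBe4), the checks below look for the tells the preceding paragraphs describe in a raw inbound message: a display name that matches an internal employee but arrives from an outside address, a sender domain that is a near-miss of the organization's own, a Reply-To that redirects answers to a third domain, a link whose visible text names one host while its href goes somewhere else, and a request for credentials. The domain example.com, the two-entry employee directory and both sample messages are constructed for the example and are assumptions, not data from the page.

```python
"""Flag common spear-phishing tells in an inbound mail message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed deployment context (hypothetical): our own mail domain and a
# name -> address directory exported from HR or the directory service.
INTERNAL_DOMAIN = "example.com"
DIRECTORY = {
    "dana reyes": "dana.reyes@example.com",   # HR
    "sam okafor": "sam.okafor@example.com",   # system administrator
}
CRED_WORDS = re.compile(r"\b(password|passcode|verify your account|login credentials)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)")
TAG = re.compile(r"<[^>]+>")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches 'examp1e.com' style lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw: bytes) -> list:
    """Return a list of human-readable findings; an empty list means no tells."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    if from_dom != INTERNAL_DOMAIN:
        # Outside sender using the name of someone on our own staff list.
        known = DIRECTORY.get(name.strip().lower())
        if known and domain_of(known) == INTERNAL_DOMAIN:
            findings.append(f"display name '{name}' matches an employee but sender is external ({addr})")
        if 0 < edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
            findings.append(f"sender domain {from_dom} is a lookalike of {INTERNAL_DOMAIN}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To {reply} redirects replies away from {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in ANCHOR.findall(text):
        shown = HOST_IN_TEXT.search(TAG.sub("", label))
        real_host = (urlsplit(href).hostname or "").lower()
        if shown and shown.group(1).lower() != real_host:
            findings.append(f"link text shows {shown.group(1)} but points to {real_host}")
    if CRED_WORDS.search(TAG.sub(" ", text)):
        findings.append("body asks the reader for credentials")
    return findings


# Constructed sample messages (not real traffic).
SPEAR = b"""From: Dana Reyes <dana.reyes@examp1e.com>
Reply-To: hr-desk@mail-examp1e.net
To: staff@example.com
Subject: Payroll portal update - action required
Content-Type: text/html; charset=utf-8

<p>Hi all, HR needs everyone to confirm their login credentials before Friday.</p>
<p>Use <a href="http://203.0.113.5/portal">https://intranet.example.com/portal</a>.</p>
"""

LEGIT = b"""From: Sam Okafor <sam.okafor@example.com>
To: staff@example.com
Subject: Maintenance window Saturday
Content-Type: text/plain; charset=utf-8

The VPN concentrator will be patched Saturday 02:00-04:00 UTC. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("spear", SPEAR), ("legit", LEGIT)):
        print(label, analyze(raw) or ["no findings"])
```

Each check on its own produces false positives (vendors legitimately use a different Reply-To, and some staff share names with outsiders), so in practice the findings feed a score or a quarantine rule rather than a hard block; the example keeps them as separate strings so the analyst sees which tell fired.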

The occasional but dramatic successes in spear phishing result from the organizational knowledge and details that attackers use to make themselves appear both known and trustworthy. Information within the message looks legitimate and the request seems valid, so some recipients will fall for the ploy, and either provide the requested details or visit the phishing site and fall prey to drive-by downloads. That probably explains why spear phishing attacks often enjoy a higher success rate than the 1-in-5 ratio so common for more typical or general phishing attacks.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/phishing-security-test-offer


