What is Spear Phishing?

Spear phishing vs mass phishing

In contrast to mass phishing, which targets everybody with the same message, spear phishing utilises personal information to make the attack even more persuasive and realistic.

Invoice fraud

Here’s an example of a sophisticated invoice fraud attack

1. Through a breach on a different site, hackers got hold of a Ben’s (a sales person) password (which was reused across multiple accounts).
2. The hackers monitored Ben’s incoming and outgoing emails.
3. As soon as Ben sent the invoice to a customer, the hackers promptly designed a well made copy with new bank account details.
4. The hackers emailed the updated invoice (from Ben’s email account) and informed the customer that the payment details on the other invoice were outdated. This email was then deleted from Ben’s Sent items.
5. Subsequently, the hackers monitored the email inbox to ensure that no inbound emails questioning the change of bank details reached the victim Ben.
6. When the payment was made, the funds were transferred to the hacker’s account and were never recovered.

Targets of spear phishing

So, who are typical targets? Well, usually individuals who hold positions with access to information or funds. As you can see, that can include a majority of company departments!

-Finance and Accounting
-Executive Management
-Human Resources (HR)
-Information Technology (IT)
-Sales and Marketing
-Administrative (Assistants and Receptionists)

What tactics are used?

The image shows five tactics used by spear phishers, especially when it comes to CEO fraud.