Spear Phishing: Carefully Targeted, Extremely Damaging and Fast Increasing

It’s a depressingly familiar experience – a message pops into the recipient’s inbox demanding that they log-in to their bank account, office systems or email provider urgently. Badly written, often featuring a generic salutation ("Dear Valued Customer") and frequently purporting to be from a bank or other organisation that the recipient is not even a customer of, most of these messages are instantly deleted.

But what about the message that seems more authentic and relevant `to the recipient? It might not feel right but would a fraudster go really take the trouble to get so many details right – referring to their bank, their employer, their location and perhaps even a colleague? The practice of sending fraudulent emails that, unlike most phishing activity, contain precise and usually factually correct details, is known as “spear phishing.” Just as a real-life spear fisher targets a particular fish, the electronic variety goes for specific individuals, creating fraudulent emails that look more genuine and convincing than the general phishing variety.

Rather than attempt to train staff to be alert for both regular and spear phishing separately, organisations should talk to them about factors such as classic influence techniques – these include messages with themes of urgency, threat and authority. These themes are common to both spear and ordinary phishing emails.

As spear phishing becomes sophisticated and widespread it’s essential that organisations take a multi-layered approach to protecting themselves. This means buying in expertise in staff training, cyber security and monitoring from an external source that specialises in this growing risk.