Spear phishing

Spear phishing is an attack that relies heavily on social engineering. Unlike traditional phishing attacks, which target a large number of users without any real limits or pre-selection, a spear phishing attack requires much more preparation.

This preparation is mainly based on information that the attacker gathers through a variety of methods, which are summarised above under the term ‘social engineering’. For example, the attacker will look at the victim’s social networks to find out where they work and who their bosses are, in order to make the attack as realistic as possible. It is this increased realism, compared to a traditional phishing campaign, that lulls the victim’s vigilance and leads them to take a specific action.

In the vast majority of cases, the attack consists of an email sent by the attacker pretending to be a colleague or manager asking the victim to follow instructions. Fairly common requests are for the victim to make a transfer to a bank account within a very short period of time, or, with the attacker impersonating the organisation’s IT department, to provide their login details.
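
From the defender's side, the pattern described above (a known colleague's or the IT department's name on the message, combined with an urgent transfer or login request) can be turned into a mail-triage check. The following is an added example, not part of the original page; the domain, the staff directory, the keyword lists and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this sketch: the organisation's mail domain and staff directory.
ORG_DOMAIN = "example.com"
KNOWN_STAFF = {"alice martin", "it support"}

# Illustrative keyword cues for the requests the page describes.
CUES = {
    "urgency": re.compile(r"\b(urgent|immediately|today|within the hour|asap)\b", re.I),
    "payment-request": re.compile(r"\b(wire|transfer|bank account|iban|payment)\b", re.I),
    "credential-request": re.compile(r"\b(password|login details|credentials)\b", re.I),
}

def spear_phishing_signals(raw_message):
    """Return the list of signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    body = "\n".join(
        part.get_payload(decode=True).decode("utf-8", errors="replace")
        for part in msg.walk() if part.get_content_type() == "text/plain"
    )
    text = msg.get("Subject", "") + "\n" + body
    signals = []
    # A colleague's or department's name on an address outside the organisation.
    if display_name.strip().lower() in KNOWN_STAFF and domain != ORG_DOMAIN:
        signals.append("internal-name-external-domain")
    signals += [name for name, pattern in CUES.items() if pattern.search(text)]
    return signals

def needs_review(raw_message):
    """Hold the message when impersonation coincides with at least one request cue."""
    signals = spear_phishing_signals(raw_message)
    return "internal-name-external-domain" in signals and len(signals) > 1

# Constructed sample messages.
SPOOFED_MANAGER = """\
From: "Alice Martin" <alice.martin@example-payments.test>
Subject: Urgent transfer

Bob, I need you to make a transfer to this bank account within the hour.
"""
GENUINE_COLLEAGUE = """\
From: "Alice Martin" <alice.martin@example.com>
Subject: Lunch

Are you free for lunch on Thursday?
"""

if __name__ == "__main__":
    for sample in (SPOOFED_MANAGER, GENUINE_COLLEAGUE):
        print(spear_phishing_signals(sample), needs_review(sample))
```

Keyword cues alone produce false positives on ordinary finance or helpdesk mail, which is why `needs_review` only fires when they coincide with the sender-identity mismatch.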