Spear Phishing

What spear phishing is, how it works, its characteristics and real examples of it, and how you can protect against it.

Spear phishing

Spear phishing is a form of phishing that uses email or other electronic communication targeted at a specific individual, organisation or business. Although it is usually intended to steal data (credentials, financial details, confidential documents) for malicious purposes, cybercriminals also use it to install malware on the targeted user's computer or to trick the target into making a payment.

Spear phishing process

An email arrives, apparently from a trustworthy source, but instead leads the unknowing recipient to a bogus website that serves malware or harvests credentials. These emails often use clever tactics to get the victim's attention. For example, the FBI has warned of spear phishing scams in which the emails appeared to come from the National Center for Missing and Exploited Children.

The message can also pretend to come from your own company or from a national security authority; the purpose is always to get you to click a link, open an attachment or carry out an action such as a payment.

Spear phishing characteristics

The difference between spear phishing and a general phishing attempt is subtle. A regular phishing attempt appears to come from a large financial institution or social networking site. It works because a large percentage of the population has an account with a company that has a huge market share, so a message sent to millions of random addresses will still reach plenty of genuine customers.

In spear phishing, the email appears to come from an organisation that is closer to the target, such as the target's own company or one of its suppliers. The attacker's goal is to gain access to trusted information or to trigger a trusted action such as a transfer of funds. This is often as simple as looking up the name of the CEO on the corporate website and then sending what appears to be a message from the boss to email accounts on the corporate domain, with the boss's name in the display name and the real sender address either spoofed or registered on a look-alike domain.

Spear phishing scam examples

There is no shortage of real cases; a little searching turns up many. Four are described below.

Ubiquiti Networks Inc

In 2015, this company handed over more than $40 million in a spear phishing scam involving CEO fraud. Emails seemingly sent from senior executives directed employees to send funds from a subsidiary in Hong Kong to accounts belonging to third parties. The emails actually came from the fraudsters and the third-party accounts belonged to them.

Epsilon

This online marketing company was targeted in 2011 as part of a scheme to harvest customer credentials, possibly for use in further spear phishing attempts.

With data being the bread-and-butter of Epsilon’s business, it’s easy to see why it would make an ideal target.

Reports indicate spear phishing emails might have contained a link to a site that downloaded malware, which in turn disabled antivirus software, provided remote system access, and could be used to steal passwords. These emails were sent to different marketing companies, but always targeted employees responsible for email operations.

PayPal

PayPal users seem to be the target of endless general phishing attempts. The huge number of users means that mass, untargeted emails have a high enough chance of success to be worthwhile. However, some PayPal users have also been hit with more targeted spear phishing emails. These address the customer by name, making them seem more legitimate than a standard phishing email.

Amazon

Amazon is another company with so many users that the chance of hooking one through a general phishing attempt makes the effort worthwhile. But Amazon users should watch out for spear phishing attacks, too. A huge targeted campaign occurred in 2016, when up to 100 million emails were sent to Amazon customers who had recently placed an order. The emails looked real, with the subject "Your order has dispatched" followed by an order code. But instead of a message body, the email contained only an attachment. Opening the attachment ultimately led some recipients to install Locky ransomware, which demanded a ransom paid in bitcoin.

Other common spear phishing scam examples

Aside from those specific cases, here are some more general example scenarios you might come across. These all use information that could be gleaned from social media posts, especially if you’re prone to divulging information about where you shop, eat, bank, etc.

  • An email from an online store about a recent purchase. It might include a link to a login page where the scammer simply harvests your credentials.
  • An automated phone call or text message from your bank stating that your account may have been breached. It tells you to call a number or follow a link and provide information to confirm that you are the real account holder.
  • An email stating that your account has been deactivated or is about to expire and you need to click a link and provide credentials. Cases involving Apple and Netflix were recent sophisticated examples of this type of scam.
  • An email that requests donations to a religious group or charity associated with something in your personal life.

When you think about how much information can be found on social media, it’s easy to see how someone could quickly earn your trust by simply stating a common interest or posing as a company you have a history with.

Spear Phishing and Whaling

Phishing attacks and whaling attacks are both online attacks on users that aim to acquire sensitive information. Phishing is the broader term for any attempt to fool victims into sharing confidential information such as usernames, passwords and financial details for malicious purposes. In a typical phishing attack, cybercriminals send fraudulent emails to large numbers of victims in the hope that a small percentage will be successful. Conversely, whaling is a special type of phishing that targets a high-ranking individual such as an executive rather than a large group of victims. Whaling emails are sent to a single person or a small group of targets instead of the mass distribution used in typical phishing, and whaling further differs from ordinary phishing in that the emails are far more personalised and more closely imitate legitimate correspondence.

Whaling is a form of spear phishing, which in turn is the form of phishing that targets a particular individual to obtain sensitive personal or business information. The key difference between whaling and spear phishing is that whaling targets specific, high-ranking victims within a company, whereas a spear phishing attack can target any individual. Both spear phishing and whaling take much more time and effort to execute than large-scale phishing because the attacker has to gather personal details on the targets and make the emails look as legitimate as possible.

Spear phishing protection

  • Be cautious about all communications you receive. If a message appears to be a phishing communication, do not respond; delete it. You can also forward it to your national cybersecurity authority, such as the computer emergency response team (CERT), for further action.
  • Do not click on any links in a suspicious email message, and do not open any attachments it contains.
  • Do not enter personal information in a pop-up screen. Legitimate companies, agencies and organisations do not ask for personal information via pop-up screens.
  • Install a phishing filter in your email application and in your web browser. These filters will not keep out all phishing messages, but they reduce the number of attempts that reach your users and are a worthwhile countermeasure.
  • User education: educate users to stop and think before they act on an email. Numerous online training courses help employees identify suspicious emails. Periodically send test phishing emails to keep employees alert, and repeat regularly as scamming tactics change. This is a standard topic in end-user security awareness training.
  • Endpoint protection: ensure anti-malware programs are updated regularly. Keep operating systems and applications up to date to avoid exposure to known vulnerabilities.
  • Network protection: keep anti-malware up to date on server systems, deploy a secure email gateway, and implement email authentication (Sender Policy Framework, DKIM and DMARC) to protect against spoofing of your own domain. Note that these mechanisms only authenticate the sending domain: they do nothing against a look-alike domain that the attacker legitimately registered and configured correctly. It is therefore important to supplement them with a more advanced email threat protection solution that can detect the spear phishing and business email compromise emails traditional filters miss.
  • Hire professionals to conduct ethical hacking or penetration testing, including a simulated phishing campaign against your organisation; learn from the results and carry out what is needed to reduce the risk in future.
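As an added example (not code from the original page), the following Python triages an inbound message for the spear-phishing indicators this page describes: a From address that claims the organisation's own domain without an aligned SPF or DKIM pass, a look-alike sender domain, an executive's display name on an outside address, a Reply-To that diverts replies elsewhere, and a DMARC failure. The organisation domain example.com, the executive name, the homoglyph table and the three sample messages are all assumptions constructed for the demonstration.

```python
"""Triage an inbound message for spear-phishing / CEO-fraud indicators.
Added example, not the page's own code. ORG_DOMAIN, EXECUTIVES, the homoglyph
table and the sample messages below are assumptions made for the demo."""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"        # assumption: the domain being defended
EXECUTIVES = {"jane doe"}         # assumption: display names worth impersonating


def domain_of(addr: str) -> str:
    """Lower-cased domain part of 'user@domain' (or of a bare domain)."""
    return addr.rsplit("@", 1)[-1].lower()


def org_domain(domain: str) -> str:
    """Organisational domain for relaxed DMARC alignment (last two labels)."""
    return ".".join(domain.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(domain: str, target: str) -> bool:
    """True for homoglyph or one-character look-alikes of target (never target itself)."""
    if domain == target:
        return False
    folded = domain
    for bad, good in {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}.items():
        folded = folded.replace(bad, good)
    return folded == target or edit_distance(domain, target) <= 1


def parse_auth_results(msg) -> dict:
    """Read the verdicts our own MTA wrote into Authentication-Results.
    Only trust this header if the gateway strips any inbound copy of it first."""
    header = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
    mailfrom = re.search(r"smtp\.mailfrom=([\w.@-]+)", header)
    dkim_d = re.search(r"header\.d=([\w.-]+)", header)
    return {
        "spf": verdicts.get("spf", "none"),
        "dkim": verdicts.get("dkim", "none"),
        "dmarc": verdicts.get("dmarc", "none"),
        "spf_domain": domain_of(mailfrom.group(1)) if mailfrom else "",
        "dkim_domain": dkim_d.group(1).lower() if dkim_d else "",
    }


def assess(raw: str) -> list:
    """Return the indicator tags raised for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    reply_domain = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    auth = parse_auth_results(msg)
    findings = []
    if from_domain == ORG_DOMAIN:
        # A message claiming to be us must carry a passing SPF or DKIM result
        # whose domain aligns with the visible From domain (DMARC's rule).
        spf_ok = auth["spf"] == "pass" and org_domain(auth["spf_domain"]) == org_domain(from_domain)
        dkim_ok = auth["dkim"] == "pass" and org_domain(auth["dkim_domain"]) == org_domain(from_domain)
        if not (spf_ok or dkim_ok):
            findings.append("from-domain-unauthenticated")
    elif looks_like(from_domain, ORG_DOMAIN):
        # Attacker-registered look-alike: SPF/DKIM/DMARC will pass for it.
        findings.append("lookalike-sender-domain")
    if name.strip().lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        findings.append("executive-name-on-external-domain")
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-domain-mismatch")
    if auth["dmarc"] == "fail":
        findings.append("dmarc-fail")
    return findings


# Constructed sample messages (not real traffic); headers only is enough here.
LEGIT = """\
From: Payroll <payroll@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=payroll@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
"""
CEO_FRAUD = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe@examp1e.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bounce@mailer-host.net; dkim=none; dmarc=fail header.from=example.com
"""
LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=jane.doe@examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("ceo-fraud", CEO_FRAUD), ("lookalike", LOOKALIKE)):
        print(f"{label:10s} {assess(sample)}")
```

The look-alike sample is the caveat worth remembering: SPF, DKIM and DMARC all pass for it because the attacker genuinely owns examp1e.com, so domain authentication has to be paired with display-name and look-alike checks, and with the user training listed above.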