Phishing vs. Spear-Phishing

Whether you’re tech savvy or not, you’ve likely heard of phishing. We’ve mentioned spear-phishing in our blog post Do you need to worry about cybercrime? But just how much do you know about these targeted cyberattacks? When should you worry that your personal data has potentially been compromised?  

Let’s start with defining each, and then look at some of the key differences between the two. And what you can do to protect yourself. 

Defining phishing 

Not to be confused with peaceful afternoons wading into a cool river to catch trout, phishing is a type of cyberattack that uses camouflaged emails as the weapon of choice to obtain information. Think of phishing as being like fishing in that the hackers throw out a bit of bait to see what they might reel in. 

The goal of phishing emails is to convince the recipient that the email or website it links to is important and legitimate. It could take the form of an email from someone within the company, or it could look like an important request from your bank. Even large retailers are not immune, as many have reported receiving emails that appear to be from known retailers. Recipients are directed to log into their accounts to resolve a shipping issue. If you’re not paying attention, and have recently placed an online order, you may find yourself logging into the fake website. 

These criminals are looking to establish your trust early on, so they will do their utmost to come across as a plausible person or business.  

These types of cyberattacks date back to the 1990s. Hackers set out to bamboozle AOL users into giving out their account login details. From here, they had access to a world of personal data through the AOL account. 

Phishing cyberattacks remain the most widespread and damaging types of cyberattacks. Phishing techniques and messages have evolved with technology and can be incredibly sophisticated. According to research shared in the Verizon 2021 Data Breach Investigations Report, phishing remains the top culprit for data breaches. 

 More often than not, the phishing email will ask the recipient to download an attachment or click through a link within the email. They can be very clever about spoofing their email addresses and websites so that they appear to be legitimate.  

 That said, several techniques can fall into the phishing category. Broadly speaking, phishing is attempting to get a target to take one of two steps. 

  1. Hand over sensitive and personal information. This information can be used to breach a secure system or financial account. 
  2. Download malware. This devious software will install itself on your device and take over. You may find yourself unable to do anything on your device until you pay the ransom they are demanding of you.

While phishing emails may seem like they are targeting you, most of the time they are being sent blindly to potentially millions of victims to trick them into giving over their details.  

Defining spear-phishing 

Not to be mixed up with diving into the ocean in hot pursuit of the big catch, spear-phishing is a cyberattack that is specifically targeted at an individual or a particular organization. The end goal is to obtain confidential data that can be used for devious and fraudulent purposes. 

Think about the differences between fishing with a net and fishing with a speargun. Phishing will cast a wide net to target a large group of potential targets. Spear-phishing uses just one single spear to target one single fish. 

Spear-phishers may pretend to be someone you work with, a friend, a family member, or a business you’ve had dealings with. All in the name of trying to gain your trust and trick you into handing over your personal information. The emails that you’ll receive are typically well-researched, personal, and thorough. This makes it difficult to distinguish between an email or social media message that may be legitimate and communication that may be fake. 

 Spear-phishers take their time to do a significant amount of research into you, your background, and publicly available information.   

Ultimately, the nefarious goals of both phishing and spear-phishing are the same. To acquire your sensitive and confidential data, for malicious reasons. 

How can you protect yourself? 

There are several steps that you can take to protect yourself from phishing and spear-phishing. 

  1. Verify the sender address of emails you receive before you act on them. 
  2. Hover over URLs in emails. If one is suspect, don’t click on it. 
  3. If you think a friend or someone you trust is sending you a suspicious email, call them or text them to verify that they sent it. 
  4. Don’t share your sensitive data, anywhere. 
  5. Be very cautious about where and how you share your personal information. Even a social media post or a quiz you fill out can provide an opportunity to harvest much of your information. 
  6. Keep your antivirus software up to date. 
  7. Stay alert when it comes to the signs of someone spear-phishing.
      • Urgent demands for information or help.
      • Messages that are worded strangely, from a so-called trusted person.
      • Demands for personal details.

If you suspect you’ve been targeted, whether through phishing or spear-phishing efforts, there are some steps that you can take. 

    • Change your passwords immediately. 
    • Scan your devices with trustworthy security software. 
    • Back up your important data. 

Phishing and its more invasive counterpart spear-phishing don’t appear to be going anywhere any time soon. It’s up to you to take the steps needed to protect yourself and your personal information. 

Resources 

https://us.norton.com/internetsecurity-malware-what-spear-phishing.html 

https://usa.kaspersky.com/resource-center/definitions/spear-phishing 

https://www.umass.edu/it/support/security/protect-yourself-against-phishing-scams-identity-theft 

Ready to learn more? Start a conversation with one of our knowledgeable professionals. And join us on Friday, when we will discuss what digital identity means for a business.