Spear Phishing vs Phishing

Spear phishing or spearphishing is a personalized phishing attack that looks like it is specifically made for every individual user.

spear phishing

You may have heard of phishing and spear phishing (or spearphishing) and today, we want to explain the difference between the two and how you can protect yourself against these modern threats. Cause, unfortunately, these types of attacks have been growing in popularity in recent years.

We’ll first explain what phishing is and then compare it to spear phishing. Let’s get going…

What is phishing?

Phishing, pronounced fishing, is a social engineering technique designed to steal users’ sensitive information such as passwords, credit card details, and more — with the goal of the hacker to financially benefit from the stolen data.

A phishing attack can be carried out via email, telephone, or a text message and typically contains a link to a website controlled by the attackers. Once on that website, the user will be prompted to login using the same credentials he/she uses on popular services like Google, Facebook, LinkedIn, Dropbox and so on. In that sense, the email the user receives tends to look like it has been sent from one of these services.

Hackers have become so sophisticated that they can almost perfectly mimic these popular web services. Unfortunately, that’s not all – as all this could be made to look even more believable. And that’s where spear phishing comes in…

What is the difference between spear phishing and phishing?

Rather than being spread around like any other spam email, spear phishing or spearphishing is a personalized phishing attack which looks like it is specifically made for every individual user. A spearphishing email is made to fit a specific context that makes it that much more believable. Thus spearphishing attacks deliver better results for hackers.

For example, say you are a freelance designer – in a carefully designed spearphishing attack, you would get a request for your services via email. As part of the scheme, the hacker would ask you to upload some of your designs to Dropbox. Then, once you click on the link in the email, you would be sent to a fake Dropbox page where you would be required to login. But this isn’t real Dropbox and instead of signing in, your credentials would be stolen. Heck, you may even be redirected to the real Dropbox website, so that at the end – you don’t even suspect anything.

How hackers perform spear phishing attacks?

Spear phishing requires more work than “standard” phishing attacks. In order to achieve their goals, hackers first turn to social media websites like Facebook and LinkedIn to first get to know their target(s). Then, they can start crafting the “clever” scheme that would trick the victim into sharing his/her credentials.

For instance, we have seen messages such as these starting the spearphishing attacks:

  • “somebody mentioned you [NAME] on Facebook”
  • “I shared a document with you [NAME] on Dropbox.”

Once you click on the link in these messages, you would be led to the page where you would be required to login to Facebook or Dropbox and at that time, the hacker will have your credentials.

How can you protect yourself from spearfishing?

As that’s the case with many other online fraud activities, you will have to use your brain in order to stay safe from spear phishing attacks. There are several rules you should follow:

  • Check out that email header – you’ll want to see that the email is coming from facebook.com rather than facebo0k.com. Hackers want to trick you into believing that their (fake) email is real.
  • Do not click on links in emails from people you don’t know. And the same goes for attachments. This has been said for quite a few times, but we still hear stories of people doing exactly this — and end up as a victim of a phishing attack.
  • Check out URLs – again, there is a difference between dropbox.com and dropb0x.com. Phishing attacks tend to use fake URLs that mimic legitimate websites.
  • Use two-factor authentication for all your important accounts like those for email, social media, online banking, etc. This way, even if a hacker gets your credentials, he/she won’t be able to do much with it.
  • Use strong passwords and use different passwords for different services – even if someone tricks you and gets your credentials for one service, they won’t be able to access other services with that username/password combination. You would be surprised just how many folks have the same username and password across the services they use.

It is said that the only durable protection against (spear)phishing attacks is healthy skepticism and a strong awareness. So before clicking on any link, make sure to ask yourself is this a real email? Have you received something similar in the past? If it’s too strange, chances are – it is a phishing attempt, so just delete it. And keep reading on this subject to stay safe. Good luck!