Have you ever received an email or text message asking you to click on a link? These messages can come from an unknown number or from an email address designed to look authoritative, but they are often not what they seem. If you have been on the receiving end of one of these messages, you have likely been the target of a phishing attack: a cyber criminal has tried to steal your data and sensitive information. If you did not click on the link, you should be fine, but if you or an employee clicked on a link without following due process, the result could be disastrous for your company. Here is a bit more information on what phishing is and two of the most common types used by cyber criminals.

What is Phishing?

Phishing is commonly delivered in the form of email, designed to trick you into performing a specific action, such as clicking on a link or opening an attachment. However, there is a difference between phishing and spear phishing.

In a phishing attack, a potential hacker sends an email to a large number of recipients whose addresses they have collected through data breaches. They send emails purporting to be from someone else to convince you to click the link or download the attachment. The sender knows that only a small number of recipients will respond. It is like throwing spaghetti at a wall and seeing what sticks.

These sorts of emails can be deceiving, and if you are in a rush, you are more likely to fall victim to the attack. But if you look closely at the email, there are often signs that help you identify whether it is legitimate. For example, one of the most common phishing emails is one in which someone impersonates HMRC and tells you that you are eligible for a big tax refund. HMRC (and Neuways) have compiled a list of what to look out for to ensure you are not the victim of a cyber attack or phishing email.

How easy is it to spot a phishing email?  

Most phishing emails create a sense of fear or urgency to entice their victims into doing what the sender wants. This can be through the illusion of authority (HMRC, the police, etc.) or by playing on fear (a missed parcel, the deal of a lifetime, etc.). It is a stab in the dark, as a company or individual will often realise that they have not ordered a package or had any dealings with the authority in question. But if you do click on the link, whether in a personal email or a work email, malware can be downloaded onto your device. That is why it is essential for companies to ensure that all employees follow best practices and due process when it comes to opening emails and clicking on links. It does not matter whom the email is targeting: if the hacker can infiltrate a company device, they could gain access to a wealth of sensitive data. A data breach is not only catastrophic for your business but is also expensive to manage. Neuways offer Managed Security and Phishing Awareness Training to help companies and employees be aware of the pitfalls of phishing attacks.

What is a spear phishing attack?  

Spear phishing emails are like phishing emails, but there are some key differences. They are carefully designed to get a chosen and specific recipient to respond to an email or click on a link. The term comes from using a spear to target a particular human or animal to wound them.  

A cyber criminal will select an individual target within a company or business and impersonate them. First, they will choose their potential victim by looking up the employees and personnel of the company using social media and other information that could be public. Then, the hacker will craft an email explicitly tailored to that person, using what they have learned about the person's role, likes and dislikes. It can be quite daunting to receive an email like this, as the effort that goes into spear phishing can be exhaustive.

Spear phishing examples  

Take this scenario, for example. An employee at your company could post on LinkedIn that they are going on a business trip to London. They might then receive an email from someone impersonating a staff member from the same organisation but in a different department or higher up. The instinct is to respond to someone with more authority, so the recipient might not think it through. An example would be:

“Hey, whilst in London, we want to treat you to a nice meal. So, click on the link to see their menu, and let us know what you want to have. It’s on us!”  

It would look legitimate, especially if it appeared to come from your boss. However, employees of any company must stay vigilant when clicking on any links in an email. It is easy to spoof an email to make it look like it came from a boss. Attackers will often use email layouts similar to those of the sales department or accounts, as they can easily get an email from them to clone. Managed Security Training from Neuways helps businesses improve their security and ensures their employees and company do not fall victim to any phishing attack.
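The warning signs described above (a colleague's name on an outside address, pressure or too-good-to-be-true wording, a link leading off the company's own domain) can be checked mechanically when triaging a reported message. The following is an added example, not code from Neuways or HMRC; the company domain, staff list, cue phrases and sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the company domain and staff list are invented.
COMPANY_DOMAIN = "example.co.uk"
STAFF_NAMES = {"jane smith", "tom baker"}
# Pressure cues of the kind the article describes: authority, fear, generous offers.
PRESSURE_CUES = ("hmrc", "tax refund", "police", "missed parcel", "urgent", "it's on us")

# Constructed sample modelled on the London meal lure quoted above.
SAMPLE = """\
From: Jane Smith <jane.smith@example-mail.test>
Reply-To: bookings@restaurant-menu.test
To: sam@example.co.uk
Subject: Your London trip

Hey, whilst in London, we want to treat you to a nice meal.
Click on the link to see their menu: http://restaurant-menu.test/menu
It's on us!
"""

def domain_of(header_value: str) -> str:
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def triage(raw: str) -> list[str]:
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    sender_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    sender_domain = domain_of(msg.get("From", ""))
    # A colleague's name on an address outside the company domain.
    if sender_name in STAFF_NAMES and sender_domain != COMPANY_DOMAIN:
        flags.append("display-name-impersonation")
    # Replies silently routed to a different domain than the sender's.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != sender_domain:
        flags.append("reply-to-mismatch")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(cue in text for cue in PRESSURE_CUES):
        flags.append("pressure-language")
    # Links whose host is neither the company domain nor a subdomain of it.
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s:]+)", body)}
    if any(h != COMPANY_DOMAIN and not h.endswith("." + COMPANY_DOMAIN) for h in hosts):
        flags.append("external-link")
    return flags
```

Calling `triage(SAMPLE)` returns all four flags. A message whose From address is forged to match the company domain exactly will pass the display-name check; that case is decided by the receiving mail server's SPF, DKIM and DMARC results, which this sketch does not read.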

  

Please find out more about avoiding phishing attacks and the training that Neuways offers by hosting a Free Webinar about Managed Security and Phishing Awareness Training!