While some phishing scams get sent to millions of people in the hopes that someone will bite, a spear phishing attack focuses on a single target, and can be very convincing.
While phishing is a broad term for attacks that aim to trick a victim into sharing sensitive information, spear phishing is a phishing attack that goes after a single target, which can be an individual, organization, or business.
Spear phishing attacks are particularly effective because the attacker can use information about the victim, oftentimes public information found online, to create a convincing ruse.
A common spear phishing tactic is for the attacker to pose as someone in a position of authority, because people are much more likely to respond to an authority figure.
Here is an example:
Joe is an executive assistant to a CEO named Mary. One day when Mary is on vacation abroad, Joe gets an urgent email from her. The email states that her luggage and phone have been stolen. She says she has no money or passport and needs him to send over her PayPal credentials ASAP so that she can book a hotel and buy a flight home. Joe might see this harrowing message from his employer and immediately send over the requested information.
This sort of "I'm in trouble and need money" request from a superior is a common spear phishing script. The attacker could be spoofing Mary's email, as well as sending the email to dozens of different combinations of Joe's name and initials in hopes of finding the correct one. The attacker may also have learned about Mary's vacation plans by following her on Twitter. Combining all of these tools, the attacker can devise a very convincing con.
A notable real-life example of this happened in 2016, when an attacker posed as the CEO of Snapchat and was able to convince an employee to hand over confidential payroll information.
Spear phishing attacks can also leverage information from data breaches. Another example:
Steve buys a computer at a major online retailer, but a few weeks later the retailer has a data breach. Although sensitive data like credit card numbers and passwords were hash-protected, customer email addresses and order histories were leaked.
A few days later, Steve gets an email from the manufacturer of his new computer announcing that his model is being recalled, and providing a link to receive a refund. The link takes Steve to a fake version of the manufacturer's website and provides a form for Steve to enter his credit card number for the refund. The attacker used some fairly harmless data to gain Steve's confidence and trick him into handing over his financial information.
Whaling is a spear phishing attack that targets a very high-profile victim, usually a top executive at a company or a celebrity. Whaling attacks tend to be more sophisticated, and in many cases attackers will first carry out spear phishing attacks on smaller targets, such as employees of the "whale," in order to gain access to their ultimate victim.
While on vacation, Mary the CEO gets an email or call from someone she knows on her IT team letting her know that they are enduring a cyber attack and requesting access to her work computer and her accounts to ensure that company data can be secured. It is possible that an attacker compromised her IT team in order to gain Mary's trust, in hopes of convincing her to hand over her credentials.
Since spear phishing involves social engineering, there are no foolproof ways to protect against these kinds of attacks. However, a number of precautions can be taken to prevent and mitigate attempts at spear phishing. These include: