What is the difference between spear phishing and regular phishing?

Why are phishing and spear-phishing such a problem?

“Phishing” and “spear-phishing” are the most common causes of corporate security breaches. A Trend Micro report highlighted the fact that 91% of cyber attacks begin with a spear-phishing email.

You may already know that phishing messages try to trick people into clicking on links or attachments in emails. But you might be surprised at how much of a disconnect there still is between how people are being targeted in phishing attacks and how well they are able to defend against those attacks. According to Beauceron Security’s latest industry survey of over 20,000 individuals, 12% of the respondents did not know what the term “phishing” means.

It’s logical to assume from this finding that an even higher percentage of people probably don’t know what the term “spear phishing” means. So, if at least 10% of individuals aren’t even aware of what phishing is, the business world has a huge vulnerability, because security technologies aren’t able to detect and block every phishing threat.

In fact, data from Click Armor’s own “Can I Be Phished?” online phishing self-assessment indicates that 90% of individuals who have tried the challenge mis-identify at least one in ten potential phishing messages.

Opportunistic versus targeted emails
You can think of “regular phishing” as an opportunistic kind of attack, where the attackers don’t really care who the victims are; only that they can trick enough people to make it worth their while. “Spear-phishing” is more of a targeted attack, where the attacker has a specific goal in mind, and will spend more time setting up the attack to be successful against specific victims.

As an analogy, think of the difference between a hustler that opportunistically cheats people in Three-card Monte card scams, and the elaborate plots and setups in movies like “The Sting”, “Oceans Eleven” or “Inception”. (All three of these are rated in the top 10 “con artist” movies by “screenrant.com”.) Both methods use various kinds of deception techniques. But the higher value the target is, the more effort it takes to succeed, because they usually have stronger defenses in place.

In both regular phishing and spear-phishing messages, their subject lines and bodies and almost always involve impersonation of somebody the target victim trusts. The difference between the two is mostly in how much effort the attacker puts into their research, and the creation of situations where the target will not suspect that they are being tricked.

How do spear-phishing attackers make their messages so convincing?

Just like in popular bank heist movies, there are often multiple steps in an attack, and multiple intermediate targets. The first step in a spear-phishing attack rarely even involves the attacker doing anything suspicious. Since the spear-phishing attacker wants to appear believable to you (assuming you are their target), their first step is to do some research.

We all leave a trail of information behind in almost everything we do, and that’s where the spear-phishing attacker will start. The easiest things for them to learn about you might be from Google searches or searches on social media, to see if your profile is public, and if you have made any public posts, shares or likes.

These bits of information that are publicly accessible can tell an attacker some basic information about you, and sometimes, if you “overshare” or are a somewhat public figure, they can learn a lot about you and the people you normally interact with. People don’t expect that anyone would bother harvesting their social media activities. But that’s exactly what attackers do very easily, and very well.

This kind of research is called “profiling”, and the information gathered this way is called “Open Source Intelligence” or OSINT, for short. In decades past, before social media existed, profiling was often done by attackers who literally searched through the trash bins outside of office buildings. This method was called “dumpster diving”, and even today, dumpster diving is still used to gather information that will help spear-phishing attackers in targeting their victims based on real information they have found that was unprotected. This is why shredding of sensitive office documents is so important.

Convincing spear-phishing message complaining of an overpriced quote

I once received a very well-crafted message that clearly targeted my business, accusing me of having tried to rip off the sender by quoting him higher prices than were in a price list I had sent him. The documents and links used in the message had the name of my business and its proper domain in the “anchor text” – an important term we teach you about in Click Armor’s phishing awarenes training. The tip off for me was that I had never had a price list for that business, and therefore, I could never have sent him one! So, the attacker hadn’t done quite enough research to convince me to click on the link, but I would still call the message shown here a very good spear-phishing attack.

Softening you up with a pretext

Once an attacker has enough information about the people their target trusts, they may create intermediate phishing attacks on those individuals, to build a more elaborate scheme or “pretext”. For example, if the attacker can learn about a company that supplies the victim, they can identify people in the supplier organization, and try to learn more about the victim, or get an introduction to the victim from somebody they trust.
This is called a “stepping stone” attack, and it works very well because most people don’t believe that they are giving the person any information of value that could be abused, or that an attacker would go to so much trouble, just to get an introduction. By the time the target victim gets the spear-phishing attack in this case, they are likely to be acting mostly on the trust that they have in the people whom they “believe” they are dealing with.

Whaling, ice-phishing and watering-holes

There are also variations on spear-phishing attacks, such as “whaling”, “ice-phishing” or “watering-hole” attacks. Whaling attacks target senior executives who may have higher levels of authority and access than other staff, making it more worth-while for an attacker to do research and create more elaborate pretexts.

Ice-phishing attacks take advantage of corporate webmail accounts that have been hacked, just to get access to an account inside the corporate perimeter. The attacker then uses the compromised account to impersonate people within an organization, allowing them to launch attacks on larger targets within the organization.

Watering-hole attacks are messages posted in forums dedicated to subjects that the target victim is known or likely to visit frequently, in hopes of enticing them to engage in discussions to begin a trusted relationship that can later be exploited with spear-phishing emails.

Spotting any kind of phishing attack requires a disciplined routine

The rules of basic phishing email analysis remain basically the same, regardless of whether you are facing a “phishing” attack, or a “spear-phishing” attack. It’s just that you are less likely to follow those rules with somebody you trust. This is why it is extremely important to be always on the lookout, and instinctively ready to defend against messages that seem a little unusual or inconsistent, or from people you have only recently connected with.

Sometimes it is virtually impossible to spot a well-crafted spear-phishing attack, and you might wonder “what’s the point in trying, if they are so good, and nothing is going to stop them”. But the important thing to recognize is that with 20% of employees who don’t know what phishing is, let alone how to analyze a potentially suspicious messages, the attackers don’t really need to go to that much trouble to create a convincing attack.

So, as long as you are in the habit of always checking, you can spot many of them, which will reduce your risk a great deal. Understanding how attackers use social engineering techniques like profiling and pretexting is important for catching the more elaborate attacks where you might be a target, or you might just be a stepping-stone to a larger “spear-phishing” attack.