Spear Phishing: Carefully Targeted, Extremely Damaging and Fast Increasing
It’s a depressingly familiar experience – a message pops into the recipient’s inbox demanding that they log-in to their bank account, office systems or email provider urgently. Badly written, often featuring a generic salutation (“Dear Valued Customer”) and frequently purporting to be from a bank or other organisation that the recipient is not even a customer of, most of these messages are instantly deleted.
But what about the message that seems more authentic and relevant to the recipient? It might not feel right, but would a fraudster go really take the trouble to get so many details right – referring to their bank, their employer, their location and perhaps even a colleague?
The practice of sending fraudulent emails that, unlike most phishing activity, contain precise and usually factually correct details is known as “spear phishing.” Just as a real-life spear fisher targets a particular fish, the electronic variety goes for specific individuals, creating fraudulent emails that look more genuine and convincing than the general phishing variety.
According to the National Cyber Security Centre, which is part of GCHQ, “One of the main differences between a targeted attack and mass generic campaigns, is that a targeted attack may have a specific goal within your organisation. This could be about transferring money, or getting access to an administrator account,” it says. “For example, someone after money might target your finance team by mimicking your normal invoice process.”