What is spear phishing?
A spear phishing attack tries to trick a specific individual or group of individuals into taking actions that harm their organization.

Spear phishing is a type of phishing attack that targets a specific individual or group of individuals within an organization, and tries to trick them into divulging sensitive information, downloading malware, or unwittingly sending or authorizing payments to the attacker.

Like all phishing scams, spear phishing can be conducted via email, text message or phone calls. The difference is that instead of targeting thousands or millions of potential victims with blanket ‘bulk phishing’ tactics, spear phishers target specific individuals or groups of individuals—e.g., a company’s regional sales directors—with personalized scams based on extensive research.

According to IBM’s Cost of a Data Breach 2022 report, phishing was the second most common cause of data breaches in 2022. McKinsey notes that the number of spear phishing attacks increased nearly sevenfold following the start of the pandemic. Cybercriminals took advantage of the increasing number of remote workers, who may be more susceptible to phishing scams due to lax security hygiene and a habit of collaborating with colleagues and bosses primarily through email and chat apps.

The IBM report also found that while phishing attacks had the highest average cost per breach at USD 4.91 million, the costs of spear phishing attacks can significantly exceed even that amount. For example, in one high-profile attack spear phishers stole more than USD 100 million from Facebook and Google by posing as legitimate vendors and tricking employees into paying fraudulent invoices.

How spear phishing attacks work

In a classic bulk phishing attack, hackers craft fraudulent messages that appear to come from well-known businesses, organizations or even celebrities. Then they ‘spray and pray,’ sending these phishing messages indiscriminately to as many people as possible and hoping at least a handful will be tricked into giving up valuable information like social security numbers, credit card numbers or account passwords.  

Spear phishing attacks, on the other hand, are targeted attacks aimed at specific individuals who have access to specific assets.

Setting an objective

Most spear phishing attacks aim to steal large sums of money from organizations—by tricking someone into making a payment or wire transfer to a fraudulent vendor or bank account, or by tricking them into divulging credit card numbers, bank account numbers or other confidential or sensitive data.

But spear phishing campaigns can have other damaging objectives:

  • Spreading ransomware or other malware—for example, the threat actor may send a malicious email attachment, such as a Microsoft Excel file, that installs malware when opened.

  • Stealing credentials, such as usernames and passwords, that the hacker can use to stage a larger attack. For example, the hacker might send the target a malicious link to a fraudulent ‘update your password’ web page.

  • Stealing personal data or sensitive information, such as customers’ or employees' personal data, corporate financials or trade secrets.

Choosing the target(s)

Next, the spear phisher identifies a suitable target—a person or group of people with direct access to the resources the hackers want, or who can provide that access indirectly by downloading malware.

Often spear phishing attempts target mid-level, low-level or new employees with elevated network or system access privileges, who may be less rigorous in following company policies and procedures. Typical victims include financial managers authorized to make payments, IT administrators with administrator-level access to the network, and HR managers with access to employees’ personal data. (Other types of spear phishing attacks target executive-level employees exclusively; see ‘Spear phishing, whaling and BEC,' below.)

Researching the target

The attacker researches the target for information they can use to impersonate someone close to the target—a person or organization the target trusts, or someone to whom the target is accountable.

Thanks to the amount of information people share freely on social media and elsewhere online, cybercriminals can find this information without too much digging. According to a report from Omdia, hackers can craft a convincing spear phishing email after about 100 minutes of general Google searching. Some hackers may break into company email accounts or messaging apps and spend even more time observing conversations to gather more detailed information.

Crafting and sending the message

Using this research, spear phishers can create targeted phishing messages that credibly appear to come from the trusted source or person.

For example, imagine ‘Jack’ is an accounts payable manager at ABC Industries. By simply looking at Jack’s public LinkedIn profile, an attacker might find Jack’s job title, responsibilities, company email address, department name, boss’s name and title, and business partners’ names and titles—and then use these details to send him a very believable email from his boss or department head:

Hi Jack,

I know you process the invoices from XYZ Systems. They just let me know they’re updating their payment process and need all future payments to go to a new bank account. Here’s their latest invoice with the new account details. Can you send the payment today?

The email typically includes visual cues that reinforce the impersonated sender’s identity at a glance, such as a spoofed email address (e.g., showing the impersonated sender’s display name but hiding the fraudulent email address), Ccs to similarly spoofed coworker emails, or an email signature featuring the ABC Industries company logo. Some scammers are able to hack into the impersonated sender’s actual email account and send the message from there, for the ultimate in authenticity.

Another tactic is to combine email with text message phishing (called SMS phishing or smishing) or voice phishing (called vishing). For example, instead of attaching an invoice, the email might instruct Jack to call XYZ Systems accounts payable department, at a phone number staffed by a fraudster.

Spear phishing attacks and social engineering

Spear phishing attacks make heavy use of social engineering techniques—tactics that use psychological pressure or motivation to trick or manipulate people into taking actions they shouldn’t and ordinarily wouldn’t take.

Impersonating a high-level company official, as in the spear phishing email above, is one example. Employees are conditioned to respect authority and are subconsciously scared not to follow an executive’s orders, even if the orders are out of the ordinary. Spear phishing attacks rely on other social engineering techniques including:

  • Pretexting—fabricating a realistic story or situation that the target recognizes and can relate to, e.g., ‘your password is about to expire...’

  • Creating a sense of urgency—e.g., posing as a vendor, and claiming payment for a critical service is late

  • Appealing to emotion or subconscious motivators—trying to trigger fear, guilt, or greed in the target, referencing a cause or event the target cares about, or even just being helpful (e.g., 'here’s a link to a web site that sells those computer parts you’ve been looking for.’).

Most spear phishing campaigns combine multiple social engineering tactics—for example, a note from the target’s direct manager that reads, ‘I’m about to jump on a plane and my battery is dying, please help me out and rush this wire transfer to XYZ Corp. so we don’t have to pay a late fee.’

Spear phishing, whaling and BEC

While any phishing attack that targets a specific individual or group is a spear phishing attack, there are some notable subtypes.

Whaling (sometimes called whale phishing) is spear phishing that targets the highest-profile, highest-value victims—often board members or C-level management, but also non-corporate targets such as celebrities and politicians. Whalers are after quarry only these targets can provide—very large sums of cash, or access to highly valuable or highly confidential information. Not surprisingly, whaling attacks typically require more detailed research than other spear phishing attacks.

Business email compromise (BEC) is spear phishing aimed specifically at robbing organizations. Two common forms of BEC include:

  • CEO fraud. The scammer impersonates a C-level executive’s email account, or hacks into it directly, and sends a message to one or more lower-level employees instructing them to transfer funds to a fraudulent account or make a purchase from a fraudulent vendor.

  • Email account compromise (EAC). The scammer gains access to the email account of a lower-level employee—e.g., a manager in finance, sales, R&D—and uses it to send fraudulent invoices to vendors, instruct other employees to make fraudulent payments or deposits, or request access to confidential data.

Successful BEC attacks are among the costliest cybercrimes. In one of the best-known examples of BEC, hackers impersonating a CEO convinced his company's finance department to transfer EUR 42 million to a fraudulent bank account.

Taking action against spear phishing

Phishing attacks are among the most difficult cyberattacks to combat, because they can’t always be identified by traditional (signature-based) cybersecurity tools; in many cases, the attacker need only get past ‘human’ security defenses. Spear phishing attacks are especially challenging because their targeted nature and personalized content make them even more convincing to the average person.

However, there are steps organizations can take to help mitigate the impact of spear phishing, if not prevent spear phishing attacks altogether:

Security awareness training. Because spear phishing takes advantage of human nature, employee training is an important line of defense against these attacks. Security awareness training may include:

  • Teaching employees techniques for recognizing suspicious emails (e.g., checking email sender names for fraudulent domain names)

  • Tips on how to avoid ‘oversharing’ on social networking sites

  • Good working habits—e.g., never opening unsolicited attachments, confirming unusual payment requests through a second channel, phoning vendors to confirm invoices, navigating directly to websites instead of clicking links within emails

  • Spear phishing simulations where employees can apply what they learn.

Multi-factor and adaptive authentication. Implementing multi-factor authentication (requiring one or more credentials in addition to a username and password) and/or adaptive authentication (requiring additional credentials when users log in from different devices or locations) can prevent hackers from gaining access to a user’s email account, even if they are able to steal the user’s email password.

Security software. No single security tool can prevent spear phishing altogether, but several tools can play a role in preventing spear phishing attacks or minimizing the damage they cause:

  • Some email security tools, such as spam filters and secure email gateways, can help detect and divert spear phishing emails.

  • Antivirus software can help neutralize known malware or ransomware infections that result from spear phishing.

  • Secure web gateways and other web filtering tools can block the malicious websites linked to in spear phishing emails.

  • System and software patches can close technical vulnerabilities commonly exploited by spear phishers.
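
The sender checks mentioned above (a trusted display name hiding a fraudulent address, and sender names with fraudulent domain names) can be partly automated by mail filtering. The following is an added example, not part of the original article or of any IBM product; the organization domain, the one-entry directory, the sender name "Dana Reyes" and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "abcindustries.example"  # assumed domain for the article's ABC Industries
KNOWN_SENDERS = {"dana reyes": "dana.reyes@abcindustries.example"}  # constructed directory

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw):
    """Return the list of sender findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # Trusted display name paired with an address that person does not use.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display-name-mismatch")
    # Sender domain within two edits of the organization's own domain.
    if domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # Replies would go to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower().rpartition("@")[2] != domain:
        findings.append("reply-to-differs")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = (
    "From: Dana Reyes <dana.reyes@abcindustrles.example>\n"
    "Reply-To: ap-team@payments.example\n"
    "To: jack@abcindustries.example\n"
    "Subject: New bank details for XYZ Systems\n\n"
    "Can you send the payment today?\n"
)
LEGIT = SPOOFED.replace("abcindustrles", "abcindustries").replace(
    "Reply-To: ap-team@payments.example\n", "")

if __name__ == "__main__":
    print(check_sender(SPOOFED), check_sender(LEGIT))
```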