Phishing vs. Spear Phishing (and how to prevent both)

Data protection has never been more important for businesses of every size. This is because of the massive rise in costly (£160 000 on average) cyber attacks. Of these attacks, phishing and spear phishing are among the most common – and effective.

Roughly 2 out of 3 SMEs suffered some degree of cyber attack last year. Nevertheless, roughly the same number of business leaders basically say the worst could never happen to them.

If you want to avoid the potentially business-ending results of a successful cyber attack (few SMEs can happily absorb a £190 000 loss), phishing emails are something you really need to know about.

Because over 9 out of 10 cyber attacks start with an email. And of the people who fall for them, 15% will fall for them again.

For business leaders who have remote working teams or little standardisation in the way they work, the difference between phishing and spear phishing – and how to prevent them – should be high on the list of things to get a handle on:

What is phishing?

Phishing emails are designed to make you or your team member enter things like your login or bank card details.

To do this, the sender creates a fake email that looks like it’s from a source you would trust. This could be your bank (or a bank), a well-known brand like Amazon or Netflix, or a business like PayPal.

  • The goal with phishing is to cast a wide, shallow net
  • There isn’t much specificity in the “bait” (the detail in the fake email)
  • What there is is mass volume (a phishing email like this will be sent to thousands or millions of email addresses)

You’ll almost certainly have seen crude examples of this (possibly several a day). They may contain terrible grammar or appear slightly bizarre. Who could possibly fall for this?

Well, not many people. But it only takes one for the attacker to make some money.

More importantly, as our email junk folders have begun to fill with bequests from mysterious princes, cyber criminals have had to innovate. Spear phishing is the result.

What is spear phishing?

Spear phishing is a phishing attempt that is precisely targeted at one organisation – or even one specific individual.

To do this, the attacker carefully crafts a single fake email based on some degree of research of the target organisation and individuals within it.

  • Spear phishing targets are carefully chosen
  • The emails contain very specific, realistic, and relevant details
  • They appear to be from trusted individuals who you may know

Spear phishing emails are much more difficult to spot. They are often designed to extract sensitive information about your company or individuals on your team. Others install malware that reports on what you and your team are doing every day.

Highly placed people at some of the most tech-forward places in the world have fallen for spear phishing attacks. Even those working for companies like Google and Apple themselves.

Why spear phishing is so effective

Unlike the blunderbuss approach of wide-broadcast phishing emails, spear phishing emails are like a sniper rifle aimed at individuals. They may have been researched using the very information you have put out into the world via social media to promote yourself or your business.

For example, an email could be from the managing director of your business (from you, if you’re the MD). Perhaps your team receives an email saying you’re considering using some new software. Please check it out (using your company login details, which the attacker then steals).

A spear phishing email may also contain:

  • Branding elements and fonts that are correct for your business
  • Industry phrases and jargon (and good grammar and spelling)
  • A fairly standard title that isn’t the usual “princely request” or bank card reset
  • A sender that appears to be a real company email address
  • A hyperlink that disguises the otherwise suspicious

Even a reasonably realistic-looking email like this does not take long to make. All you need is a social media account, a way to find the person’s email (usually easily available or searchable), and a business that hasn’t quite ironed out its email security.

How to prevent phishing attacks

There are five fairly simple things you can do to cut down on spear phishing attempts:

  1. Talk to your Managed Service Provider about giving your team proper cybersecurity training
  2. Go into your Domain Name System (DNS) and email settings and turn on the anti-spoofing tools (these go by catchy acronyms like DMARC, SPF, and DKIM)
  3. Microsoft 365 has its own anti-phishing tool – it’s called Advanced Threat Protection – and an email encryption tool. Turn both of these on.
  4. Block emails from non-secure protocols (IMAP, SMTP, POP)
  5. Use Multi-Factor Authentication as a matter of course across your organisation
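As an added illustration of step 2 (this is example code, not from the original article or from Dial A Geek), the small Python checker below flags the weak SPF and DMARC settings that leave a domain easy to spoof; the domain names and TXT records are constructed samples and no live DNS lookups are made.

```python
import re

# Constructed sample TXT records for two made-up domains (no live DNS lookups).
# "weak.example" has a softfail SPF and a monitor-only DMARC policy;
# "strong.example" has a hard-fail SPF and an enforcing DMARC policy.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "strong.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:reports@strong.example"
    ],
}


def spf_findings(records):
    """Return a list of problems with a domain's SPF record(s)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: anyone can send as this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    terms = spf[0].split()
    # The final 'all' mechanism decides what happens to senders not listed.
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    findings = []
    if all_term is None or all_term in ("all", "+all"):
        findings.append("SPF ends in +all or has no 'all': every sender passes")
    elif all_term == "~all":
        findings.append("SPF uses ~all (softfail); prefer -all so forged mail fails")
    elif all_term == "?all":
        findings.append("SPF uses ?all (neutral): no protection")
    return findings


def dmarc_findings(records):
    """Return a list of problems with a domain's _dmarc TXT record(s)."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM results are never enforced"]
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", dmarc[0]))
    policy = tags.get("p", "").strip().lower()
    findings = []
    if policy in ("", "none"):
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: move to p=reject once reports look clean")
    if "rua" not in tags:
        findings.append("no rua= address: you will get no aggregate reports")
    return findings


def assess(domain, txt=SAMPLE_TXT):
    """Combine SPF and DMARC findings for one domain; an empty list means hardened."""
    return spf_findings(txt.get(domain, [])) + dmarc_findings(txt.get("_dmarc." + domain, []))
```

Running `assess("weak.example")` returns two findings, while `assess("strong.example")` returns none.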

If you’re not sure about any of this, why not talk it over with an expert?

Have you thought about outsourcing your IT? Dial A Geek has already helped over 1000 companies in Bristol and across the UK implement cyber security so they are free to grow their businesses.

Set up a cost and commitment-free chat with Chief Geek Gildas Jones today to walk through just how easy it can be.
