All about spear-phishing emails

It seems there’s no shortage of cybersecurity threats that cautious individuals need to guard against. Phishing is one of the most common methods that criminals use for breaching accounts, stealing credentials and compromising data, and it comes in many variations, including SMS (short message service) phishing, or smishing, and spear-phishing, a kind of targeted phishing strategy. Criminals can use phishing techniques to trick you into handing over access, information and money.


How do spear-phishing attacks differ from standard phishing attacks?

Spear-phishing bears many similarities to traditional phishing techniques, but it’s targeted at specific individuals.

Standard phishing

Standard phishing is essentially a numbers game. Scammers know that email clients will block a proportion of the messages they send and that many others who do receive and view the fraudulent communications won’t fall for the bait. In a standard phishing ploy, those responsible for executing the attack simply hope they sent it to enough people that they increase the odds of at least a few people falling for the trick.


Spear-phishing

Spear-phishing, on the other hand, is an exercise in precision. This attack sometimes succeeds because it relies on sending a smaller number of carefully crafted, personalized messages to a select group of people. This is what makes spear-phishing harder to spot. Bad actors seek to remove as many red flags as possible and tailor their message specifically to you in order to convince you it’s legitimate.

Examples of spear-phishing

When spear-phishing succeeds, it can have a huge impact.

According to the Naples Daily News, the city of Naples, Florida, fell prey to a spear-phishing email that resulted in a loss of $700,000. The criminals impersonated a real contractor currently employed by the city and requested payment, which was delivered.

Also, a press release from the U.S. Attorney’s Office for the Southern District of California reported the apprehension of a criminal who had fled the country after he and a partner impersonated a computer company contracted by multiple universities. The team had bilked two schools out of more than $850,000. The release warned that spear-phishing was “on the rise, especially for universities, local governments and other entities with procurement paperwork available online.”

The increasing presence of telework can also lead to an uptick in spear-phishing campaigns. In one such example, as Military.com reported, individuals from the Department of Defense experienced a surge of spear-phishing attempts.

Top advice for protecting yourself from spear-phishing emails

There are measures you can take to protect yourself, and your organization, from targeted spear-phishing attacks. Expect scammers to use publicly available or compromised information in targeted campaigns.

The FBI recommended enabling automatic cybersecurity updates, verifying communications in person or over the phone and simply refusing to click anything in an email if you have any doubts about its authenticity at all.

A Microsoft security blog also encouraged readers to educate users about how to spot and report phony emails, including looking for incorrect email addresses and language that is inconsistent with normal communications from the sender. Also, be skeptical of communications that seek to create a sense of urgency.

If you need further help improving cybersecurity measures for your company, reach out to Total Defense today for additional information.