
Spear Phishing: What Is It and Why You Should Care

Did you know… 88% of organizations reported experiencing spear phishing attacks in 2019

Have you ever received an e-mail, or another suspicious digital message, in which:

  • The opening of the message was personalized with your name?
  • There were references to friends, colleagues, or people in your organization?
  • There were references to projects or proposals you were involved in?

Spear phishing is directed at specific targets, whether individuals or organizations.
It usually arrives by e-mail and aims to make the victim disclose sensitive data or open malware. To make the message look legitimate, attackers gather information that is available online about the organization or the people involved, and use it to create a false sense of familiarity and security in the recipient. The more the message knows about you, the less reason there is to trust it blindly: that knowledge is exactly what the attacker collected.

Learn how to act to protect yourself:

1. Be aware of fake senders
  • Always examine the sender of the communication you received: the address may have been forged to look like it comes from a trusted entity, partner, or user
  • Look for subtle manipulations in the sender address, such as the letter “o” replaced by the digit “0”, the letter “w” replaced by the Cyrillic letter “ш”, or the letter “I” used instead of the letter “l”
  • Check the actual domain, not just how it looks: the part of the address right before the top-level domain (example.com in user@mail.example.com) must be the domain of the organization that sent the communication. A trusted name appearing earlier in the address (user@example.com.attacker.net) or a near-identical spelling is a different domain

2. Be thorough and think before you act

  • Reflect on what is being asked. If it involves sensitive personal or professional information, never disclose it by e-mail
  • Never make any kind of payment, even if the request seems urgent. In a work setting, report such situations to your organization's finance department and review them together
  • Whenever possible, confirm requests received by e-mail through an alternative channel, such as a phone call to a number you already know or a message in your organization's chat tool, and never through the contact details given in the suspicious message itself
  • When in doubt, do not follow the instructions in the suspicious communication; report it to your institution's security team instead, so the risk is contained

3. Step up your attention to content, software, and devices
  • Do not click links embedded in the e-mail body, or visit or log in to the websites they point to, without first making sure they are legitimate (see point 2); hovering over a link shows where it really leads before you click
  • Do not download attachments from suspicious e-mails to your devices. Malware can be delivered as attachments in many file formats, or as links, often hosted on legitimate websites and file-sharing services because those are less likely to be blocked by the technical controls in place
  • Keep the operating system and security software of professional and personal devices up to date, shielding them from a wide range of threats
  • Update your credentials regularly, use strong and unique passwords for each account, and enable multi-factor authentication where available, reducing the risk of your account being taken over and used to launch this type of attack against your contacts
  • At the organizational level, implement technical controls that inspect and filter e-mail on mail servers and on endpoint devices, for example sender authentication (SPF, DKIM and DMARC), attachment scanning, and link analysis
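As an added example of the server-side inspection mentioned in the last point (not code from the original page), the following Python script parses a raw message and applies a few checks a mail filter would: it reads the Authentication-Results header that a receiving mail server adds after evaluating SPF, DKIM and DMARC (RFC 8601), verifies that the authenticated domains align with the visible From: domain, flags a Reply-To that redirects answers to another domain, and flags risky or double file extensions on attachments. Both sample messages are constructed for the example and describe no real sender; the two-label domain approximation and the extension list are assumptions that a real deployment would replace with the Public Suffix List and its own policy.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real traffic). A receiving mail server adds the
# Authentication-Results header (RFC 8601) after checking SPF, DKIM and DMARC;
# a downstream filter can then act on it.
PHISH = """\
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe.ceo@mail-example.net
To: bob@example.com
Subject: Urgent wire transfer - Project Falcon
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce.attacker.net; dkim=pass header.d=attacker.net; dmarc=fail header.from=example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Bob, I am in a meeting. Please pay the attached invoice today, I will explain later.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ...
--b1--
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Project Falcon - agenda
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=jane.doe@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

Agenda is in the calendar invite, see you at 10.
"""

# File types that should not arrive as attachments from outside the organization (assumed policy).
RISKY_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "hta", "lnk", "iso", "img", "docm", "xlsm"}


def registrable_domain(host: str) -> str:
    """Two-label approximation (assumption); use the Public Suffix List in production."""
    return ".".join(host.lower().split(".")[-2:])


def parse_auth_results(header: str) -> dict:
    """Extract method=result pairs and the identifiers needed for DMARC alignment."""
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
    ids = dict(re.findall(r"\b(smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)", header))
    return {"results": results, "ids": ids}


def inspect_message(raw: str) -> dict:
    """Return the From domain, the reasons for concern found, and a filter action."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reasons = []

    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    dmarc = ar["results"].get("dmarc", "none")
    if dmarc != "pass":
        reasons.append(f"dmarc={dmarc}")
    # DMARC alignment: a passing DKIM or SPF result only vouches for the From
    # domain if the signing / envelope domain is the same organizational domain.
    dkim_d = ar["ids"].get("header.d", "")
    if ar["results"].get("dkim") == "pass" and registrable_domain(dkim_d) != registrable_domain(from_domain):
        reasons.append(f"DKIM domain {dkim_d} not aligned with From domain {from_domain}")
    mailfrom = ar["ids"].get("smtp.mailfrom", "").rpartition("@")[2]
    if ar["results"].get("spf") == "pass" and registrable_domain(mailfrom) != registrable_domain(from_domain):
        reasons.append(f"SPF envelope domain {mailfrom} not aligned with From domain {from_domain}")

    # A Reply-To pointing elsewhere quietly redirects the victim's answer to the attacker.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and registrable_domain(reply_domain) != registrable_domain(from_domain):
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        labels = name.lower().split(".")
        if labels[-1] in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type: {name}")
        if len(labels) > 2:
            reasons.append(f"double file extension: {name}")

    return {"from_domain": from_domain, "reasons": reasons, "action": "quarantine" if reasons else "deliver"}


if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        verdict = inspect_message(raw)
        print(label, verdict["action"], *verdict["reasons"], sep="\n  ")
```

Note that the forged message passes SPF and DKIM on their own: the attacker controls attacker.net and can authenticate it perfectly. What gives it away is that neither authenticated domain matches the example.com shown to the user, which is exactly the alignment check DMARC adds; the Reply-To and attachment checks are independent signals that still fire when a sender has no DMARC policy at all.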