What’s the Difference Between a Phishing and Spear Phishing Email?

Many business execs are being dogged by this annoying and oftentimes devastating cyber-scam. What’s the difference between a phishing and spear phishing email, and what can you do about it? There are ways to combat these variants on a common email scam, and KalioTek is here to tell you what each one is, how to spot it, and how to beef up your computer security protocols accordingly.

What is Phishing?

Phishing is one of the easiest forms of cyberattack for a criminal to carry out, but one which can provide these crooks with everything they need to infiltrate every aspect of their targets’ personal and working lives.

Usually carried out over email – although the scam has now spread to social media, messaging services and apps – a basic phishing attack attempts to trick the target into doing what the scammer wants. That might be handing over passwords to make it easier to hack a company, or altering bank details so that payments go to fraudsters instead of the correct account.

The aim and the precise mechanics of the scams vary. Victims might be tricked into clicking a link (aka clickbait) through to a fake webpage designed to persuade the user to enter personal information. Other campaigns involve tricking users into downloading and installing malware, for a stealthier approach to theft, or inadvertently installing ransomware, which provides the attacker with much more immediate profit.

More complex phishing schemes play a long game: hackers use fake social media profiles, emails and more to build up a rapport with the victim over months or even years. This happens in cases where specific individuals are targeted for specific data which they would only ever hand over to people they trusted.

That data can be as simple as an email address and password, on up to financial data such as credit card details or online banking credentials, or even personal data such as date of birth, address, and social security number.

In the hands of hackers, all of that can be used to carry out fraud, be it identity theft or using stolen data to buy things or even selling people’s private information on the dark web, as in the case of the recent Equifax hack. In some cases, it’s done for blackmail, or to embarrass the victim.

In other cases, phishing is one of the tools used for espionage or by state-backed hacking groups to spy on opponents and organizations of interest.

Act now! KalioTek offers superior email, computer, and network security monitoring tools to help you greatly combat the menace of email phishing attacks. Call us at (408) 550-8000, or email us at sales@kaliotek.com for more information.

What is Spear Phishing?

Spear phishing is a variation on phishing in which hackers send emails to groups of people with specific common characteristics or other identifiers. Spear phishing emails appear to come from a trusted source but are designed to help hackers obtain trade secrets or other classified information.

Techopedia explains Spear Phishing:

“The difference between spear phishing and a general phishing attempt is subtle. A regular phishing attempt appears to come from a large financial institution or social networking site. It works because, by definition, a large percentage of the population has an account with a company with huge market share.

In spear phishing, an email appears to come from an organization that is closer to the target, such as a particular company. The hacker’s goal is to gain access to trusted information. This is often as simple as looking up the name of a CEO from a corporate website and then sending what appears to be a message from the boss to email accounts on the corporate domain.”

How does a phishing attack work?

This type of attack attempts to trick a user into entering personal details or other confidential information, with email being the most common method of carrying out these attacks.

The sheer number of emails sent every single day means that it’s an obvious attack vector for cyber criminals. It’s estimated that 3.7 billion people send around 269 billion emails every single day.

Researchers at Symantec suggest that almost one in every 2,000 of these emails is a phishing email, meaning around 135 million phishing attacks are attempted every day.

Most people – especially busy CEOs and other executives – simply don’t have the time to carefully analyze every message which lands in their inbox, and it’s this oversight which phishers look to exploit in multiple ways.

These email scams vary in their targets; some aim at unwary consumers. Here, the email subject line is designed to catch the victim’s eye: common phishing campaign techniques include offers of prizes won in fake competitions such as lotteries, or contests by retailers offering a “winning voucher”.

In this case, to ‘win’ the prize, the victims are asked to enter details such as name, date of birth, address and bank details in order to claim it. Obviously, there’s no prize, and all they’ve done is put their personal details into the hands of hackers.

Other Types of Phishing Attacks

While email is still a large focus of attackers carrying out phishing campaigns, the world is very different from how it was when phishing first started. Email is no longer the only means of reaching a victim: the rise of mobile devices, social media and more has provided attackers with a wider variety of vectors to use against victims.

Social Media Phishing

With billions of people around the world using social media services such as Facebook, LinkedIn and Twitter, attackers are no longer restricted to a single means of sending messages to potential victims.

Some attacks are simple and easy to spot: A Twitter bot might send you a private message containing a shortened URL which leads to something bad such as malware or maybe even a fake request for payment details.

And, there are other attacks which play a longer game. A common tactic used by phishers is to pose as a person – often an attractive woman – using photos ripped from the internet, be it stock imagery or someone’s public profile. Often, these are just harvesting Facebook ‘friends’ for some future nefarious means and don’t actually interact with the target.

However, sometimes the similar tactic of catphishing comes into play, with the attacker establishing a dialogue with the (often male) target – all while posing as a fake persona.

SMS and Mobile Phishing

The rise of mobile messaging services, Facebook Messenger and WhatsApp in particular, has provided phishers with a new method of attack, and because smartphones are now in the victims’ pockets, the victims are almost immediately reachable.

Attackers don’t even need to use emails or instant messaging apps in order to meet the end goal of distributing malware or stealing credentials – the internet-connected nature of the modern smartphone means text messages are also an effective attack vector.

An SMS phishing attack, or SMiShing attack, works in much the same way as an email attack, only on a mobile device. It presents the victim with a fraudulent offer or fake warning as an incentive to click through to a malicious URL.

With nearly 80% of domestic Internet users accessing the web through their smartphones, this is a biggie to stay vigilant about.

We could go on and on about the dangers of email phishing scams, but we’ll wrap this up by reiterating that KalioTek specializes in computer security and mobile device management, and can get you all the tools and technology you need to stay universally phishing scam-free!

Call us at (408) 550-8000, or email us at sales@kaliotek.com to learn more about how to avoid phishing and spear phishing scams.
