Phishing is a method of stealing confidential information by sending fraudulent messages to a victim. The messages often contain a link to a bogus website where victims are coaxed to enter personal details such as passwords or payment details. Phishing emails appear to come from a known and trusted source, but the links lead to sites that harvest whatever is typed into them, and the attached files carry malware that gives the attacker a foothold on the victim's device and, from there, the network.

Spear phishing is a dangerous class of phishing in which criminals use social engineering to target specific companies and individuals with very realistic bait: messages tailored to the recipient rather than sent out in bulk. It remains a popular way for attackers to gain their initial access to a network.

Individuals with a large amount of personal or corporate information online are easy targets. Adversaries craft each message around the target's personal and professional circumstances and social networks, so that it appears to come from a colleague, supplier or contact and to concern something the target is already dealing with. In this way, targets of spear phishing emails are duped into opening malicious attachments and links.

Adversaries also draw on publicly available industry information such as annual reports, shareholder updates and media releases to craft spear phishing emails, and pair them with malware built to evade antivirus and other detection tools.

How to protect your business from spear phishing

  • Be careful what you share about yourself online both personally and professionally.
  • Don’t click on links or download attachments unless you and your staff are certain the email is legitimate. When in doubt, type the organisation's web address into the browser yourself rather than clicking the link: the text a link displays can be quite different from the address it actually opens.
  • Trust your instincts: if you or your staff think you know the sender but something seems odd, phone them to check that they really sent it, using a number you already have rather than one given in the email.
  • Report suspicious emails to your IT security staff rather than simply deleting them, so the sender, links and attachments can be examined safely and other staff warned.
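The checks behind the advice above, as an added example that is not from this page or any product: a small Python triage script of the kind IT security staff might run over a reported email. It flags a sender display name that claims the organisation while the address sits on another domain, a Reply-To header that diverts replies elsewhere, and link text that shows one domain while the underlying href points at another. The organisation name, every domain and the sample message are constructed for the demonstration; only the Python standard library is used.

```python
"""Triage checks for an email a staff member has reported as suspicious.

Added example, not code from the original page or any product. It parses
a raw message, collects every link in the HTML body and reports the signs
a reviewer checks before anyone clicks. ORG_NAME, ORG_DOMAIN and the
sample message below are constructed for the demonstration.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_NAME = "Example Corp"    # assumption: the organisation being impersonated
ORG_DOMAIN = "example.com"   # assumption: its genuine mail and web domain

# Constructed sample: a fake "finance" message whose visible link text shows
# the real portal while the href points at a look-alike domain.
SAMPLE_EML = """\
From: "Example Corp Finance" <accounts@example-corp-billing.net>
Reply-To: payments@example-corp-billing.net
To: alice@example.com
Subject: Action required: Q3 invoice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi Alice, please review the invoice at
<a href="http://login.example-corp-billing.net/portal">https://portal.example.com/invoices</a>
before Friday. Questions go to <a href="https://www.example.com/help">the help desk</a>.</p>
<p>Regards,<br>Finance</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (portal.example.com -> example.com).
    A crude stand-in for the Public Suffix List; enough for the demo."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def host_of(url):
    """Hostname of a URL, tolerating bare 'www.example.com/path' text."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """True if a reader would take the anchor text for a web address."""
    return " " not in text and ("://" in text or text.lower().startswith("www."))


def html_body(msg):
    """Decoded text of the first text/html part, or '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""


def triage(raw_message):
    """Return human-readable findings; an empty list means nothing obvious."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Display name claims the organisation, address lives elsewhere.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if ORG_NAME.lower() in display_name.lower() and registrable_domain(sender_domain) != ORG_DOMAIN:
        findings.append(f"From display name claims '{display_name}' but the address is @{sender_domain}")

    # 2. Replies are quietly routed to a different domain than the sender's.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and registrable_domain(reply_to.rsplit("@", 1)[-1]) != registrable_domain(sender_domain):
        findings.append(f"Reply-To {reply_to} goes to a different domain than From")

    # 3. Link text shows one domain, the href opens another.
    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        if looks_like_url(text) and registrable_domain(host_of(text)) != registrable_domain(host_of(href)):
            findings.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("FLAG:", finding)
```

Run it as-is and it prints two findings for the sample: the spoofed display name and the mismatched link. The `registrable_domain` helper is deliberately simple; real triage tooling should compare against the Public Suffix List so that `co.uk`-style domains are handled correctly.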