Phishing is one of the most common ways cybercriminals gain access to personal data and company information. According to Verizon’s “2021 Data Breach Investigations Report,” phishing was the top action taken by criminals to gain access to data — outranking such ubiquitous methods as stealing credit cards and using ransomware. Phishing also saw the highest growth rate during the pandemic compared to other cyber threats.
Phishing and spear phishing are common because they are effective and easy to launch. Even an entry-level employee can introduce a threat to a company by clicking on a bad link. Every IT team and employee needs to know the difference between these two threats.
Phishing is a social-engineering attack in which a criminal impersonates a trusted organization, such as a vendor, bank or service provider. An employee receives an email that appears to come from that organization and is urged to click a link or open an attachment. The link usually leads to a fake login page that captures the employee's credentials, or the attachment installs malware such as ransomware; either way, the attacker ends up with access to company systems or files.
Attackers are getting better at making phishing emails look legitimate, so spelling errors and odd phrasing remain useful warning signs but are no longer reliable ones; a well-crafted message may contain none. Whatever tips the recipient off, the right response is to report the message to the IT or security team before deleting it: the report lets defenders block the sender, remove the same message from other mailboxes and check whether anyone has already clicked.
Spear phishing is a subset of phishing that employs more-focused social engineering tactics. Essentially, a cybercriminal will target a specific person or company with attacks. The attacker might research the individual they’re trying to phish and carefully craft an email or text message based on the target’s interests or behavior.
With companywide spear phishing, hackers may try to make the messages appear as if they came from reputable sources, such as the CEO, the human resources department or even the IT department. The goal is to make the message seem as legitimate as possible so the recipients click on harmful links.
Whaling is a narrower and higher-stakes form of spear phishing that targets executives and other members of the C-suite. Because these people can approve payments and have access to confidential information, the goal is usually to trick them into authorizing a fraudulent transfer or to obtain data that can be sold or used for extortion.
The main difference between phishing and spear phishing is the targeting. With phishing, attackers send the same generic email to thousands of individuals at hundreds of companies. With spear phishing, one company, department or individual is singled out and the message is tailored to them.
For example, a phishing email could promise a free security evaluation from a seemingly reputable IT source. Employees would theoretically trust the brand name and click the link. With spear phishing, the email might address a specific employee or seem as if it came from an internal source in the organization.
Human error is one of the main reasons phishing and spear phishing attacks are effective. One of the best ways to prevent these threats is to teach employees how to identify and avoid suspicious emails. Some common red flags to look for are:
- Obvious spelling and grammar mistakes
- A sender address whose domain does not match the display name or the organization it claims to represent, including lookalike domains that differ from the real one by a character or two
- A sense of urgency that encourages employees to click without thinking
- Requests for sensitive information over email
- Unsolicited attachments
- Threats of termination, suspension or account lockout, especially in a message that claims to come from an internal source such as HR or IT
If an employee is unsure about an email, encourage them to forward it to the IT or security team rather than act on it. They can also verify the sender independently: look up the organization's contact details from a source outside the email, such as its official website or a phone number already on file, never from the message itself, and call or email to confirm that the request is genuine.
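The red flags in the checklist above can be turned into a first-pass triage check that a help desk or mail gateway runs over a reported message before a human looks at it. The script below is an added example, not code from the original article; it uses only the Python standard library. The trusted domains, keyword lists, 0.8 similarity threshold and the three sample messages are all constructed for illustration.

```python
"""Heuristic red-flag triage for a reported email (added example, not from the article)."""
import email
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr
from typing import Optional

# Assumed: the company's own domain plus vendors it normally receives mail from.
TRUSTED_DOMAINS = {"example.com", "acmebank.example"}

# Assumed keyword lists; a real deployment would tune these to its own mail.
URGENCY = ("immediately", "urgent", "within 24 hours", "account will be suspended", "final notice")
SENSITIVE = ("password", "social security", "bank account", "wire transfer", "gift card")
THREATS = ("terminated", "termination", "suspended", "disciplinary")
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk", ".docm", ".xlsm")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted in domain:  # e.g. example.com-login.net embeds the real domain
            return trusted
    best = max(sorted(TRUSTED_DOMAINS), key=lambda t: SequenceMatcher(None, domain, t).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= 0.8 else None


def analyze(raw: str) -> list:
    """Return (code, detail) pairs for each red flag found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    # Display name claims an organization the sending domain does not belong to.
    for trusted in sorted(TRUSTED_DOMAINS):
        org = trusted.split(".")[0]
        if org in name.lower() and from_dom != trusted:
            flags.append(("name-domain-mismatch", f"'{name}' sent from {from_dom}"))
    imitated = lookalike(from_dom)
    if imitated:
        flags.append(("lookalike-domain", f"{from_dom} resembles {imitated}"))
    # Replies silently routed to a different domain than the one shown in From.
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append(("reply-to-mismatch", f"replies go to {domain_of(reply_addr)}"))
    # Urgency, requests for sensitive data, and threats in subject or body.
    for code, words in (("urgency", URGENCY), ("sensitive-request", SENSITIVE), ("threat", THREATS)):
        hits = [w for w in words if w in text]
        if hits:
            flags.append((code, ", ".join(hits)))
    # Unsolicited attachments with executable or macro-bearing extensions.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT):
            flags.append(("risky-attachment", fname))
    return flags


def risk_level(flags: list) -> str:
    """Crude triage bucket: three or more flags is 'high', any flag 'medium', none 'low'."""
    return "high" if len(flags) >= 3 else "medium" if flags else "low"


# Constructed sample messages (not real mail).
PHISH = """\
From: "Acmebank Security" <alerts@acmebank-secure.net>
Reply-To: recover@mail-verify.example.org
To: jane@example.com
Subject: URGENT: your account will be suspended within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please confirm your password and bank account details immediately
to avoid termination of online banking access.
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

LOOKALIKE = """\
From: "IT Helpdesk" <helpdesk@exarnple.com>
To: jane@example.com
Subject: Mailbox storage limit reached

Your mailbox is almost full. Sign in at the portal to review your storage.
"""

BENIGN = """\
From: "HR Department" <hr@example.com>
To: jane@example.com
Subject: Holiday schedule 2025

The updated holiday schedule is on the intranet. Let me know if you have questions.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LOOKALIKE", LOOKALIKE), ("BENIGN", BENIGN)):
        found = analyze(raw)
        print(label, risk_level(found), found)
```

The lookalike check uses a plain edit-similarity ratio, which catches the "rn" for "m" and "1" for "l" substitutions that fool the eye but not a domain that merely embeds a brand name, so the display-name check is kept separate. None of these heuristics replaces SPF/DKIM/DMARC validation or a reporting button; they rank reported messages so the team looks at the worst ones first.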
Spear phishing prevention is an ongoing process. Employees need regular training on spotting and reporting these scams, and a capable IT or security team to support them when they do. By hiring IT professionals with relevant education and credentials, such as a Bachelor of Science in Cybersecurity or a Master of Science in Cybersecurity, you can better protect against incoming threats.