What is the Difference Between Phishing and Spear-Phishing?

by Sarah Harvey / September 10th, 2019

Imagine this…Your employee, Kevin, sits down at the office and opens his email inbox. The first message is from the CEO of your company, Chris, with the subject line “Priority Task” The email seems urgent. He opens it quickly and reads his task.

Because Kevin wants to quickly complete this task for his employer, he rushes to reply. He follows the instructions he receives in a follow-up email, which leads him to send private access information to a “client,” AKA the spear-phisher behind this entire email thread. If he was trained on proper security measures, Kevin would have recognized the familiar spear-phishing tactic of personalized, yet random requests from c-level executives. He would have realized the email address was unfamiliar and the urgency in the message was uncharacteristic of his boss. Instead, he fell for a common spear-phishing tactic which led to malicious access to his company’s data.

To make sure your employees recognize the familiar tactics of phishing, you first need to know the various strategies malicious individuals use to gain access to sensitive information. Let’s talk about the difference between phishing and spear-phishing.

What is Phishing?

Phishing is any effort from an attacker to gain sensitive information from an individual via email, social media, and even phone calls. In the context of a business entity, these malicious individuals make contact with employees asking for private information that can lead to access of company systems, processes, or data. These attacks are not personalized. Instead, they are mass-generated with the hope at least one individual will fall for the trap.

It’s not uncommon for employees to fall for these simple phishing attacks. In fact, Verizon’s 2019 Data Breach Investigations Report claims that 32% of breaches involved phishing. That’s a difficult number to grasp. Phishing is not a complex or expensive tactic that attackers use. It’s about casting a wide net and, as evidenced, it’s successful in gaining access to companies’ private systems.

Phishing vs. Spear Phishing

Spear-phishing differs from normal phishing in that spear phishing is targeted and personalized. Spear-phishers target specific individuals with custom messages. They spend more time and energy on finding personal information to create tailored attacks. For businesses, spear-phishers tend to act as c-level executives or fellow employee. The emails, phone calls, and messages from these malicious individuals tend to hold a level of urgency to convince victims to act quickly.

Spear-phishing is more likely to be successful in gaining access to sensitive data as it appeals to the familiarity of a victim. The tech company Ubiquiti learned about the impact of spear-phishing firsthand in 2015 when employees fell victim to an attacker’s tactics. The spear-phisher targeted Ubiquiti employees by imitating a company employee and asking for an unauthorized international wire transfer. The attacker targeted Ubiquiti knowing it handles international transfers often, and it worked for them – the company lost $46.7 million to these spear-phishing attacks. It led to legal action and countless hours remediating the security issues found from this attack.

Was this leak of information and financial resources inevitable? Absolutely not. If proper information security procedures were in place, employees would have been aware of possible attack tactics. Whether it’s personalized or not, phishing is effective. Make sure your organization is even more effective in securing its data and private information.

Hunt for Your Vulnerabilities Before Hackers Do

Who would you rather have locating the security weaknesses within your company – a malicious hacker or a security professional that you hired to secure your assets? At KirkpatrickPrice, we recognize the value in thorough penetration tests that seek out your vulnerabilities and work to correct them. Our team of expert penetration testers use a variety of penetration tests and social engineering to locate the security issues your organization may not recognize.

Do you want to find out your organization has a security vulnerability after you’ve already lost millions to a malicious attacker?

Of course not!

Be proactive. Contact KirkpatrickPrice today to learn how we can help you become secure.