Spear Phishing has much in common with traditional Phishing but is more targeted to a specific group. Spear Phishing is defined as an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear Phishing attempts are not typically initiated by “random hackers” but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information (SearchSecurity, 2005).
A typical Spear Phishing attack begins when a “Phisherman” (the person performing the attack) gathers detailed information about you and your organization through websites, blogs, and social networking sites.
Then the “Phisherman” sends out specific and personal emails asking the user or “phish” (the person the attack is being conducted on) to enter their username, password, account number, access codes, or PINs on a clone website. The request seems very authentic since it comes in the form of a familiar site or process. From there, as in a typical Phishing attack, your information is captured, leaving the user vulnerable to identity theft or financial loss.
A recent example of a successful Spear Phishing attack occurred when news reports stated that the U.S. Chamber of Commerce was hacked by Chinese hackers and an unspecified amount of data was accessed from the network for over a year undetected.
There are ways to avoid being caught by a spear:
- IT and help-desk personnel will never ask for your password, so never give out your password for any reason.
- Never reveal any personal information in an email.
- Look for digital signatures.
- Assume all unsolicited requests are Phishing attempts.
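The checks in this list can be partly automated on the receiving side. The following is an added example, not part of the original article: it flags a message that carries no S/MIME or PGP/MIME signature, a Reply-To domain that differs from the sender's, and link text that names one host while pointing at another (the clone-website pattern). The function names, the sample message and its `example.com` / `.test` domains are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

SIGNED_TYPES = {"multipart/signed", "application/pkcs7-mime", "application/x-pkcs7-mime"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(address):
    """Lower-cased domain of an address header value ('' if absent)."""
    return parseaddr(address or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return a list of warning strings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    # 1. "Look for digital signatures": is an S/MIME or PGP/MIME part present?
    #    Presence only; validating the signature is the mail client's job.
    if not any(p.get_content_type() in SIGNED_TYPES for p in msg.walk()):
        findings.append("unsigned")
    # 2. Replies routed to a different domain than the visible sender.
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply and reply != sender:
        findings.append("reply-to-mismatch")
    # 3. Link text shows one host while the href leads to another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        for href, text in ANCHOR.findall(html):
            shown = re.search(r"[\w.-]+\.[a-z]{2,}", text, re.I)
            target = (urlparse(href).hostname or "").lower()
            if shown and shown.group(0).lower() != target:
                findings.append("link-mismatch")
    return findings

# Constructed sample message (not a real e-mail).
SAMPLE = (
    "From: IT Help Desk <helpdesk@example.com>\n"
    "Reply-To: helpdesk@example-support.test\n"
    "Subject: Password expires today\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<p>Confirm at <a href="http://portal.example-support.test/login">'
    "portal.example.com</a></p>\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty result does not make a message trustworthy; it only means none of these three indicators fired.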
For more interesting information about Spear Phishing, go to: