Both phishing and spear-phishing are forms of email attacks meant to coerce you into a compromising action, like clicking an embedded link or attachment that contains malware aimed at attacking your computer and business applications.
The primary difference between the two is the targeted audience. Although phishing and spear-phishing don’t have anything to do with actual fishing, you can use the sport to easily remember the difference between the two.
Phishing
When fishing for sport, you’re hoping to catch any number of fish on a given day. You may not care what kind of fish, or how many you catch — you’re just casting a broad net in the hopes of getting something. This is the general idea behind email phishing campaigns as well. Phishing attacks are designed to target mass groups of people with the hopes that some attempts will be successful.
Cybercriminals will try to lure potential victims into their trap by playing off well-known companies, spoofing their accounts to resemble that of a popular business. The contents of their email may prompt a user to click on a link that downloads harmful malware or browse to a site that requests a user’s name, email, SSN, and more.
These types of attacks are typically a bit easier to detect and therefore aren’t as dangerous as the specialized and precise spear-phishing attempts that have risen in popularity in recent years.
Spear-Phishing
Following along with the fishing analogy, spear-fishing is a more advanced variation of the sport, requiring specific skills to be successful. When spear-fishing, you see your target in the water and you focus all of your efforts on catching one particular fish. The same can be said for email spear-phishing attacks. Spear-phishing campaigns target specific email accounts in the hopes that the person they’ve selected will click on a bad link or provide personally identifiable information.
With spear-phishing, hackers will use more sophisticated methods for selecting their target, often tapping into social media accounts that contain personal information like email addresses, phone numbers, home addresses, and more. Using this personal information, they will carefully craft emails that include specifics that only the target or their close associates may know, significantly increasing the success rate of their attack.
Spear-phishing attacks often aim to obtain access to user accounts. Cyber-attackers then use this information to gain access to other applications like social media, banking, and even the company network.
How to protect your business from phishing attacks
Cyber-attackers are getting better at disguising their attempts at accessing your personal information. To stay ahead of these spoofed emails, businesses need to employ a mixture of anti-phishing software and employee awareness training programs.
Back-end protection
Solutions like Microsoft DMARC and Cisco Umbrella are designed to protect end-users from malicious attacks at the domain level, catching phishing and spear-phishing attempts before they get to their target audience.
These applications scan networks for suspicious activity, blocking suspected attacks at the domain and IP levels. With Cisco Umbrella, the protection extends to the DNS record level and is used to resolve DNS queries across your organization.
Microsoft DMARC does an excellent job of targeting email spoofing campaigns geared at tricking employees into thinking malicious emails are coming from inside their organization and are safe to open. This anti-phishing application delves into the inner workings of email software, using the Sender Policy Framework (SPF) as a means of authenticating an email before it even gets to an employee’s inbox.
Employee awareness training
No matter how protected your applications are from these types of attacks, cybercriminals will continue to try and take advantage of the one variable that cannot be controlled through meticulously designed software: human error. As new software is developed, new ways of penetrating a network through phishing will surface.
For those attacks that make it through the layers of backend protection, there are providers like KnowBe4. This company offers a range of products and services aimed at educating employees about the dangers of phishing, what to look for and how to react.
Through simulated phishing attacks and on-demand education content, KnowBe4 leverages one of the most powerful blocking devices a business has — their employees, even referring to them as a “human firewall.”
Summary
Our team at ZAG takes security seriously. We understand the need for a comprehensive approach to security across your organization, and we utilize our industry-defined standards to deliver specialized solutions that fit your needs. We can help you design plans that incorporate DMARC, Umbrella, KnowBe4 and other leading security technologies to secure your company against incoming threats.
The biggest security risks are those that haven’t yet been discovered. Visit our IT security consulting page to learn more about how we help companies anticipate and block threats before they take hold.