Phishing vs. Spear Phishing

What’s the Difference Between Phishing and Spear Phishing?

Humans make mistakes.

That’s the basis for the success of phishing and its variant, spear phishing. They leverage human fallibility to trick, deceive, and pressure people into taking actions that play into the hands – and scams – of cybercriminals.

Consider these facts:

  • Phishing attacks based on emails jumped by 202% last year, according to the SlashNext 2024 Phishing Intelligence Report.
  • AI chatbots are empowering criminals to create increasingly sophisticated phishing attacks, according to TechTarget.
  • An estimated 3.4 billion phishing emails, many of them automated, are sent every day.

Read on to learn more about phishing and how it differs from spear phishing.

What Is Phishing?

Phishing is a type of social engineering, meaning that it uses psychological manipulation of people to access their credentials, devices, or data. Social engineering contrasts with other cyberattacks that target data and systems directly.

Here’s how a phishing attack works:

The malicious actor sends an email, text, social media message, or phone call that pretends to be from a legitimate source, such as a bank, retailer, service provider, or government agency – or a co-worker or manager. The goal is to persuade the person to respond to the communication by taking an action, such as clicking on a malicious web link, downloading a malicious file, transferring funds, or divulging credentials or sensitive information. To do this, the cybercriminal may try to evoke fear, curiosity, or a sense of urgency.

To fool the recipient, a phishing attacker may mimic corporate logos and branding or use wording that seems familiar to the recipient. Attackers may create fake websites or use caller ID or email spoofing. Once the user takes the bait, the attacker can steal identity information, access accounts, install malware on the user’s device, or gain entry to the organization’s IT system.

Phishing is said to have originated in the mid-1990s, when the term was first used in a Usenet newsgroup. The first attacks were associated with America Online (AOL). According to Phishing.org, hackers stole AOL passwords and created randomized credit card numbers, which they used to open AOL accounts for spamming other users. After AOL implemented security measures, the hackers began impersonating AOL staff, sending messages asking users to verify their account or billing data.

Today, there are many types of phishing, including spear phishing (see next section). Here are three examples:

  • Quishing uses fake quick response (QR) codes embedded in emails and text messages or posted on signage or in publications. The codes redirect users to malicious websites where they are asked to provide personal data or prompted to download harmful content. Quishing is especially dangerous because it can bypass most security protections.
  • Smishing, a mashup of SMS and phishing, uses text messaging or short message service to execute the attack. Smishing takes advantage of low awareness about the dangers of clicking a link in a text. A common example is a message appearing to come from the person’s bank, stating their account has been compromised and asking for an immediate response.
  • Adversary-in-the-Middle (AitM) begins with a phishing email from the cybercriminal, who also sets up a proxy server between the user and the website or service that they want to impersonate. When the user clicks on the link in the phishing email, they are redirected to the fake login page hosted by the proxy server, where their login information can be captured.

Some of the recent iterations of phishing use generative AI. Harvard Business Review warns that GenAI tools are making phishing emails “more advanced, harder to spot, and significantly more dangerous.” For example, phishing campaigns can be fully automated using large language models (LLMs) like ChatGPT.

Deepfake phishing is a new approach leveraging AI. Attackers use AI algorithms to fabricate audio, video, or images that appear to be authentic and help to gain users’ trust. The hiring process is one area where this technique is being used. According to a CIO article, North Koreans are using deepfakes to impersonate American citizens in an attempt to win cybersecurity jobs in U.S. corporations, where they aim to exfiltrate trade secrets and other sensitive data.

Real-world Attacks

Major phishing incidents in 2024 included a breach of Change Healthcare’s IT system by malicious actors who harvested employee logins through phishing attacks. Once they gained access, the criminals disrupted operations, stole patient data, and demanded a ransom, which they did not honor.

Another attack targeted Starbucks customers, who were offered a free coffee gift they could claim by clicking on malicious links used to steal personal and financial information. The phishing emails featured the corporate logo and color scheme, and a spoofed email address.

What Is Spear Phishing?

Spear phishing differs from generic (bulk) phishing in its target audience: a particular individual vs. a group. That person typically has privileged access or special permissions that the attacker can exploit.

Spear phishing communications are customized – either by humans or AI – to the target using personal details gleaned from social media, professional organizations, and other sources. Attackers devote extensive time and effort to find as many details about the target’s work, personal life, friends, and family as they can. Importantly, the email, text, or phone call appears to come from someone known to the target, such as their manager or a company executive with financial responsibilities.

Common spear phishing approaches include posing as a charitable organization asking for donations, as a vendor requesting financial details, or as a customer service agent responding to a complaint.

In contrast, bulk phishing involves sending a generic message, which appears to be from a well-known and trusted entity like a famous brand, to hundreds or thousands of people. The attackers hope that at least a few of the many recipients will fall for the scam.

Although spear phishing is much less common than bulk phishing, due to the amount of time-consuming research and customization required, the potential rewards can be significant. According to a report by Barracuda Networks, spear phishing represents only a tiny fraction – less than 1 percent – of total phishing attacks but is responsible for a large percentage of breaches.

Types of Spear Phishing

Special varieties of spear phishing include:

  • Whaling, which is an attack aimed at a “high-value” individual such as a company CEO, a celebrity, or a politician. These targets usually have access to extremely sensitive information or large amounts of money.
  • Business email compromise, where malicious actors use spear phishing tactics to access an organization’s email system and carry out fraudulent activities. Typically, they compromise an employee’s email account and use it to impersonate the individual. The account can be used to ask for sensitive data or request funds.
  • Brand impersonation, where the attacker pretends to be a familiar brand in order to trick the target into revealing sensitive data, such as credentials. This scam often involves a phony website or app.
  • Malware delivery, which often uses malicious attachments or links to fake websites. The goal is to gain access to data or disrupt the target organization’s IT system.

How to Protect Yourself from Phishing and Spear Phishing

Since phishing and spear phishing take advantage of human vulnerability, it’s vital to help users identify red flags in phishing emails, text messages, phone calls, and social media posts – and report these suspicious communications.

  • Emotional triggers: Many phishing scams create a sense of urgency or imply a threat that causes the user to act quickly, without careful consideration. For instance, an email may warn you about dire consequences (cancelling an account, incurring a penalty) if you do not input certain information right away. Or the message could provide a short deadline for taking action to win a prize or obtain a discount on a product or service.

    In spear phishing, the urgency may come from a sense of responsibility. You may feel pressured by the sender, who is posing as a company manager or executive, to send confidential information or transfer funds immediately or risk your job.

  • Overpromising: A phishing scam may try to lure recipients with an amazing offer. As in any other situation, if a deal sounds too good to be true, it is probably fake.
  • Suspicious links or attachments: A cardinal rule is to avoid clicking links or opening attachments from potential phishing communications. To check the validity of a link, you can mouse over it and compare the web address that pops up with the link text shown in the message, to be sure they match. Similarly, you should be sure the top-level domain (e.g., .com, .edu, .org) is appropriate for the organization.
  • Poor-quality communication: The email or text may contain spelling errors, grammar mistakes, or awkward phrasing that result from foreign language translation. However, with the rise of Large Language Models, such errors are becoming harder to spot and, therefore, less effective in identifying phishing.
  • Lack of personalization: While spear phishing scams are highly customized, bulk phishing emails or texts may use a generic greeting (“Dear Sir or Madam”) that indicates the sender is a stranger.

Increasing user awareness of phishing and spear phishing tactics is one remedy for avoiding these scams, but it’s not enough. Besides educating users, organizations should take other preventive measures, including robust security tools and policies.

  • Deploy anti-phishing software that can scan for and block suspicious emails, block malicious websites, and monitor network activity for signs of phishing campaigns.
  • Require phishing-resistant multi-factor authentication (MFA) based on public/private key cryptography, such as FIDO (Fast Identity Online) security keys.
  • Use email spam filters, which examine headers, analyze email content and language, and block senders on blacklists of known scammers.
  • Change browser settings to prevent fraudulent sites from launching.
  • Adopt cloud email security products, which typically include anti-phishing capabilities. These solutions filter out suspicious emails and mark them as spam or quarantine them.
  • Implement Domain-based Message Authentication, Reporting and Conformance (DMARC) for the organization’s email domain. This email authentication protocol protects against phishing and email spoofing attacks. It builds on two other protocols, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), to verify that the sender’s domain is authentic.
  • Use end-to-end encryption of data in transit to help prevent attackers from intercepting sensitive information.
  • Conduct simulated phishing attacks to evaluate the organization’s vulnerabilities and the effectiveness of existing security protections.
  • Update and patch software promptly to minimize vulnerabilities.
  • Encourage users to report phishing and spear phishing incidents to the U.S. Federal Trade Commission at https://reportfraud.ftc.gov/ and to the Anti-Phishing Working Group at https://apwg.org/reportphishing/.
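To make the DMARC point concrete, here is an added example (not the article's or any product's code) of the decision a receiving server makes for one message: it passes only if SPF or DKIM passed and the domain that passed aligns with the From: domain. The headers are constructed, and the organizational-domain rule is simplified to the last two labels, which is an assumption; real receivers consult the public suffix list.

```python
# Added example (not from the original article): the DMARC decision for one
# message, given its From: header and the Authentication-Results header the
# receiving server recorded. Alignment is "relaxed"; the organizational-domain
# rule is simplified to the last two labels (real receivers use the public
# suffix list).
import re
from email.utils import parseaddr

def org_domain(domain):
    """Simplified organizational domain: last two labels (an assumption here)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(d1, d2):
    return org_domain(d1) == org_domain(d2)

def parse_auth_results(header):
    """Return (spf_result, spf_domain, dkim_result, dkim_domain); absent parts
    are None. Only the fields DMARC needs are read."""
    def grab(pattern):
        m = re.search(pattern, header)
        return m.group(1) if m else None
    return (grab(r"\bspf=(\w+)"), grab(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)"),
            grab(r"\bdkim=(\w+)"), grab(r"header\.d=([\w.-]+)"))

def dmarc_pass(from_header, auth_results):
    """DMARC passes if SPF or DKIM passed AND that domain aligns with From:."""
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1]
    spf_res, spf_dom, dkim_res, dkim_dom = parse_auth_results(auth_results)
    spf_ok = spf_res == "pass" and spf_dom and aligned(spf_dom, from_domain)
    dkim_ok = dkim_res == "pass" and dkim_dom and aligned(dkim_dom, from_domain)
    return bool(spf_ok or dkim_ok)

# Constructed samples. LEGIT is signed by the From: domain and its bounce
# domain is a subdomain of it. SPOOF displays ceo@example.com, but SPF only
# vouches for the sender's own bounce domain and there is no DKIM signature.
LEGIT_FROM = "Accounts <billing@example.com>"
LEGIT_AR = ("mx.example.net; spf=pass smtp.mailfrom=bounce@mail.example.com; "
            "dkim=pass header.d=example.com header.s=sel1")
SPOOF_FROM = '"CEO" <ceo@example.com>'
SPOOF_AR = "mx.example.net; spf=pass smtp.mailfrom=x@evil.test; dkim=none"
```

What the receiver does with a failing message (monitor, quarantine, or reject) comes from the p= tag of the domain owner's published DMARC policy, which this snippet does not look up.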

While all these recommendations apply to both phishing and spear phishing, protecting against highly personalized spear phishing attacks can be very difficult. Many recipients cannot detect flaws in a carefully researched and sophisticated spear phishing attack. That’s why it is vital to establish and enforce verification procedures for all financial transactions, even if the request comes from the CEO or CFO.
