Monday, August 23rd, 2021
Phishing and spear phishing are both “social engineering” cyberattacks. In both types of attacks, a cybercriminal impersonates a trustworthy person and tricks their target into revealing login credentials, installing malware, or making a wire transfer.
This is a summary of the similarities and differences between phishing and spear phishing. Think of it this way:
What is phishing?
As we explained in our article “What Is Phishing?,” the term “phishing” can mean two things:
In the first instance, “phishing” can refer to cyberattacks including:
In the second, specific sense, phishing means a social engineering attack (conducted via email) with no specific target. We sometimes call this “spray-and-pray” phishing. The cybercriminal sends as many emails as they can in the hope that someone falls for their scam. But don’t be fooled: phishing attacks aren’t necessarily amateurish operations.
What is spear phishing?
Spear phishing is a targeted phishing attack. The target receives an email that addresses them directly — by name. Any type of targeted phishing attack is a “spear phishing” attack, including:
But spear phishing is broader than this: if a Business Email Compromise attack, wire transfer phishing attack — or any other type of phishing attack — targets a specific individual, it’s a spear phishing attack.
Looking for more information about spear phishing? Check out this article: What is Spear Phishing? Targeted Phishing Attacks Explained.
Phishing vs. spear phishing examples
Now we’re going to look at some phishing attacks and spear phishing attacks side-by-side so you can understand the differences. The two emails below demonstrate the essential difference between phishing and spear phishing:
This is an example of a bulk phishing email. In this case, the attacker is impersonating Netflix.
This is an example of a “bulk” phishing email. It doesn’t address the target by name and doesn’t contain any personal information. But, because it appears to come from a trusted brand (Netflix) someone is likely to click the link.
This is an example of a targeted spear phishing attack. In this case, the attacker is impersonating the target's colleague.
This is an example of a spear phishing email: CEO fraud, to be precise. The attacker has exploited a professional relationship to elicit feelings of urgency and trust — the CEO urgently needs a favor and requests an employee to pay an invoice to an unknown account. But the “CEO” is a cybercriminal who controls the “new account.”
These examples should help you better understand the difference between phishing and spear phishing:
Looking for more resources?
We explore phishing, spear phishing, and other social engineering attacks in greater detail in the following articles:
What is phishing and spear phishing?
“Spear phishing” is a type of phishing campaign that targets a specific person or group and often will include information known to be of interest to the target, such as current events or financial documents.
What are 2 types of phishing?
What Are the Different Types of Phishing? Spear Phishing, Whaling, Vishing, Email Phishing.
What is an example of spear phishing?
Spear phishing is a more targeted cyber-attack than phishing. Emails are personalized to the intended victim. For example, the attacker may identify with a cause, impersonate someone the recipient knows, or use other social engineering techniques to gain the victim's trust.
What is the difference between spear phishing and social engineering?
Spear phishers carefully research their targets, so the attack appears to be from trusted senders in the targets' life. A spear phishing email uses social engineering techniques to urge the victim to click on a malicious link or attachment.