08 Jul 2013

SANS Ouch! Security Newsletter – July 2013 – Spear Phishing

You may be familiar with phishing attacks. These are emails sent by cyber criminals to millions of potential victims around the world, designed to fool, trick or attack them. Usually, these messages appear to come from a trusted source, such as your bank or someone you may know. The emails often have an urgent message or a deal for you that is simply too good to pass up. If you click on the link in a phishing email, you may be taken to a malicious website that attempts to hack into your computer or harvest your username and password. Or the phishing email may have an infected attachment; if you open the attachment, it attempts to infect and take control of your computer. Cyber criminals send these emails to as many people as possible, knowing that the more people who receive the email, the more people will likely fall victim.

While phishing is effective, a relatively new type of attack called spear phishing has developed. The concept is the same: cyber attackers send emails to their victim, pretending to be an organization or a person the victim trusts. However, unlike traditional phishing emails, spear phishing messages are highly targeted. Instead of sending an email to millions of potential victims, cyber attackers send spear phishing messages to very few select individuals, perhaps five or ten targeted people. Unlike general phishing, with spear phishing the cyber attackers research their intended targets, for example by reading the intended victim’s LinkedIn or Facebook accounts or any messages they posted to public blogs or forums. Based on this research, the attackers then create a highly customized email that appears relevant to the intended targets. This way, the individuals are far more likely to fall victim to the attack.

Source: SANS Ouch! Security Newsletter

| Title | Language |
| --- | --- |
| Spear Phishing | English |
| Spear Phishing (epub version, for tablets only) | English |
| Spear Phishing | Albanian |
| 鱼叉式钓鱼 | Chinese, Simplified |
| Spear Phishing | Dutch |
| 叉魚式攻擊 | Chinese, Traditional |
| فیشینگ هدفدار (فریب هدفدار) | Farsi |
| Attaques par Harponnage | French |
| Spear Phishing – gezielte Angriffe | German |
| Célzott adathalászat | Hungarian |
| Lo Spear Phishing | Italian |
| スピアフィッシング | Japanese |
| 스피어 피싱 | Korean |
| Spear Phishing | Malaysian |
| Spear Phishing | Norwegian |
| Spear Phishing | Polish |
| Spear Phishing | Portuguese |
| Целевой Фишинг | Russian |
| Ciljano Pecanje | Serbian |
| Hedef Odaklı Oltalama Saldırıları (Spear Phishing) | Turkish |


Updated: 8 July 2013 / Responsible Officer: Chief Information Officer / Page Contact: IT Security