What is a spear phishing attack and why is it difficult to spot?

No Internet user is immune to cybersecurity threats. From risks posed by unattended hardware to malicious links delivered to an inbox, users must remain vigilant and aware of the possible dangers presented by modern technology.

One of the most persistent and nefarious cyber threats is phishing: a fraudulent attempt to trick a user out of personal or private information. An estimated 3.4 billion phishing emails are sent to unsuspecting users every day.

“Phishing” may have a funny name, but it’s serious business. As simple email scams have morphed into larger, more sophisticated fraud operations like spear-phishing campaigns, small businesses must take the right precautions to ensure that employees don’t fall for tricks that can jeopardize crucial business data.

Here’s a closer look at how phishing works, how spear phishing presents a unique threat to small businesses, and what can be done to ward off such threats:

What is phishing?

Phishing is a criminal tactic that attempts to pass off a fake message as authentic with the intention of tricking the user into performing a specific action. Taking the form of a fake invoice, password reset request, or another message that requires the user to click on a link or open a file, a phishing attack redirects that action to a webpage or application that carries out a malicious task, such as harvesting credentials or installing malware.

At first glance, many phishing emails can appear to be downright laughable, containing questionable spelling or grammar, unusual branding or imagery, or other types of content that immediately give away that the email is not authentic.

But considering that in 2019 alone, the FBI attributed more than $57 million in losses to various types of phishing schemes, even the savviest technology user remains susceptible to clicking on links that can cause serious damage to a small business.

What is spear phishing?

Spear phishing is a sophisticated, highly personalized attack designed with a specific user or organization in mind. Where a traditional phishing attack is a broad attempt to trick any user into clicking a link, spear-phishing messages are carefully crafted, often using details gathered about the target, to seem as legitimate and credible as possible.

Two types of scams account for most spear-phishing campaigns:

Business Email Compromise (BEC)

The attacker mimics the email address (or just the display name) of a high-ranking company official or business partner so that the recipient believes the message is legitimate correspondence.

BEC spear-phishing attempts often ask users to make a payment or purchase that sends money to the criminal. They can also look like a meeting invitation from someone within the company.

Impersonation

The attacker mimics the email address of a trusted company, vendor or software provider and asks the user to carry out a particular action, such as clicking a fraudulent link or opening a fraudulent invoice or purchase order.

Impersonation-based spear-phishing campaigns also take advantage of brands like Google, Microsoft, and DocuSign, which legitimately deliver service notices and security alerts by email. Emails asking an employee to complete a Microsoft software update or change their Gmail password are popular and hard to detect.

In both variations of spear-phishing campaigns, nefarious actors seek access to proprietary information, money through fraudulent wire transfers or purchases, or private accounts. A successful spear-phishing campaign can also leave behind malware or ransomware that exposes a device to future attacks.
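The two variations above share the same tell: a sender that looks right but is not. As an added example (not code from the original page or from DWD Technology Group), the script below runs a few of the checks a mail filter applies for BEC and brand impersonation over three constructed messages: a look-alike sender domain (typosquat, digit substitution, or non-ASCII homoglyph), an executive's display name on an address that is not theirs, a Reply-To that diverts replies elsewhere, and a payment or credential request paired with urgency language. The trusted-domain list, the executive directory, the keyword lists and the sample messages are all hypothetical values chosen for this example.

```python
import email
import email.utils
from email import policy

# Assumed allow-list of domains the organisation legitimately receives mail from
# (hypothetical values for this example).
TRUSTED_DOMAINS = {"example.com", "microsoft.com", "docusign.com"}

# Assumed internal directory: lower-cased display name -> the person's real address.
EXEC_DIRECTORY = {"jane doe": "jane.doe@example.com"}

# Character substitutions typosquatters use to build look-alike domains.
ASCII_SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

PAYMENT_WORDS = ("wire", "transfer", "invoice", "payment", "gift card", "password")
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "expires")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a typosquat is usually one or two edits from the real name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Undo common ASCII substitutions so 'exarnple.com' compares as 'example.com'."""
    d = domain.lower()
    for fake, real in ASCII_SUBSTITUTIONS:
        d = d.replace(fake, real)
    return d


def check_message(raw: str) -> list:
    """Run the spear-phishing heuristics over one RFC 5322 message; return findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Look-alike sender domain (brand or partner impersonation).
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        # Non-ASCII labels, or their punycode 'xn--' form, are how homoglyph
        # domains (e.g. a Cyrillic letter inside a brand name) reach the inbox.
        if not from_domain.isascii() or "xn--" in from_domain:
            findings.append(f"non-ascii/punycode sender domain: {from_domain}")
        else:
            norm = normalize_domain(from_domain)
            for trusted in TRUSTED_DOMAINS:
                if edit_distance(norm, trusted) <= 1:
                    findings.append(f"sender domain {from_domain} imitates {trusted}")
                    break

    # 2. A known executive's display name on an address that is not theirs (BEC).
    real = EXEC_DIRECTORY.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display name '{name}' belongs to {real}, not {addr}")

    # 3. Reply-To outside the From domain: replies (and money) go to the attacker
    # even when the From line itself looks right.
    _, reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")

    # 4. Payment or credential request combined with urgency: the classic BEC ask.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        findings.append("payment or credential request with urgency language")
    return findings


# Constructed sample messages (not real mail): legitimate, BEC, brand impersonation.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts-payable@example.com
Subject: Lunch on Friday

Are you free for lunch on Friday?
"""

BEC = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@mail-relay.net
To: accounts-payable@example.com
Subject: Quick favour

I need you to wire $42,000 to the vendor below today, I am in meetings all day.
"""

BRAND = """\
From: Microsoft Security <alerts@micros0ft.com>
To: jane.doe@example.com
Subject: Action required: password update

Your password expires today. Update it immediately using the link below.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("bec", BEC), ("brand", BRAND)):
        print(label, check_message(sample))
```

These are heuristics, so expect false positives (a partner that really does use a Reply-To on a different domain, for instance) and treat a hit as a reason to quarantine or flag for review rather than as proof. Production mail gateways combine checks like these with SPF, DKIM and DMARC alignment on the sending domain, which this example does not perform.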

How to Prevent Spear-phishing Campaigns

Although small businesses must stay vigilant in order to ward off potential spear-phishing campaigns, there are two easy steps any organization can take to proactively prevent future attacks:

Install anti-phishing software

As its name suggests, anti-phishing software allows organizations to monitor and mitigate potential phishing attacks. Not only do anti-phishing solutions include specific capabilities to detect spear-phishing campaigns, such as flagging look-alike sender domains and impersonated display names, but they can also identify other phishing-related weaknesses and mitigate threats posed by malware-laced attachments.

Educate users

From the boardroom to the break room, any user with access to a company network is at risk of a spear-phishing attack. It’s important to train employees to spot potential phishing attacks, follow best computing practices, and notify IT departments of suspicious activity.

Security awareness training is a formal process for educating employees about the dangers of phishing or other online threats and what steps to take if they encounter an online threat. If your company needs to comply with different government and industry regulations, you must provide security awareness training for employees to meet regulatory requirements.

With ongoing, relevant, and engaging security awareness training, such as phishing simulations, security best practices, and courses on IT and data protection, companies can greatly reduce their chances of being compromised through user error. Such programs ensure that users, processes, and technology are all harnessed together to fight cybercriminals.

DWD Technology Group offers a wide range of end-to-end cybersecurity solutions for businesses throughout the Midwest. For a free, comprehensive security assessment, contact us today!