Cyberattacks are easier when victims are unwitting accomplices.
If malicious actors convince users to provide login data or download infected attachments, they can gain access to business networks. This is phishing — the practice of sending unsolicited emails to unsuspecting users that appear legitimate enough to spark unsafe action.
There's also a more targeted version of the malicious method, known as spear phishing, that is less popular but potentially more problematic. In this piece, we'll break down the difference between phishing and spear phishing, discover how to spot the differences and offer strategies for companies to stay safe.

Understanding Phishing
According to IBM research, phishing remains the most common vector for data breaches and costs companies an average of $4.67 million.
Definition and explanation of phishing
Phishing uses messages to convince users they should take action. These messages could be via email, SMS, through social channels or even over the phone.
These messages are designed to prompt action. They might include an urgent request to reset passwords or confirm information, or they might offer something users want if they just click through on a link. If users get hooked, it takes just seconds for compromise to occur.
Common phishing techniques
There are several common phishing techniques that users should recognize.
First is bulk phishing, which sees attackers sending thousands of emails to unsuspecting users. These emails request action, such as downloading a file or clicking a link. While the success rate for this type of phishing is low, attackers often make up the difference in volume, since it only takes one click to create a compromise.
Next is duplicate phishing. In this case, attackers first compromise email accounts and then send duplicate emails for services such as shipment tracking or account information. Because these emails are nearly identical to their legitimate counterparts, they can convince users to take action.
Attackers may also use what's known as pop-up phishing. This occurs when users are working online and receive a pop-up message warning them that their computer has been infected or offering them a free antivirus scanner. If users click the provided pop-up link, they are prompted to download a malicious file.
How phishing works
Phishing works by leveraging the weakest link in the security chain: Human beings. This weakness isn't intentional — instead, it's an inherent part of humans' social development. Put simply, we're conditioned to respond in social situations. If someone asks for help, we try to find a way. If someone makes a request, especially if it seems reasonable, we'll try to accommodate.
This is what attackers are counting on. When they send "urgent" messages warning users to update their passwords or verify their accounts, they're relying on human nature to override human logic. Consider data from the Verizon 2024 Data Breach Investigations Report, which found that the median time for users to read and act on phishing emails is just 60 seconds.
Here's a simple example of phishing in action:
A person receives an email seemingly from their financial institution, which warns them that their account has been compromised. They’re told that to keep their data safe, they need to click a link and update their password. Since the link and message appear legitimate, they take the bait. The link leads to a spoofed website, and the person enters their credentials. Attackers now have their login and password data, and since users often repeat passwords across multiple sites including corporate logins, malicious actors are now in a position to compromise business security.
Understanding Spear Phishing
As noted by IBM, while spear phishing is much less common than traditional phishing attacks, successful spear phishing attacks are costly — in one instance, cybercriminals stole more than $100 million.
Definition and explanation of spear phishing
Spear phishing targets specific individuals within an organization. Unlike bulk phishing campaigns, attackers research their targets to create a credible persona. For example, malicious actors may monitor targets' behavior on social media sites and read any posts they make on corporate websites or blogs, and keep track of events or conferences they attend.
Using this data, attackers create a seemingly real person who reaches out to "connect" with their target. Initial messages are typically benign and don't ask victims to take any action. Once trust is established, attackers ask their targets to click on links or download attachments, which in turn compromise network security.
How spear phishing attacks are targeted
The targets of spear phishing attacks are typically managers or C-suite executives. This is because attackers are looking for big payoffs, not small successes. They're willing to put in the time and effort of creating a credible persona because they know that higher-level staff often have access to corporate personnel data, financial records, or intellectual property (IP).
How spear phishing works
Spear phishing is all about creating bait that appeals to a particular target. In a traditional phishing attack, the bait is broad-spectrum — any employee in any capacity might respond to messages about accounts being compromised or viruses infecting their computer.
In a spear phishing attack, meanwhile, criminals do their research to create custom bait that entices their target. In the same way that some fishing lures can catch multiple species and others are designed for one specific species, phishing and spear phishing both happen in the same lake — they're just after different results.
Differentiating Spear Phishing and Phishing Attacks
Think of spear phishing as a subset of phishing. Both use messages to compel action, but their targets and methods differ.
Key differences between spear phishing and phishing
There are several key differences between spear phishing and phishing.
First is scope. Phishing attacks often involve hundreds or thousands of emails sent to multiple users at multiple companies. Spear phishing attacks, meanwhile, target a much smaller group.
Second is quality. The sheer number of messages sent in a large-scale phishing attack means that just one click gets attackers what they want. As a result, traditional phishing emails often speak to a general audience and are riddled with spelling and grammar errors. By contrast, spear phishing emails look professional, polished, and entirely believable.
Finally, spear phishing attacks often use a multi-format approach to engender trust. While phishing efforts are often confined to email, spear phishing attacks may include emails, phone calls, and text messages.
Methods used by attackers in each type of attack
The most common method used in phishing attacks is cultivating a sense of urgency. For example, emails often contain words and phrases such as "URGENT", "COMPROMISE DETECTED", or "YOUR COMPUTER IS INFECTED". The goal is to create a sense of fear or worry in victims, who will then take action without considering the consequences.
In the case of spear phishing, pretexting is a common approach. This is the practice of creating a fake narrative — or pretext — that helps foster connection. Consider a CEO who's just returned from a nationwide conference. They receive an email from someone they supposedly met at the conference — with so many people in attendance, it's hard for executives to dismiss this out of hand. The email isn't demanding or pushy; instead, the sender is simply interested in networking.
At least at first. As trust is built over time, the sender will ask the victim to review a proposal or visit a website. Since the target has no reason to doubt the message, they'll happily comply.
Signs to identify a spear phishing or phishing attempt
Detection is the first line of defense against phishing and spear phishing.
For phishing, common signs include:
- Poor spelling and grammar
- Urgent messages that come with dire warnings
- Generalized greetings and content
In the case of spear phishing, watch out for:
- Emails that include highly specific social information
- Messages that are overly familiar
- Unsolicited requests to evaluate documents or view websites
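The signs above can be turned into a simple triage scorer that flags messages for human review. The following is an added example written for this article, not code from LastPass or any mail product; the three sample messages and every address and domain in them are constructed, and the keyword lists are deliberately small so the logic stays readable.

```javascript
// Added example (not from the article or from LastPass): score a raw message
// against the phishing / spear-phishing signs listed above.
// Output is a count of signs plus the reasons, meant to prioritise human review,
// not to replace a mail gateway or user reporting.

// Patterns for the signs the article names. Constructed keyword lists.
const URGENCY = /\b(urgent|immediately|within 24 hours|account (?:will be )?suspended|compromise detected|your computer is infected)\b/i;
const GENERIC_GREETING = /^(dear (?:customer|user|valued member|sir\/madam)|hello,|hi,)/im;
const CREDENTIAL_ASK = /\b(verify|confirm|update|reset) your (?:password|account|details|information)\b/i;
const REVIEW_ASK = /\b(review|take a look at|evaluate) (?:the|this|my) (?:proposal|document|attachment|site)\b/i;
const OVERFAMILIAR = /\b(great (?:meeting|talking to) you|as we discussed|since we met)\b/i;
const MISSPELLINGS = /\b(recieve|acount|verfy|immediatly|pasword)\b/gi;

// Split a raw RFC 822-style message into a header map and a body.
function parseMessage(raw) {
  const [head, ...bodyParts] = raw.split(/\r?\n\r?\n/);
  const headers = {};
  for (const line of head.split(/\r?\n/)) {
    const m = line.match(/^([\w-]+):\s*(.*)$/);
    if (m) headers[m[1].toLowerCase()] = m[2];
  }
  return { headers, body: bodyParts.join("\n\n") };
}

// Extract the domain part of a From / Reply-To header value ("" if absent).
function domainOfAddress(value = "") {
  const m = value.match(/<([^>]+)>/) || [null, value.trim()];
  const at = m[1].lastIndexOf("@");
  return at === -1 ? "" : m[1].slice(at + 1).toLowerCase();
}

// Apply each sign and return { score, signs }.
function scoreMessage(raw) {
  const { headers, body } = parseMessage(raw);
  const text = `${headers.subject || ""}\n${body}`;
  const signs = [];
  if (URGENCY.test(text)) signs.push("urgent language or dire warning");
  if (GENERIC_GREETING.test(body)) signs.push("generic greeting");
  if (CREDENTIAL_ASK.test(text)) signs.push("request to verify or reset credentials");
  if (REVIEW_ASK.test(text)) signs.push("unsolicited request to review a document or site");
  if (OVERFAMILIAR.test(text)) signs.push("overly familiar tone");
  const from = domainOfAddress(headers.from);
  const replyTo = domainOfAddress(headers["reply-to"]);
  if (replyTo && replyTo !== from) signs.push(`reply-to domain (${replyTo}) differs from sender (${from})`);
  const typos = (body.match(MISSPELLINGS) || []).length; // crude proxy for "poor spelling"
  if (typos > 0) signs.push(`${typos} common misspelling(s)`);
  return { score: signs.length, signs };
}

// Constructed sample messages: one bulk phish, one spear phish, one benign notice.
const SAMPLES = {
  bulk: [
    'From: "Bank Security" <alerts@bank-secure-login.example>',
    "Reply-To: <help@collect-mail.example>",
    "Subject: URGENT: acount suspended",
    "To: user@example.com",
    "",
    "Dear Customer,",
    "",
    "Compromise detected on your acount. Verify your password immediatly or your acount will be suspended.",
  ].join("\n"),
  spear: [
    'From: "Dana Reyes" <dana.reyes@consult-partners.example>',
    "Subject: Great meeting you at the summit",
    "To: ceo@example.com",
    "",
    "Hi Alex,",
    "",
    "Great meeting you at the leadership summit in Denver last week. Your keynote resonated with our team.",
    "",
    "Could you review the proposal I've attached when you have a moment?",
  ].join("\n"),
  benign: [
    'From: "IT Helpdesk" <helpdesk@example.com>',
    "Subject: Scheduled maintenance Saturday",
    "To: all@example.com",
    "",
    "Hello team,",
    "",
    "The VPN will be unavailable Saturday 02:00-04:00 for maintenance. No action is needed.",
  ].join("\n"),
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scoreMessage(raw)));
}
```

The bulk sample trips five signs (urgency, generic greeting, credential request, Reply-To mismatch, misspellings), the spear sample trips only the two subtler ones the article lists for spear phishing (familiar tone and an unsolicited request to review a document), and the benign notice trips none. That gap between the two malicious samples is the point: keyword-heavy filters tuned for bulk phishing say little about a polished spear phish, so reporting policies and people remain part of the control.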
Protecting Yourself Against Phishing and Spear Phishing
Protecting networks and data against phishing and spear phishing requires a combination of education, action, and technology.
Best practices for avoiding phishing attacks
The first and best practice to avoid phishing attacks is education. Staff at all levels should be regularly trained to recognize the telltale signs of an attack and to respond appropriately. Training should be carried out at least every six months and should include evaluations that ask staff to recognize and report suspicious messages.
It's also important to provide regular updates on new phishing efforts or attack vectors. For example, while some attackers are now using AI to help write better phishing emails, others are taking a cue from past efforts and leveraging embedded macros to compromise devices.
Tips for recognizing and preventing spear phishing attacks
Action is next — if staff can recognize attacks, they can take steps to prevent them.
When it comes to recognizing potential attacks, there's a simple rule: If it seems suspicious, it probably is. While some attacks are obvious, such as a poorly constructed email clearly looking to bait users with a fraudulent link, others are more subtle. Users might pick up on odd phrasing or notice something not-quite-right about email addresses and sender names.
To capitalize on staff suspicions, companies need to create policies that put reporting first. Even if it means reduced productivity and potential false positives, it's better to cultivate a culture of reporting to avoid the risk of compromise.
Importance of using strong passwords and multi-factor authentication
Finally, businesses need both strong passwords and multi-factor authentication (MFA). Strong passwords reduce the risk that attackers can brute force their way into networks if they obtain other details, such as login IDs. MFA, meanwhile, prevents malicious actors from accessing key resources even if they have both IDs and passwords, since they would also require an additional verification factor such as a one-time passcode, fingerprint, or USB key.
The Role of LastPass in Phishing and Spear Phishing Prevention
With LastPass, companies can reduce their phishing risk.
How LastPass can help secure your online accounts
Users are the only ones with access to their password vault. Master passwords and stored passwords are protected with advanced encryption and kept secret — even from LastPass — and vaults are encrypted and decrypted only on the user's device.
Using LastPass to generate and store strong, unique passwords
LastPass can both create and store strong, unique passwords that reduce the risk of brute-force compromise. In addition, using the LastPass password generator ensures that passwords are not reused.
LastPass features that enhance protection against phishing and spear phishing
With LastPass, users enjoy enhanced protection against phishing and spear phishing. Consider a user who receives an email supposedly from their company's IT provider — www.businessIT.com. The message asks them to click a link and reset their password, but doing so takes them to www.businesIT.com. For humans, it's easy to miss the missing "s" in the URL, putting them at risk of compromise.
LastPass, meanwhile, spots it right away, and since users haven't added the lookalike site to their list of approved sites, LastPass won't fill in usernames and passwords, preventing a potential attack.
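The protection described above rests on one rule: credentials are offered only when the page's hostname exactly matches the hostname recorded when the credential was saved. The following is an added illustration of that rule, written for this article; it is not LastPass code and makes no claim about how LastPass implements its matching. The vault entries and URLs are constructed, and the edit-distance warning is an assumption added to show how a near-miss like the missing "s" can be surfaced to the user.

```javascript
// Added example (not LastPass code): an exact-hostname autofill policy.
// Vault entries and URLs below are constructed for illustration.
const vault = [
  { site: "https://www.businessIT.com/login", username: "jdoe" },        // constructed entry
  { site: "https://mail.example.com/", username: "jdoe@example.com" },   // constructed entry
];

// The hostname an autofill decision should key on. The WHATWG URL parser
// lowercases the host and converts Unicode labels to punycode (xn--), so a
// homoglyph domain cannot compare equal to the ASCII original it imitates.
function hostnameOf(url) {
  return new URL(url).hostname;
}

// Policy: exact hostname match only. Lookalikes ("www.businesIT.com") and
// unrelated subdomains are refused; the user must deliberately save the site
// first. Plaintext HTTP pages are refused as well.
function autofillCandidates(pageUrl, entries = vault) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return []; // unparsable URL: never fill
  }
  if (page.protocol !== "https:") return [];
  return entries.filter((e) => hostnameOf(e.site) === page.hostname);
}

// Levenshtein distance between two hostnames (assumption: a cheap near-miss
// signal, not a complete lookalike detector).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return dp[a.length][b.length];
}

// When nothing is filled, explain why: list saved hosts within two edits of the
// page host, which is exactly the "missing s" case described in the text.
function lookalikeWarning(pageUrl, entries = vault) {
  const host = hostnameOf(pageUrl);
  return entries
    .map((e) => hostnameOf(e.site))
    .filter((saved) => saved !== host && editDistance(saved, host) <= 2);
}

console.log(autofillCandidates("https://www.businessIT.com/reset").length); // 1
console.log(autofillCandidates("https://www.businesIT.com/reset").length);  // 0
console.log(lookalikeWarning("https://www.businesIT.com/reset"));           // [ 'www.businessit.com' ]
```

Note that the user never has to spot the missing letter: the comparison is a string equality on the parsed hostname, so the distinction the eye misses is the one the code cannot miss. The warning list is an extra that a real manager may or may not provide; the core control is the refusal to fill.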
To reduce the risk of phishing and spear phishing attacks, a multi-layered strategy is critical. Start with education: Show staff what to look for, tell them what to do, and make it clear that safety trumps speed. Then, deploy solutions such as web application firewalls (WAFs), cloud-based security monitoring tools, and advanced account protection. In combination, this layered approach limits the chance of a successful catch and can convince aspiring phishers to cast their lines somewhere else.
Fight the phish and stop the spear with protection from LastPass. Start your free trial today.
FAQ
How quickly can I detect a phishing attack?
Your speed in detecting a phishing attack may depend on several factors:
- Using the right anti-phishing tools for your organization
- The existence of organizational measures like staff awareness training
- Employee vigilance in recognizing common phishing signs such as urgent language, oddly phrased sentences, and unsolicited requests for personal information
What should I do if I clicked on a phishing link?
If you accidentally clicked on a phishing link, you have several options:
- Avoid entering your credentials if the link sends you to a page requesting them.
- Delete any files that are downloaded as a result of clicking the link.
- Immediately change any passwords connected to your account if you provided the requested credentials.
- Enable advanced MFA options for the compromised account.
- Use a Secure by Design password manager with Autofill capabilities that prevent your credentials from being entered on phishing sites.
How do I report phishing attempts?
You can report phishing attempts by:
- Notifying your organization’s security team
- Using the “Report Spam, Junk, or Phishing” feature in your email client
- Copying the text message and forwarding it to 7726 (SPAM)
- Sending the phishing email to reportphishing@apwg.org (an address used by the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies)
- Reporting it to the FTC at FTC.gov/Complaint
Can phishing attacks bypass 2FA?
Yes, phishing attacks can bypass 2FA.
SMS-based 2FA is particularly vulnerable to SIM swapping and phishing attacks. The best MFA options to protect your accounts are phishing-resistant FIDO2 authenticators, such as desktop biometrics and USB hardware keys like YubiKey.