What is spearphishing?


“Spearphishing” is one of those terms used by computer security people to describe a particular kind of computer attack. I think it’s a pretty interesting strategy to learn about.

But to understand spearphishing, we have to back up a bit and explain a few things about the fishing/phishing analogy and how one translates to the other.

Most people know what traditional fishing is. You put some bait on the end of your line, throw it in the water and hope you get a bite. You’re kind of putting it out there to all the fish in the lake at the same time, hoping that just one of them falls for it. It’s kind of a “mass” effort in the hopes of succeeding with one target.

Spearfishing (we’re still talking about actual fish in actual water) is a targeted approach. Instead of throwing your bait out for ALL the fish, you wait patiently with a spear, and watch to target a specific fish. Maybe you’re looking and waiting for a really big one to come along. When you see the one you want, all of your effort is put into getting that one big fish.

Now we move into the world of computer security.

A phishing email is one that usually gets sent out to hundreds or thousands of people at a time. It’s usually pretty generic. The email might say that it’s being sent from your bank, and that your account may have been compromised. They want you to log in and confirm your account in order to maintain the account’s security. But when you click on the link, even though you are taken to a website that LOOKS like the login page for your bank, it’s really just a fake website put up by the scammer. When you enter your user name and password, you’re giving the scammer your login credentials.

So a phishing email is a pretty low-effort, wide-spread type of attack. There are lots of potential targets, since it gets sent out to a lot of people at the same time.

A spearphishing email is different. It focuses on a particular high-value target. Here’s an example of how a spearphishing attack might work.

Let’s say there’s a dishonest home remodeling contractor in Dallas, Texas. He wants to get the client list for one of his competitors, so he hires a hacker to do this. So now the hacker has to figure out how to get into the computer of the owner of that competing business. How would he do that?

First, he might go over to the business location at night, when there is no one there. He doesn’t break in, but he looks in the dumpster where the office trash is thrown out. He finds the typical office garbage, but among that garbage is some business paperwork. He finds some invoices from vendors. These are not documents that a company would think need to be shredded, because there is no confidential information included. But the hacker can use that information.

He takes one of the invoices and sees that it’s from a cabinet manufacturer, All American Cabinets. Now he looks up all the information he can find about that company. He sees that they have a public email address for new business inquiries. So, pretending to be a remodeler himself, he sends an email asking about prices and inventory. The next day he gets an email back from the owner, Jack, and the email address is allamericancabinets@gmail.com. Now he knows Jack’s email address.

Next, the hacker creates a new Gmail account: a11americancabinets@gmail.com. See the difference? It’s similar enough that no one would really notice that the first part is “a11” instead of “all”.
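The "a11" versus "all" trick above is exactly the kind of thing a mail filter can catch on the receiving side, because the defender has something the attacker cannot fake: a list of the addresses the business actually deals with. The following is an added example, not code from the original post; it keeps a small trusted-vendor list (constructed here around the post's fictional Jack at All American Cabinets), folds look-alike digits back into letters, and flags a sender that is nearly, but not exactly, a known contact. The vendor list, the homoglyph table and the similarity threshold are all assumptions for the example.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Digits/symbols that are visually close to letters in a sender address.
# Constructed for this example; extend it for your own environment.
HOMOGLYPHS = {"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l", "!": "i"}

# Trusted vendor addresses and the display names people expect with them.
# Constructed sample data, modelled on the post's example.
KNOWN_VENDORS = {
    "allamericancabinets@gmail.com": ("All American Cabinets", "Jack"),
}


def fold_homoglyphs(address: str) -> str:
    """Lower-case the address and replace look-alike digits/symbols with the
    letters they imitate, so 'a11americancabinets' folds to 'allamericancabinets'."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in address.strip().lower())


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how alike two strings are (1.0 = identical)."""
    return SequenceMatcher(None, a, b).ratio()


def check_sender(address: str, threshold: float = 0.9) -> dict:
    """Classify a sender address against the trusted-vendor list.

    verdict: 'known'     exact match with a trusted address
             'lookalike' identical after homoglyph folding, or string
                         similarity >= threshold: treat as suspicious
             'unknown'   no resemblance to any trusted address
    """
    addr = address.strip().lower()
    if addr in KNOWN_VENDORS:
        return {"verdict": "known", "matches": addr, "reason": "exact match"}

    folded = fold_homoglyphs(addr)
    best_score, best_addr = 0.0, None
    for known in KNOWN_VENDORS:
        if folded == fold_homoglyphs(known):
            return {"verdict": "lookalike", "matches": known,
                    "reason": "homoglyph substitution"}
        score = similarity(addr, known)
        if score > best_score:
            best_score, best_addr = score, known
    if best_addr is not None and best_score >= threshold:
        return {"verdict": "lookalike", "matches": best_addr,
                "reason": f"similarity {best_score:.2f}"}
    return {"verdict": "unknown", "matches": None, "reason": "no close match"}


def triage_from_header(from_header: str) -> dict:
    """Check a raw From: value such as 'Jack <a11americancabinets@gmail.com>'.

    Beyond the address check, a trusted display name ('Jack') paired with an
    address that is not the trusted one is also reported as a lookalike:
    the message presents itself as a known contact but is not from them.
    """
    display, addr = parseaddr(from_header)
    result = check_sender(addr)
    result["display_name"] = display
    if result["verdict"] == "unknown" and display:
        for known, names in KNOWN_VENDORS.items():
            if any(display.lower() == n.lower() for n in names):
                result.update(verdict="lookalike", matches=known,
                              reason="trusted display name with untrusted address")
                break
    return result


if __name__ == "__main__":
    # Constructed sample From: headers
    for hdr in ["Jack <allamericancabinets@gmail.com>",
                "Jack <a11americancabinets@gmail.com>",
                "Jack <jack.cabinets@example.net>",
                "Newsletter <news@example.org>"]:
        r = triage_from_header(hdr)
        print(f"{hdr:40} -> {r['verdict']:9} ({r['reason']})")
```

The point of the exact-match-first, near-match-second ordering is that a lookalike is more dangerous than a stranger: an address the recipient has never heard of gets ordinary caution, while one that is almost a trusted contact is the signature of a targeted attempt and deserves a hard stop before the attachment is ever opened.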

Now, he uses that email to send an email to his target company (the competitor). The email might even reference the job that was listed on the invoice. But the point of the email is to make the recipient assume that it’s coming from Jack at the cabinet company. As “Jack”, he might say that they are beefing up security and requiring all their customers to read and agree with the new online security policy, which is attached as a Word document.

So the recipient of that email, seeing that it’s coming from a company they deal with all the time, and it’s being sent by Jack, who they have worked with for years, doesn’t even question that this might be a hacking attempt. They click to open the attachment, but nothing happens. At least that’s how it appears on the screen. So they figure it’s just a computer glitch and forget about it.

But what really happens is when they click that attachment, it activates a program behind the scenes that goes and collects everything in the Documents folder and sends it back to the hacker. And guess what’s in that folder – the client list with all the contact information and work history.

That’s the essence of spearphishing. Rather than send out a hundred emails to the employees of a company, the scammer sends just one targeted email, to a specific person, with very particular and personal information in it, so that nothing about it raises suspicion. It’s a lot of work for just that one email, but the payoff is potentially much larger because of the high-value target.

But you can prevent either of these types of attacks from being successful by following these two rules:

  1. Don’t open email attachments
  2. Don’t click on a link unless you KNOW for sure where it will take you

There are a few exceptions to rule #1, but in general I just don’t open attachments. The exception would be when I know ahead of time to expect that email with that attachment, and I know exactly what the attached file is, and I trust the person who sent it to me.
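Rule #2 is the one that is hardest to follow by eye, because the text of a link and the place it really goes are two different things in an HTML email, and the fake-bank message described earlier relies on exactly that gap. As an added example (not code from the original post), the following pulls every link out of an HTML email body and reports the ones whose visible text is itself a web address pointing somewhere other than the real target. The sample email and the bank and hosting names in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email: the visible link text shows the "bank",
# but the href goes to an unrelated site. The last link is honest.
SAMPLE_EMAIL = """
<p>Your account may have been compromised. Please confirm your details:</p>
<p><a href="http://examplebank-security.example.net/login">https://www.examplebank.com/login</a></p>
<p>Questions? Visit our <a href="https://www.examplebank.com/help">Help center</a>
or <a href="https://www.examplebank.com/login">www.examplebank.com</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Hostname of a URL, or of bare text like 'www.examplebank.com/login'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (a simplification; real checks would use
    the public suffix list so that e.g. co.uk is handled correctly)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_deceptive_links(html: str) -> list:
    """Return links whose visible text looks like an address on one site
    while the href actually leads to a different site."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        # Only judge anchors whose visible text is itself an address;
        # plain words like "Help center" make no promise about the target.
        if "." not in text or " " in text:
            continue
        shown, actual = host_of(text), host_of(href)
        if shown and actual and registered_domain(shown) != registered_domain(actual):
            findings.append({"shown": text, "actual": href,
                             "reason": "visible address differs from real target"})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: text shows {f['shown']!r} but link goes to {f['actual']!r}")
```

The same comparison is what a careful reader does manually by hovering over a link before clicking; the code just makes it systematic. Links whose visible text is an ordinary phrase are deliberately left alone here, since their text promises nothing about the destination, which is also why the safest reading of rule #2 is to type the bank's address yourself rather than trust any link in the message.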
