Phishing is a fraudulent campaign in which an attacker sends a mass email to business users or consumers, posing as a reputable company or party to win the recipient's trust, create a sense of urgency, and induce the recipient to divulge credentials or send money. Spear phishing is a fraudulent campaign in which an attacker obtains the contact details of an individual, or a group of individuals, with privileged access and uses knowledge of their personal context to craft a message they are likely to act on. This article discusses the differences and similarities between phishing and spear phishing in detail.
What Is Phishing?
Phishing is a fraudulent campaign where a hacker or someone with malicious intent sends out a mass email to business users or consumers, posing as a reputable company/party to win the recipient's trust, create a sense of urgency, and incite the recipient to divulge credential information or send money.
Phishing vs. Spear Phishing vs. Whaling
Generic phishing is not very sophisticated and relies on the credibility of the entity it mimics to trigger a response from the recipient. You could consider generic phishing a sort of "spray and pray" attack, where the attacker reaches out to a very large group of users in the hope that a few individuals will respond.
For example, a hacker might set up a website spoofing a Microsoft URL and send out emails to a database of known Microsoft 365 users that they have obtained from the dark web or a third-party data reseller.
The communication would look something like this:
Suspicious Activity Detected
Please reset your password to maintain access to your account.
OR
Limited time upgrade to <new paid Microsoft product>.
Enter your credit card details to activate.
Some users will double-check the email with official Microsoft sources or with a colleague and immediately detect its fraudulent nature. Those who don't may click the URL and be redirected to a fraudulent website that collects their login credentials or banking information. If a thousand users are targeted by a generic phishing campaign, ten or perhaps fewer will respond, which is still worthwhile for the attacker because sending the message costs almost nothing per recipient.
In comparison, spear phishing is far more targeted. It assumes privileged knowledge or access on the part of the recipient and exploits that context, which increases its chances of extracting data or money from the victim.
What Is Spear Phishing?
Spear phishing is a fraudulent campaign where a hacker or someone with malicious intent gets hold of the contact details of an individual or a group of individuals who have privileged access. The hacker uses knowledge of their personal context to craft a message that has the highest possible chance of garnering a response.
Spear phishing is a subset of the general phishing category of cybersecurity attacks, but it is significantly more sophisticated, better thought out, and more dangerous. Not only does the hacker know exactly who they are targeting, but they also use their knowledge of the intended victim to personalize the message so that the person is very likely to click or respond. By including details such as the name of the company's software reseller or the date of a license purchase, the hacker increases the chances of getting a response.
Continuing our previous example, the hacker could target a single company's IT administrators instead of a random database of Microsoft 365 users. For greater credibility, the hacker would pose as the company's chosen reseller rather than as a generic Microsoft representative.
The message may look something like this:
Your license hasn't been renewed since <actual date of license purchase> – pay now to avoid deactivation.
As you can see, spear phishing and phishing operate on similar principles, but there are several points of difference.
5 Key Differences Between Spear Phishing and Phishing
Phishing differs from spear phishing in five ways: phishing is much older; it targets victims in bulk; it relies significantly on luck rather than on social engineering; it almost always carries a payload, whereas spear phishing often carries none; and a generic phishing attack is likely to cost you less. Let us explore these differences in detail.
1. Origins: Phishing has been around for a longer time than spear phishing
Back in the 1960s and 70s, it was possible to blow a whistle into a phone receiver and trick the long-distance circuit into granting a free call. The technique, known as phone phreaking, exploited the network's in-band signalling by reproducing the 2600 Hz supervisory tone, so the switch believed it was hearing its own equipment. Modern phishing works on the same principle of impersonation: the hacker pretends to be somebody else to dupe the recipient. The phishing technique as we know it was first described in a paper delivered to the 1987 International HP Users Group, Interex.
Throughout the 90s, there were several instances of AOL phishing where an attacker would pose as a staff member and ask users for their credentials via instant messaging.
Spear phishing is a far more recent phenomenon. In 2007, attackers who broke into TD Ameritrade's database were unable to acquire all of the information they wanted, so they launched a follow-up spear phishing campaign against the customers whose contact details they had stolen. Since then, spear phishing has steadily grown in popularity, with more and more enterprises becoming targets of highly sophisticated, non-generic attacks.
2. Attack vector: Phishing is enacted en masse vs. more targeted spear phishing
This is probably the biggest difference between phishing and spear phishing.
The target population is much larger in a typical generic phishing attack, which could be aimed at either consumers or business users. There is a commonality between the victims, for example they might all be Microsoft users or Amazon customers, but it is a broad commonality, without any specific context on individual backgrounds.
Spear phishing has a narrower, more specific target. Even when it is sent to a large group of victims, they will all have some form of privileged access in common. The hacker might target all the IT administrators of a company, all newly hired employees (who are especially vulnerable to social engineering because they do not yet know who is who), or a specific function such as the stakeholders in accounts payable.
3. Target psychology: Spear phishing banks on social engineering, not luck
The psychology behind spear phishing is also different from a generic phishing campaign. The hacker knows (or at least has an accurate estimate of) what would drive the intended victim to action.
A newly hired employee would feel compelled to respond to an HR instruction to submit employee data. An accounts payable stakeholder might be motivated to clear an invoice payment quickly if instructed by a supervisor, without double-checking the details for fear of missing a deadline. An IT administrator might be persuaded to enter payment details on a fraudulent page if there is a promise of saving on the IT budget.
Crafting the message in a manner that taps into a victim's individual psychological drivers is called social engineering, and it is a large part of carrying out a spear phishing campaign.
A generic phishing campaign, on the other hand, tries to take advantage of general human psychological drivers, such as our urge to act when presented with an urgent situation, our desire to save or gain from discounts wherever possible, and our aversion to conflict or challenging scenarios. A generic phishing campaign therefore presents the victim with a carrot or a stick, without any individualized knowledge of what motivates them.
4. Technology: Phishing relies on malicious links vs. zero payload spear phishing
The technology and the technique used in phishing and spear phishing can also differ. Generic phishing typically relies on a link or an attachment. Opening the attachment (or forwarding it so that someone else opens it) may install malware on the victim's machine; the link may lead to a website that asks the user for login credentials or banking details under the guise of a legitimate provider.
Either way, a generic phishing message almost always carries a "payload" in the form of a link or file, because a message with no personalization has little else to work with: it cannot talk the recipient into acting on its own, so it needs a mechanism that harvests credentials or runs code.
In spear phishing, on the other hand, payload-less or zero payload attacks are much more common. In these cases, the hacker doesn't try to redirect the victim or get them to install anything on their system. Instead, the message itself instructs the recipient to carry out an action.
For example, someone posing as the VP of accounts could email an accounts payable professional who is on holiday and urge them to clear an invoice by wiring funds to the account details given in the email. The recipient, who is on vacation and therefore unlikely to spend much time double-checking, simply wires the amount from the company's account. These are called zero payload attacks because no file or hyperlink is involved, which also means there is nothing for an attachment scanner or URL filter to catch; the remaining defences are sender authentication, a process that requires out-of-band confirmation of any payment request or change of bank details, and the recipient's own scepticism.
Do keep in mind, however, that although relatively rare, there are zero payload generic phishing attacks and spear phishing attacks with a payload as well.
5. Cost: A single spear-phishing attack will cost you $1.6 million on average
In terms of the costs you incur, spear phishing differs from generic phishing. Research suggests that a single instance of spear phishing can cost you $1.6 million on average. Because the attacker targets individuals with ready access to funds or information, the chance of a successful compromise (and therefore of incurring that cost) is high.
The cost of generic phishing is more difficult to calculate, as there are numerous victims involved. Even if each victim pays out a small sum of money, the hacker stands to gain a large cumulative sum. The difference is essentially in who bears the cost. The cost of generic phishing is borne by multiple individuals, both consumers and business users, who act on the attacker's message.
Spear phishing, on the other hand, typically costs the company directly: fraudulent fund transfers, damage to business reputation, loss of customer trust (the attack usually implies that employee contact information has already been breached), and disruption to business continuity while you reset systems and passwords.
5 Key Similarities Between Spear Phishing and Phishing
Phishing is similar to spear phishing in terms of the channel of communication, the type of deception involved, victim psychology, the need for action, and protective measures. Let us look at these similarities in more detail.
1. Channel: Email is the most dominant channel for both
Although phishing began in AOL instant messages and chat rooms, email has become the dominant channel for phishing campaigns of all kinds. This is because email is nearly ubiquitous, used by roughly half of the global population.
Consumers rely on email for transactional communications from their online service providers, making it an easy target. Business users frequently share sensitive information through email, and business email addresses are easy to spoof if you know the domain name, unless the domain publishes and enforces sender authentication (SPF and DKIM with a DMARC policy of quarantine or reject) and the receiving mail server honours it.
Voice phishing (vishing) over the telephone and phishing via text message also exist, but again they are used by both generic and targeted campaigns.
2. Deception: All phishing attackers impersonate someone else
The second similarity between phishing and spear phishing is that both rely on impersonating a trusted party to deceive the victim. The impersonation is more targeted and better informed in spear phishing, while generic phishing relies mostly on impersonating the domain name or brand of a trusted company. The core principle remains the same: lure victims into a state of trust and confidence without raising suspicion, so that they take action without verifying further.
3. Victim experience: The "bait" in both cases relies on a sense of urgency
The psychological experience of the victim is similar in both cases. Both phishing and spear phishing victims act out of a sense of urgency. How that urgency is created differs, but victims are made to feel that there will be a negative consequence or a missed opportunity if they do not act on the sender's instructions immediately. This taps into the innate desire for self-preservation and self-improvement, which is why nearly every type of phishing message contains a time-bound instruction.
4. Action: Both attack types require the intended victim to act on the instruction
As an extension of the previous similarity, one should note that both types of attack need participation and active involvement from the victim. There are other cybersecurity attacks where a hacker takes advantage of a system vulnerability or exposed cloud resources to acquire data, or installs a malicious application in the background while the user downloads legitimate software. Unlike phishing, these attacks don't need any explicit action or involvement from the victim.
In the case of phishing, the user must read or hear the message, understand the instructions, believe it is genuine, and act on it for the attack to succeed. This factor also makes phishing difficult to report, as users feel they are "at fault" and hesitate to admit that they were deceived.
5. Protection: Email filters, pentesting, and awareness training can protect from both
The measures you can take to protect against phishing and spear phishing are largely similar.
- Email filters: Strong email filters flag communication that looks suspicious because of poor grammar, unusual phrasing, or unknown file attachments, and they verify SPF, DKIM and DMARC so that a message claiming to come from your own domain is rejected or quarantined when it fails authentication. Filters can also tag mail originating outside the organization with an external-sender banner, which exposes an attacker who spoofs a known colleague's display name on an outside address. Note that authentication alone proves only that the named domain sent the message, not that the domain is trustworthy; an attacker's own lookalike domain will pass.
- Pentesting: Penetration testing or pentesting involves an external entity adopting a "hacker mindset" and trying to break into your systems. Also known as ethical hacking, it can simulate various attack types, including phishing and spear phishing. The testers execute both the technical and the social engineering aspects of the attack to find hidden weaknesses in your filters, your processes and your people.
- Awareness training: Security awareness training is one of the most effective ways to stave off phishing attacks, because they cannot succeed without the user's participation. Awareness training teaches users how to spot email fraud, how to handle and report a suspicious message, and where to ask for help. It also shows how attackers exploit human psychology.
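The checks described under "Email filters" above, together with the payload versus zero-payload distinction from difference 4, can be expressed as a small scoring script. The Python below is an added example written for this article, not any product's filtering logic or code from the original page. The protected domain (example.com), the staff directory, the brand list and the three sample messages are all constructed; the regular expressions are illustrative keyword lists, not a production ruleset.

```python
# Added example: score raw email messages for phishing / spear-phishing indicators.
# Domain, staff directory, brand list and sample messages are constructed for this illustration.
import re
import textwrap
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"                           # assumed: our own mail domain
STAFF = {"dana cho": "dana.cho@example.com"}              # assumed: display name -> real address
BRANDS = {"microsoft": ("microsoft.com", "office.com")}   # assumed: legitimate brand domains

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent\w*|immediately|today|within 24 hours|deactivat\w*|suspend\w*|pay now)\b", re.I)
PAYMENT_RE = re.compile(r"\b(wire|bank details|account number|iban|invoice|credit card)\b", re.I)


def auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts stamped by our inbound mail server."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def lookalike(url):
    """True when the host borrows a brand name but is not one of that brand's domains."""
    host = (urlparse(url).hostname or "").lower().replace("0", "o").replace("1", "l")
    for brand, domains in BRANDS.items():
        if brand in host and not any(host == d or host.endswith("." + d) for d in domains):
            return True
    return False


def analyse(raw):
    """Return sender, payload type and indicator flags for one RFC 5322 message."""
    msg = message_from_string(textwrap.dedent(raw).lstrip(), policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rpartition("@")[2].lower()
    flags = []
    if from_dom != INTERNAL_DOMAIN:
        flags.append("external-sender")                   # what an external-sender banner keys on
    elif any(auth_results(msg).get(k) != "pass" for k in ("spf", "dkim", "dmarc")):
        flags.append("internal-domain-auth-fail")         # claims our domain, failed authentication
    known = STAFF.get(name.strip().lower())
    if known and known != addr.lower():
        flags.append("display-name-impersonation")        # a colleague's name on a foreign address
    reply = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        flags.append("reply-to-mismatch")                 # replies are diverted to the attacker
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    urls = URL_RE.findall(text)
    if urls or list(msg.iter_attachments()):
        payload = "link-or-attachment"                    # classic generic-phishing payload
        if any(lookalike(u) for u in urls):
            flags.append("lookalike-url")
    elif PAYMENT_RE.search(text):
        payload = "zero-payload-payment-request"          # BEC-style instruction, nothing to scan
    else:
        payload = "none"
    if URGENCY_RE.search(text):
        flags.append("urgency")
    return {"from": addr.lower(), "payload": payload, "flags": flags}


# Constructed samples: a generic credential lure, a zero-payload BEC lure, a spoofed-domain lure.
GENERIC = """
    From: Microsoft Account Team <account-security@microsoft-verify.net>
    Subject: Suspicious Activity Detected
    Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
    Content-Type: text/plain; charset="utf-8"

    Please reset your password immediately at http://micros0ft-verify.net/reset
    to maintain access to your account.
    """
SPEAR = """
    From: Dana Cho <dana.cho.vp@fastmail-relay.example>
    Subject: Urgent: supplier invoice before end of day
    Content-Type: text/plain; charset="utf-8"

    I'm travelling and can't take calls. Please wire the outstanding invoice
    payment today to the account number the supplier sent and confirm when done.
    """
SPOOFED = """
    From: IT Licensing <licensing@example.com>
    Reply-To: renewals@example-licensing.net
    Subject: Licence not renewed - pay now to avoid deactivation
    Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail
    Content-Type: text/plain; charset="utf-8"

    Your Microsoft 365 licence has not been renewed. Pay now at
    http://example-licensing.net/renew to avoid deactivation.
    """

if __name__ == "__main__":
    for label, raw in (("generic", GENERIC), ("spear", SPEAR), ("spoofed", SPOOFED)):
        print(label, analyse(raw))
```

Three points the output makes that the bullet list does not: the generic lure passes SPF, DKIM and DMARC because the attacker owns microsoft-verify.net, so authentication only helps when combined with the lookalike and external-sender checks; the spoofed message claims the organization's own domain and is caught purely by the authentication failure, which is why a DMARC reject policy matters; and the spear-phishing message has no link and no attachment, so the only signals left are the colleague's name on a foreign address, the payment wording and the urgency, which is exactly the case that needs a payment-verification process rather than a scanner.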
These are the five ways in which phishing and spear phishing resemble each other, alongside the five ways in which they differ. Let us look at an example of each.
Examples of Spear Phishing and Phishing
Given that phishing is said to be responsible for 93% of all email breaches, there are plenty of examples of both phishing and spear phishing campaigns in recent history.
Last month, a police investigation in Australia revealed that a 31-year-old Ukrainian citizen residing in the country had been running a huge phishing operation for the last few years, affecting people in 11 countries. This single operation was responsible for 50% of all phishing attempts against Australians in 2019. The hacker built phishing kits and distributed them to other cybercriminals, facilitating the theft of millions of dollars from ordinary citizens who were duped into revealing their bank login details.
This is a classic example of a phishing campaign's potential reach and of why it needs to be detected early to prevent major losses. It also highlights the reluctance of individuals to come forward and the difficulty of tracing the origin of attacks, precisely because of their generic nature.
In contrast, spear phishing is much more targeted, and hackers put a lot of effort into personalizing the message to persuade the recipient to act. Consider, for example, the recent spear phishing attack that impersonated Ajour Lingerie in the weeks leading up to Valentine's Day.
The attacker sent an email carrying a harmless PDF, styled as an order confirmation, to gain the recipient's trust. If the recipient followed the embedded website link and clicked through to the contact page, they were served an Excel sheet whose macros downloaded the BazaLoader malware.
In this spear phishing attack, the hacker took the following social engineering measures to deceive recipients:
- There was a non-malicious PDF attachment mentioning the customer order number and purchased items.
- The website link led to a meticulously crafted page, complete with the logo and the right design aesthetic.
- While the address was incorrect, the hacker was careful to select a real address where there was another store in the same category.
- The malware would be installed only if the user tried to track their product location or status — something we all check during a gifting deadline.
As these two examples show, the operational details of phishing and spear phishing differ substantially, even though the underlying mechanics are shared.
Takeaway
Proofpoint's latest report reveals important trends in phishing, which continues to be a popular attack tactic. 74% of U.S. organizations experienced a successful phishing attack in 2020, a 14% increase over the previous year. Over 75% said they faced generic phishing attacks, successful or not, making it the most common threat type globally.
Targeted phishing, while less common in terms of volume, was faced by 66% of companies and carries a greater risk. Worryingly, just 41% of organizations currently give additional training to the employees who are specifically targeted by phishing attempts.
As these trends suggest, phishing in general and spear phishing in particular (as well as associated attacks like whaling and business email compromise, or BEC) should be on your radar for 2021. Measures to protect against phishing, particularly security awareness training, which nips the problem in the bud, should be a top priority on the road ahead.