How does spear phishing work?

I don’t know about you, but until recently fishing was something you did with a rod and reel, and spearfishing involved a spear gun and a wetsuit, usually on some tropical beach. Ever since the f got swapped for a ph, though, the result is anything but fun.



Phishing (with the ph) is when an attacker sends you e-mails or calls you to try to get you to click on a malicious link, visit a malicious website or run a malicious application. Spear phishing is the next step in that evolution: the attacker first gathers whatever information they can find about you and then uses it to make the phishing message look more real and more relevant to you.

For spear phishing, the attacker’s best tool is social media and what you post on it. They read through what you have put up and look for anything they can use to trick you. As an example, suppose your LinkedIn profile says you used to work at XYZ Corporation and you are connected to Fred Smith, who worked at XYZ Corporation at the same time. The attacker may create a new Gmail account made to look like Fred Smith’s. They may then see from Fred Smith’s LinkedIn profile that he is connected to Sue Jobs, who also worked at XYZ Corporation at the same time. From the newly set up Gmail address they can send you an e-mail, pretending to be from your old colleague Fred Smith, saying that Sue Jobs has been in a major accident, that all her friends and colleagues are sending their best wishes on the linked page, and that donations towards her hospital costs can easily be made by credit card on that page.

The link takes you to a domain the attackers own, where any credit card details you enter are harvested for their own use. They also get confirmation that your e-mail address is live, and will probably repeat the process with the roles of Fred Smith and Sue Jobs swapped around.
Other things that may be used are the photos from the holiday you just had in Queensland with your family. If your public Facebook profile has a number of photos of you and your family outside the Smith Hotel at Broadbeach, the attackers may send an e-mail pretending to be from the Smith Hotel, claiming that they found a child’s jacket (described from one of your photos) left in your room, and asking you to fill in your details on the linked form so they can organise to have it delivered back to you. That gives them your home address and personal contact details, which can be sold or used in future attacks.

Even something as simple as an “Out Of Office” message can give an attacker several ways to approach you. Say your out-of-office message was something like:

You have contacted Joe Michaels of ABC Corp. I am currently on leave until the 27th of March. In the interim, please contact my assistant Simon Black on or 9877 9877.

When you are back in the office, the attackers could then call you and start talking about how they were working with Simon last week on a new project and just need a few details from you to move it along. Your title is in your mail footer, so they know your role and can make the project something relevant to it. They will make it sound big, but there will be some dire reason for urgency: if they can’t get the details now, it will all fall through. They will often direct you to a website they own, or send through an e-mail with a link to it while you are still on the phone. Because the e-mail arrives while the caller is talking to you, most people check it far less thoroughly than they would an unexpected e-mail.

They will also often combine information from multiple sources (your LinkedIn, Facebook and “Out Of Office” message, say) to make the attack look more real.
You don’t have to be a CEO or board member to be attacked in this way. If an attacker can compromise anyone in an organisation, they can use what they learn there to move up the chain to someone of more value to them. And if you are a CEO or board member, you will be more trusting of an e-mail that comes (or appears to come) from a staff member, especially when the reply address, footer and writing style all match that person.

These are the basics of spear phishing, but the bad guys are already improving on these attacks. Some of the newer variations include:
Whaling – spear phishing aimed at senior executives, the “big fish”, usually by an attacker who understands that role well enough to make the approach convincing.
Clone phishing – the attacker takes a legitimate e-mail you have already received and resends it, usually changing only the link to click and perhaps the date (for example, a password expiry notice or a competition “second chance draw”).
Common things to look out for that help with spotting these include:

  • Spear phishing will almost always involve something urgent; people in a rush aren’t as thorough and often miss details they would otherwise notice.
  • It will come from addresses that aren’t quite the ones you know, but have been made to look like them.
  • It will often have a sending address that differs from the reply address (when you hit reply, the address doesn’t match the From address).
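As an added example (not part of the original post), here is a small Python script that checks an e-mail’s headers and wording for the warning signs listed above: a Reply-To that differs from the sender, a sender domain that is a near-miss of one you know, a named person writing from a free webmail account, and urgency wording. The domain names, the word list and the three sample messages are constructed for the example and are not real mail; abccorp.example stands in for the organisation’s real domain.

```python
# Added example (not from the original post): header and wording checks for the
# warning signs listed above, run over constructed sample messages. Domain names,
# word lists and the messages themselves are assumptions made for the example.
import email
from email import policy
from email.utils import parseaddr

KNOWN_DOMAINS = {"abccorp.example"}                       # your organisation's real domains (assumed)
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # anyone can register these in minutes
URGENT_WORDS = ("urgent", "immediately", "today", "asap", "expires", "final notice")


def edit_distance(a, b):
    """Levenshtein distance; one or two edits between domains is the classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def check_message(raw):
    """Return a list of 'code: detail' findings; an empty list means nothing stood out."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)

    # 1. Replies would go somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"reply-to-mismatch: replies go to {domain_of(reply_addr)}, not {from_dom}")

    # 2. Sender domain is a near-miss of one we trust (abbcorp vs abccorp).
    if from_dom not in KNOWN_DOMAINS:
        for known in sorted(KNOWN_DOMAINS):
            if edit_distance(from_dom, known) <= 2:
                findings.append(f"lookalike-domain: {from_dom} resembles {known}")

    # 3. A named person writing from a throwaway webmail account.
    if from_name and from_dom in FREE_WEBMAIL:
        findings.append(f"free-webmail: '{from_name}' is writing from {from_dom}")

    # 4. Manufactured urgency in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENT_WORDS if w in text]
    if hits:
        findings.append("urgency: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail), mirroring the scenarios in the post.
FRED_SMITH_LURE = """\
From: "Fred Smith" <fred.smith.xyz@gmail.com>
To: joe.michaels@abccorp.example
Subject: Sad news about Sue Jobs
Content-Type: text/plain; charset=utf-8

Hi Joe, Sue Jobs has been in a major accident. All her old XYZ colleagues are
leaving best wishes and donations at http://sue-jobs-recovery.example/ - please
do it today, the hospital needs payment urgently.
"""

LOOKALIKE_PRETEXT = """\
From: "Simon Black" <simon.black@abbcorp.example>
Reply-To: abccorp.projects@outlook.com
To: joe.michaels@abccorp.example
Subject: Project details needed immediately
Content-Type: text/plain; charset=utf-8

Hi Joe, the new rollout is at risk unless I get a few details from you. Please
fill in the form at https://abccorp-projects.example/form before it expires.
"""

LEGIT_MAIL = """\
From: "Simon Black" <simon.black@abccorp.example>
To: joe.michaels@abccorp.example
Subject: Notes from Monday's meeting
Content-Type: text/plain; charset=utf-8

Hi Joe, here are the notes from Monday. Let me know if I have missed anything.
"""

if __name__ == "__main__":
    for label, raw in [("Fred Smith lure", FRED_SMITH_LURE),
                       ("lookalike pretext", LOOKALIKE_PRETEXT),
                       ("legitimate mail", LEGIT_MAIL)]:
        print(label, "->", check_message(raw) or ["no findings"])
```

Running it prints the findings for each sample: the “Fred Smith” lure is flagged for free webmail and urgency, the lookalike pretext for the Reply-To mismatch, the near-miss domain and urgency, and the legitimate internal mail for nothing. In practice you would feed it a saved .eml file and tune the word list, but the header checks are the ones worth teaching people to do by hand: hover over the sender’s address and look at where a reply would actually go before you answer.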

If you are ever in doubt about an e-mail, ask your IT team. They should always be happy to check it for you; a quick check is much better than cleaning up after a data spill or a ransomware (crypto locker) event.
I hope that this information may help to keep you safe out there.




Posted by James Russell
