Spear phishing attacks are specific phishing attacks that target individuals through malicious emails. Businesses are frequently targeted as they are used to working with large amounts of money and have multiple employees to target. 

As the name suggests, spear phishing is highly targeted around specific people or groups. Fraudsters will spend a lot of time and research creating very sophisticated emails or messages, pretending to be someone else to trick the reader. In comparison, a standard phishing message will be sent out to thousands of people in the hope that a small percentage of them will click on a link. 

A spear phishing message could look like a regular piece of communication from a client or a contact, but its contents closely imitate a genuine message, making it very hard to spot. 

Fraudsters can use social media to gather a lot of information about your business and employees. They can now also use AI to scan through lots of information and create compelling communications that appear to be completely legitimate. This is why it’s important to know what is publicly available information about your organisation and employees and carefully consider what you share publicly. For example, posting an innocent picture of your holiday on LinkedIn would show that you are out of the office and give the attacker valuable information that you are not at work. 

Only 18% of businesses had tested employees with phishing simulation exercises, found the latest Government Cyber Security Breaches Survey. Yet phishing is by far the most common form of cyber breach, with 84% of businesses stating they have identified breaches or attacks, related to phishing in the last year. 

Some examples of spear phishing attacks:

• Fake invoices or requests for payment

• Business email compromise or spoof emails from owner, directors or CEO of the business 

• Linking to fake websites, with similar domain URLS or domains that are hidden through URL shorteners

• Fraudster posing as a customer service operative from a well-known company 

• Impersonating security alerts 

• Spoofing business services, such as delivery companies with fraudulent links

• Charitable requests 

• Fake job offers through LinkedIn 

• Fraudsters using social media to befriend people and then defraud them 

Not only is it important to ensure that your employees fully understand how to spot a phishing or a spear phishing attack, but it’s also really important to ensure you understand how to protect your business from being imitated by fraudsters. 

What to do if you receive a spear phishing attack and have clicked through on a link:

• Contact your IT team (if you have one) 

• Report it to Action Fraud in the first instance 

• If you believe the device now has malware, disconnect your device from the internet

• Check your banking to see if any unrecognised money has left the account. If you’re concerned about a specific transaction, call your bank immediately (making sure you look up the correct number).  

• If you have clicked on a link to a spoofed website, then log into the genuine website and change your password to a very secure one. 

• Ensure you have backups of all of your work documents and data and that they are kept up to date. 

• Schedule in cyber security training for you and your employees to prevent future attacks

How you can protect your business against spear phishing

The NWCRC allows small organisations to review online information through our affordable Risk Exposure Assessment and Digital Footprint Assessment to help them understand the risks of publicly available information, alongside Security Awareness Training and Simulated Phishing Exercises to help build resilience in your organisation.