Phishing vs. Spear Phishing: What's the Difference?
Phishing and spear phishing are email impersonation attacks. Learn about the difference between the two and how to prevent both.
- Spear phishing is a more targeted, sophisticated version of phishing that typically seeks bigger payoffs.
- Spear phishing uses social engineering tactics to impersonate colleagues, clients, and vendors.
- Awareness training remains the first line of defense against phishing and spear phishing, and should involve all levels of the organization, including top management.
- Technology tools provide protection by scanning and filtering malicious emails, applying advanced techniques such as behavior analytics, artificial intelligence, and machine learning.
What is Phishing?
Phishing is a type of cybercrime where attackers pose as a trusted or legitimate business to dupe an individual into sharing information such as bank account numbers, credit card details, login credentials and other sensitive data, and/or to download a phishing virus onto the user's computer.
At this point, most organizations, and even everyday users, are familiar with phishing. Many have received those email messages claiming to bear a prize or warning of an imminent account lockdown, then asking them to click on a link or download a file. The standard phishing scam usually involves spamming email boxes by the thousands to get users to send money, reveal personal information, or unwittingly download malware onto their company’s network.
What is Spear Phishing?
Spear phishing, also known as business email compromise (BEC), is a more specialized attack that uses personal information, gleaned from online sources such as social media and caches of stolen identities sold on the Dark Web. What makes spear phishing attacks differ from standard phishing attacks is the use of emails that impersonate a colleague or client, sometimes including a familiar-looking address or website.
What is Whaling?
“Whaling,” also known as CEO or CFO fraud, is an even more specialized kind of spear phishing using emails that claim to come from top company officers or other “big fish.” These might ask for sensitive data or request payment of a fake invoice or a wire transfer to an account controlled by cybercriminals.
Understanding the Difference Between Phishing and Spear Phishing
While most phishing casts a wide net that relies on volume emails, hoping for a few unlucky takers, spear phishing, as the name implies, is a more targeted crime. Phishing emails can often be spotted easily by checking the sender’s email address; a string of random letters and numbers is a dead giveaway.
Not so with spear phishing, which makes sophisticated use of social engineering for BEC. These attacks rely on spoofing real email addresses or taking over unused email accounts of legitimate users — including emails of former employees that were not inactivated — to impersonate clients, colleagues, or vendors.
Spear phishing and BEC outcomes can be costly. Some attackers steal network access credentials in this way, then inject malware and ransomware into the organization’s network. In other cases, attackers may intercept supplier emails to glean accounts payable information and divert payments to their own accounts. They may spoof the addresses of top managers to send fraudulent emails. Or they may use compromised credentials to hijack company email accounts.
While standard phishing is a volume business, spear phishing goes big; cybercriminals use it as a tactic for stealing large sums or mounting ransomware attacks. Not coincidentally, some of the most damaging cyberattacks have been a result of spear phishing exploits.
Phishing and Spear Phishing: A Bigger Threat Than Ever
Phishing has become a fact of life for organizations. Fully 96% reported being targeted by phishing attacks with malicious links or attachments last year, in Mimecast’s State of Email Security 2022 survey. Spear phishing is not far behind, with 92% of survey respondents reporting BEC and impersonation attempts.
BEC is the costliest cybercrime in the U.S. Over $43 billion was reported lost to BEC scams from mid-2016 to the end of 2021, the FBI recently announced, which only gives a sense of the problem, since not all successful attacks are reported. According to How to Reduce the Risk of Phishing and Ransomware, a Mimecast-commissioned report from Osterman Research, nearly half of the companies polled reported that phishing emails had caused malware infections and compromised their accounts. The survey found 53% of companies suffered a BEC attack that tricked at least one low-level employee and 28% suffered a BEC attack that tricked a senior staffer.
The pivot to remote work during the COVID-19 pandemic created a prime opportunity for cybercriminals, who used the emergency as bait in many of their messages and took advantage of security lapses among staff working from home. In 2021, the Mimecast Threat Center found employees worldwide clicking on malicious URLs inside emails three times more often than they had before the pandemic.
How to Protect Your Organization from Phishing and Spear Phishing Attacks
Stopping phishing and spear phishing requires a multilayered approach and buy-in across the organization, including:
- Awareness training: This remains the first line of defense against phishing and spear phishing for most organizations. The Osterman report put training second only to multifactor authentication (used to stop fake credential use) as the most effective cybersecurity measure. Security training can teach staff how to spot phishing emails to avoid suspicious-looking links or attachments that could carry malware. It can train them to spot signs of a spear phishing attack and double check those requests for information or payment before fulfilling them. Training should include all members of the organization and partners who have access to the company network. With the proliferation of BEC involving top management, the C-suite should also keep up their training.
- Email filters: Security tools can scan incoming emails in real time using blocklists of email addresses or allowlists of secure sites to keep users from clicking on links to suspicious websites. They can also look over archived emails to defend against malware lurking in unopened mail and dormant mailboxes. Some filters can isolate suspect emails in a sandbox where they are safely scanned before being delivered, and an attachment can be transcribed into a safe file that will neutralize any malicious code it carries. Tools incorporate intelligence about new scams to head off emerging threats. Some filters leverage machine learning to improve their automated threat detection.
- Behavior analytics: Impersonation scams such as CEO fraud require a more sophisticated level of email vetting than needed to prevent run-of-the-mill phishing attacks. Filters leveraging behavioral analytics can help stop whaling by searching the address information and content of messages for signs of social engineering techniques common to spear phishing attacks and to spot activity that diverges from a user’s common behavior, such as emails sent from a device or location not associated with that user. With the use of artificial intelligence and machine learning, these tools can also adapt to keep up with emerging threats.
The Bottom Line
The difference between phishing and spear phishing may come down to numbers — as in, high-volume, low-dollar phishing attacks vs. low-volume, high-dollar spear phishing exploits. But both threats present a real and growing security problem. Awareness training is still the first line of defense to prevent all forms of phishing, but security technology keeps evolving to defend in real time against both phishing and spear phishing. The important question is not phishing vs. spear phishing, but defending the organization vs. taking a chance. Learn more about Mimecast’s defenses.
 “Business Email Compromise: The $43 Billion Scam,” FBI
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!