Spear Phishing Attacks


Spear Phishing Definition

Spear phishing is a common type of cyber attack in which attackers take a narrow focus and craft detailed, targeted email messages to a specific recipient or group. 这就要求攻击者研究他们的目标,找到重要的细节,让他们的信息看起来可信——所有这些都是为了欺骗和诱骗有价值的目标点击或下载恶意的有效载荷, or into initiating an undesired action such as a wire transfer.

Spear Phishing vs Phishing vs Whaling

Spear phishing attacks may target just one organization at a time, or even specific teams within one organization. When spear phishing attacks get even more granular, they often go after the biggest possible targets with a laser focus, such as C-level executives or senior managers; this kind of hyper-specific phishing attack is colloquially called a whaling phishing attack.

While, on the other hand, standard phishing attacks 以影响尽可能多的目标为目标,假设一些用户可能会成为诡计的受害者. 这些类型的攻击更为普遍,潜在的攻击者只需较少的努力和输出就可以破坏目标, 而不是试图对高级管理人员或特定组织进行网络钓鱼.

When a criminal sends a phishing email, they cast as wide a net as possible in the hopes of making a catch. To do this, 他们发送垃圾邮件,试图说服不知情的用户点击恶意链接或附件, often while pretending to be from a legitimate source, all in hopes of obtaining sensitive information or valuable credentials.

长期以来,网络钓鱼攻击一直很普遍,因为它们的部署成本很低, yet still effective enough to be lucrative. But as email security becomes more sophisticated, common phishing tactics are becoming easier to flag, 即使是那些到达预定目的地的网络钓鱼邮件也不足以有效地欺骗警惕的用户.

因此,攻击者正在采用新的策略,使他们的网络钓鱼邮件更可信. 最初的网络钓鱼方法——广泛撒网——正在让位于专注于使用真实细节来使潜在受害者相信其合法性的方法. Spear phishing is just one term for this attack style.

Who Does Spear Phishing Target and How Does It Work?

Enterprises are especially susceptible to spear phishing attacks, 因为他们公司的很多数据通常都可以在网上免费获得,攻击者可以在没有任何危险信号的情况下进行挖掘. 公司的官方网站可能是公司特定技术细节和术语的金矿, key company personnel, customers, events, or even the names of internal software tools. Social networks like Facebook, Twitter, 和领英通常不仅提供工作地点的个人信息, or where they've worked in the past, 但是,攻击者只需粗略地搜索一下,就能轻易地发现公司的等级制度.

In a spear phishing email, 这些在网上免费提供的小细节可以帮助攻击者在他们的电子邮件中散布姓名, places, 或者使用足够有效的术语来说服原本精明的电子邮件收件人点击恶意链接. 该链接可能会将他们发送到一个准备捕获敏感内部凭据的网站, 因此,攻击者可以在公司网络上自由漫游,窃取知识产权或客户数据.

For example, by knowing how an organization's internal email addresses are structured, the names of account managers (handily self-identified through LinkedIn), a key customer name (on the company blog), and who the head of sales is (on the corporate website), 攻击者可以制作一封令人信服的电子邮件给整个账户管理团队, purportedly from the head of sales, about an urgent issue relating to one of their biggest customers.

这封电子邮件可能会说,收件人需要在他们公司内部网的一个特定链接上查看备忘录——这个链接看起来很像他们的内部网门户,但实际上是一个恶意的诱饵版本,目的是捕获用户名和密码. 在报税季,金融团队经常成为鱼叉式网络钓鱼攻击的目标, 假装是公司首席执行官或首席财务官发来的,需要紧急审核W2文件. 

How to Prevent Spear Phishing Attacks

所有打击网络钓鱼的常见智慧也适用于鱼叉式网络钓鱼,并且是防御这类攻击的良好基线. 永远不要点击电子邮件中的链接是防止网络钓鱼类攻击可能造成的损害的铁律. That said, 因为鱼叉式网络钓鱼是一种更复杂的老式网络钓鱼攻击, 组织将需要确保他们的政策参考这些更先进的策略,并实施更强大的解决方案,以帮助员工进行相应的防御.


  • 提醒员工时刻警惕带有未经请求的附件和链接的电子邮件, 并发送鱼叉式网络钓鱼危险的提醒,特别是在敏感事件(如.g. after big announcements) or times of year (e.g. tax season).
  • 部署威胁情报解决方案,使用开源和商业威胁情报馈送来实时跟踪和阻止正在使用的网络钓鱼和鱼叉式网络钓鱼活动链接.
  • 实施网络钓鱼意识培训计划,让员工全年牢记防范鱼叉式网络钓鱼的良好安全措施.
  • 使您的员工能够报告可疑的网络钓鱼消息,以便您的团队可以阻止当前针对您组织的鱼叉式网络钓鱼活动.

A robust phishing awareness training program goes beyond classroom training. 最好的培训项目还会定期部署模拟网络钓鱼“测试”,,即向公司员工发送令人信服(但无害)的鱼叉式网络钓鱼邮件. If an employee falls for the phishing attempt, 他们将能够第一手了解这些活动的有效性以及未来需要寻找的内容,同时在受控环境中保持组织数据的安全.

In the fight against spear phishing, employees are the front line, 这就是为什么每个组织都可以从网络钓鱼意识培训项目中受益的原因 phishing protection 让他们的员工保持敏锐,时刻警惕这种不断演变的攻击.