Spear Phishing Examples to Watch for at Home and Work

September 17, 2020 • April Miller


One of the most challenging aspects of cybersecurity is that online criminals continually tweak their tactics to increase the likelihood of fooling a larger number of people. Spear phishing shows that approach in action. Let’s take a look at what it is, then go over some spear-phishing examples that you may encounter while at home or work.

What Is Phishing?

Phishing is a type of cybercrime that occurs when a person creates a message that impersonates a legitimate individual or company to try to get sensitive details from the recipient.

The goal is to trick as many people as possible with this method. The messages will usually address you as “Dear customer” or something similarly vague. They also do not include specific details. Some of the bogus messages could relate to things like: 

  • Unpaid invoices
  • Frozen accounts 
  • Contest winnings
  • Past-due taxes
  • Incoming shipments
  • Payroll updates
  • Compromised bank accounts
  • Job offers

How Does Spear Phishing Differ From Phishing?

Spear phishing also aims to get sensitive details from victims, and the formats could be the same as those on the list above. However, it’s different from phishing due to the highly targeted methods used. For example, you might get a spear-phishing email at work that includes your first or full name and tells you to provide information related to a genuine shipment that’s on the way.

Most successful spear-phishing attacks require the perpetrators to conduct careful research to make the messages seem as realistic as possible. They often use social engineering methods to make the recipients believe the content has so many accurate details that it couldn’t be anything other than real. If cybercriminals target groups with this method, all the recipients have something in common, such as working at the same company. 

Now that you know what spear phishing is and how it’s different from standard phishing attacks, let’s look at some spear phishing examples to make you more aware of this internet crime and how it manifests. 

Encouraging People to Check Their Medical Test Results

Some spear-phishing campaigns don’t target specific individuals, but they aim to lure people from certain industries. Such was the case with a malicious email message claiming to contain the results from an HIV test. The emails also had a virus-filled Excel attachment that would let a hacker take total control of an infected system. 

A cybersecurity researcher who helped uncover this scheme said it did not appear that the criminals had access to the victims’ medical history. Evidence suggested, though, that the perpetrators focused on people from particular sectors.

One telltale sign of the fakery with this attempt was that those behind it misspelled the name of the health facility that supposedly sent the messages. Another warning sign of this spear phishing campaign and many others was the focus on urgency.

People who received this message and did happen to get tested for HIV would almost certainly click on the email. Those who didn’t might open it anyway out of curiosity.

Tricking Workers With Form-Based Phishing Attacks

Researchers have also noticed an uptick in spear phishing associated with online forms, such as those seemingly originating from Google. A team found that such attempts comprised 4% of all spear-phishing attacks in the first quarter of 2020. 

One possible reason for the prevalence is that more people are working from home and are more reliant on collaboration and file-sharing software. Remote working means people don’t have IT staff members nearby whom they can ask if anything seems amiss.

This type of form-specific approach is harder to detect than some other spear-phishing examples, too. That’s because cybersecurity experts determined that it shows up in several ways. 

In one case, people arrive at a bogus site after clicking on a real link for a trustworthy service. A redirect link makes individuals end up on the harmful site, which requests that they provide information to view a file. Another version of the attack had perpetrators using well-known form builders to create misleading login pages that stole credentials. 

Spear Phishing Awareness and Safety

The spear-phishing examples above are only a sampling of the tactics cybercriminals concoct to fool their victims. Here are some message characteristics that are cause for concern:

  • Spelling and grammar errors
  • Warnings that you must act immediately
  • Requests to click a link or download a file
  • Instructions to provide personal information

Keep in mind that a spear-phishing email could target only you, people in your department, those working in the whole company or individuals in particular industries. Specificity is the main factor separating spear-phishing campaigns from generalized phishing attempts.

The top thing you can do to stay protected against spear phishing is not to act hastily. Even if the message you get concerns an urgent matter, take the time to contact the sender through a separate channel to confirm its legitimacy.

For example, if you receive an email from your bank asking you to provide details to restore your account, contact the financial institution by phone before taking any action associated with the email itself. Do not reply to the message to ask if it’s real.

Spear phishing is becoming an increasingly popular way for online criminals to get valuable but private details from the people they target. Staying abreast of new tactics as they emerge is an excellent commitment to make moving forward.