Spear phishing 101

Roughly 70-80% of recipients will click on a spear phishing email. These messages are targeted, specific, and close to indistinguishable from legitimate ones.

Moni has done her homework and learned that spear phishing is the way forward

For phishing awareness training or just for a chat, get in touch with us at main@cybermonkey.net.au

Code Monkey Cybersecurity’s Phishing Awareness Training
The Basics: $12.99 per person, per month, or $10.99 per person, per month (paid annually - save 15%)
✓ One simulated phishing email to each staff member approximately every 10 days
✓ Monthly reporting & analysis
✓ Free 1hr initial onsite education and introduction
✓ Simulated phishing attempts tailored to you based on publicly

This builds on the foundations we covered in Phishing 101:

Phishing 101
Phishing 101. What is it? Why should you care? How can training help?

Now, let me build on that foundation to explain spear phishing. If regular phishing is like commercial fishing with a large net, spear phishing is like spearfishing - targeting a specific fish with precision. This is where things get more sophisticated and dangerous.

Spear phishing rests on two things: reconnaissance and personalization. Unlike mass phishing campaigns that send generic messages to thousands of people, spear phishing involves researching specific individuals or organizations and crafting highly personalized attacks. The attacker might spend weeks or months gathering information about the target from social media, company websites, breached databases, or other sources.

Here's why spear phishing is so much more effective: when you receive an email that references your recent project, mentions a colleague by name, uses company-specific terminology, and appears to come from your boss's actual email address, your guard naturally drops. Questioning every single communication would be exhausting, so we rely on these contextual clues to judge legitimacy - and attackers know this.

Let me give you a concrete example to illustrate the difference. A regular phishing email might say "Dear Customer, your PayPal account needs verification." A spear phishing email might instead say "Hi Sarah, following up on our discussion at yesterday's marketing meeting about the Q3 campaign budget. I need you to review these invoices before I present to the board tomorrow. - John (sent from my iPhone)." The second one uses specific names, references real events, implies realistic urgency, and even includes touches like the mobile signature to explain away any formatting oddities.
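The contextual cues in that message are the part you notice; the headers are where the check lives. Below is an added example (not from the original post) in Python that parses a constructed message modelled on the "Hi Sarah" email and flags the header-level signs the body is designed to make you skip: a From address on the company's domain that the Return-Path and DMARC verdict do not back up, a Reply-To on a lookalike domain, urgency wording, and the mobile-signature excuse. A second, legitimate message is included for contrast. The domain examplecorp.com, the lookalike examp1ecorp.com, the names and every header value are made up for illustration.

```python
"""Spear-phish indicator check: added example, not part of the original post.

Both messages below are constructed for illustration. Domains, names and
header values are invented; examplecorp.com stands for the recipient's company.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAIN = "examplecorp.com"  # assumed: the recipient organisation's own domain

# Constructed spear phish: the From header shows the boss's real address, but the
# bounce address and DMARC verdict say otherwise, and replies go to a lookalike.
SAMPLE_SPEAR_PHISH = b"""Return-Path: <bounce@mail-sender.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-sender.example; dkim=none; dmarc=fail header.from=examplecorp.com
From: John Smith <john.smith@examplecorp.com>
Reply-To: John Smith <john.smith@examp1ecorp.com>
To: Sarah Jones <sarah.jones@examplecorp.com>
Subject: Q3 campaign invoices - need your review before the board tomorrow
Content-Type: text/plain; charset=utf-8

Hi Sarah, following up on our discussion at yesterday's marketing meeting
about the Q3 campaign budget. I need you to review these invoices before I
present to the board tomorrow.

- John (sent from my iPhone)
"""

# Constructed legitimate message from the same sender for contrast.
SAMPLE_LEGIT = b"""Return-Path: <john.smith@examplecorp.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examplecorp.com; dkim=pass header.d=examplecorp.com; dmarc=pass header.from=examplecorp.com
From: John Smith <john.smith@examplecorp.com>
To: Sarah Jones <sarah.jones@examplecorp.com>
Subject: Q3 campaign budget - notes from yesterday
Content-Type: text/plain; charset=utf-8

Hi Sarah, notes from yesterday's marketing meeting are on the shared drive.

John
"""

URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|today|tomorrow|end of day)\b", re.I)
MOBILE_SIG = re.compile(r"sent from my (iphone|android|mobile)", re.I)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address like 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def looks_alike(candidate: str, legit: str) -> bool:
    """Crude lookalike test: digit-for-letter swaps and rn/vv for m/w."""
    if candidate == legit:
        return False
    norm = candidate.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return norm == legit


def auth_results(msg) -> dict:
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


def spear_phish_indicators(raw: bytes, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return human-readable indicators found in one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_domain = _domain(str(msg.get("From", "")))
    reply_domain = _domain(str(msg["Reply-To"])) if msg.get("Reply-To") else from_domain
    return_domain = _domain(str(msg["Return-Path"])) if msg.get("Return-Path") else from_domain

    if from_domain == org_domain:
        # Claims to be internal: the envelope and the gateway's verdict must agree.
        if return_domain != org_domain:
            findings.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")
        verdicts = auth_results(msg)
        if verdicts.get("dmarc") != "pass":
            findings.append(f"DMARC did not pass for {from_domain} (dmarc={verdicts.get('dmarc', 'absent')})")
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
        if looks_alike(reply_domain, org_domain):
            findings.append(f"Reply-To domain {reply_domain} is a lookalike of {org_domain}")

    body = msg.get_body(preferencelist=("plain",)).get_content()
    if URGENCY.search(body) or URGENCY.search(str(msg.get("Subject", ""))):
        findings.append("Urgency language in subject or body")
    if MOBILE_SIG.search(body):
        findings.append("Mobile signature used to excuse formatting oddities")
    return findings


if __name__ == "__main__":
    for label, raw in (("legitimate", SAMPLE_LEGIT), ("spear phish", SAMPLE_SPEAR_PHISH)):
        found = spear_phish_indicators(raw)
        print(f"{label}: {len(found)} indicator(s)")
        for item in found:
            print("  -", item)
```

Two caveats for anyone turning this into a real filter: Authentication-Results is only trustworthy if your own gateway added it, so inbound copies of that header must be stripped or renamed before it is stamped, otherwise an attacker simply includes a "dmarc=pass" line of their own; and once a domain enforces DMARC, spoofing its exact From address stops working, which is why attackers shift to lookalike domains and display-name tricks like the Reply-To above.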

Figures reported from breach investigations and phishing simulations show how devastatingly effective this is: the success rate climbs from around 3% for generic phishing to over 70% for well-crafted spear phishing, in line with the 70-80% figure above. Spear phishing exploits not just general human psychology but specific trust relationships and organizational dynamics.


Next, you'll want to know about Whaling:

Whaling 101
If you haven’t read Phishing 101 or Spear Phishing 101, you’ll want to do that. Now for the apex predator of phishing attacks - whaling. Following our fishing metaphor, if phishing catches whatever swims by and spear phishing targets specific fish, whaling goes after the biggest catches of all: senior
