Phishing vs spear phishing – in what ways are these two types of phishing similar, and what are the differences between them?
If you are reading this, you probably already have some familiarity with phishing, if not through personal experience, then through hearing phishing mentioned and referenced by others around you and in popular culture. Unfortunately, phishing attacks are a very common occurrence – and as the technology we all use every day evolves, so do the ways in which cyber criminals are able to carry out successful phishing attacks.
Any and all forms of phishing are attempts by cyber criminals to gain access to an intended victim’s sensitive information. This could include their bank account details, login credentials, social security numbers or other personal, identifying information. The primary goal of phishing attackers is usually to steal from their victims, but in some cases the motivating factor can be a desire to blackmail or spy on the victim for other reasons. Regardless, falling victim to a phishing scam is something we should all do our best to avoid.
Throughout this article, we are going to discuss the characteristics, techniques and agendas behind both spear phishing and regular phishing attacks, as well as look at what you can do to protect yourself against becoming the victim of malicious hackers.
Top 3 VPNs to protect yourself against phishing and spear phishing
One of the most important measures you can take to avoid becoming the next victim of a phishing or spear phishing attack is to sign up with a reputable VPN provider.
Our top three suggestions are ExpressVPN, CyberGhost and NordVPN. All three are premium VPNs, offering you unparalleled security as you browse and use the internet – without having to worry about hackers being able to harvest any of your data or track your activities.
Regular phishing attacks
Most of us have probably encountered regular phishing in the course of our day-to-day lives. Regular phishing, or just phishing, is a phishing attack in which the cyber criminal is simply ‘trying their luck.’ They might send out thousands of emails or thousands of automated phone calls all in one go, hoping that a certain percentage of the targeted victims respond and fall for the scam.
Phishing emails are the oldest and most common weapon to be found in the cyber criminal’s arsenal. Thanks to advances in technology, phishing criminals are now able to send out thousands of phishing emails in one go. What this means is that phishing emails are impersonal, and they can be thought of as hooks thrown out by a fisherman in the hopes that a fish will take the bait and bite.
Phishing emails contain malicious links that, if you click on them, will take you to a fake website where you will be asked to put in your personal, sensitive data – i.e. the data that the cyber criminals want to steal so that they can use it to empty out your bank account, claim social security benefits on your behalf, or otherwise use and abuse it for their own ends.
In some cases, phishing emails may contain malware or spyware that will self-install on your computer if you click any links within the scam email.
Phishing phone calls
Phishing phone calls are another common technique used by cyber criminals to get people to divulge their confidential information.
Just as is the case with phishing emails, phishing phone calls are usually sent out to hundreds or thousands of prospective victims at once, rather than being targeted at any one specific individual. And just like the emails, phishing phone calls are designed to convey a sense of urgency. The scammer impersonates an authority figure and asks the victim to take action – immediately.
Spear phishing attacks
Spear phishing attacks use all of the same techniques as regular phishing attacks, with the crucial difference being that spear phishing attacks are targeted attacks on individuals.
Spear phishing attacks are aimed at specific, individual persons, rather than being aimed at a large prospective victim pool. For this reason, spear phishing attacks are often carefully designed and well-executed. Spear phishers are often more experienced and better at their craft than regular phishing scammers.
And not only that – a spear phishing scammer may take months or even years to slowly build the scam and spin a web of believable lies around their victim.
Spear phishing emails
Just like regular phishing attackers, spear phishing attackers use emails as an important part of their campaign to trick victims.
Spear phishing emails differ from phishing emails by being much more convincing and well put together. Regular phishing emails can be clumsy, full of grammatical and spelling errors, and addressed to no one in particular. Spear phishing emails, on the other hand, will use your name, and often convey a sense of familiarity.
Spear phishers may use a spoofed email address or the stolen email address of the company executive you work for. Spear phishers are, quite frustratingly, known for exploiting existing trust structures and professional relationships in order to get what they want.
Spear phishing phone calls
Spear phishing attacks are often long and drawn out, slowly progressing from one carefully thought out stage to the next, until the professional scammer has got you cornered.
Most spear phishing attacks utilise various channels and technologies to trick you, rather than relying on just one. In other words, a spear phishing scammer is unlikely just to email you, or just to call you. An initial email will often be followed up with a phone call.
Speaking to a real human on the phone is one of the fastest ways to establish trust, and unfortunately phishing scammers do not shy away from using this to their advantage. On the phone, the scammer may impersonate one of your business acquaintances, a prospective new employer, or someone else you are likely to comply with when they request your personal data.
How to avoid getting phished and spear phished
Fortunately, many regular phishing scams are relatively easy to spot. A phishing email attack will often contain multiple spelling mistakes, bad grammar and other signs of sloppy execution. The same is sometimes true for phishing phone calls.
Having said that, cyber criminals always make use of social engineering techniques to get their victims to act fast and overlook any warning signs or alarm bells. Phishing scammers often impersonate authority figures from banking societies or government agencies. By pretending to communicate on behalf of a trusted and well-known organization, such as the IRS, a scammer may sometimes successfully trick their victim into quickly acting as the scammer wishes: by clicking a malicious link, by inputting credit card details on a fake website, or by divulging other sensitive data over the phone.
Get a VPN
The best way to stop a phishing attack from happening is to prevent hackers from being able to harvest your contact details in the first place. The best way to do this is to sign up with a VPN provider. VPN stands for virtual private network, and a VPN service allows you to access and use the internet without any fear of having your sensitive information collected by bad actors.
A good VPN encrypts all of your personal data and disguises your location – all of the things that a prospective scammer might latch onto and use to contact you in the first place. Our top recommendations for trustworthy VPN services are ExpressVPN, CyberGhost and NordVPN.
Security awareness training
If you are a business owner, you need to make sure your colleagues and workers are all clued in on the cyber security risks posed by current technology and the scammers who are all too happy to take advantage when and where they can.
Putting your employees through security awareness training is always going to pay dividends in the long run.
Stop and think before you act
Some spear phishing campaigns can be very, very difficult to spot, but if you ever receive a strange email or a phone call asking you for your sensitive data, stop and consider whether you might be the intended victim of a phishing or spear phishing attempt.
Even (or particularly) if the email or the phone call you receive conveys a sense of urgency, you should always stop and think before you call back or click any links. Take a few moments to research where the email or the phone call may be coming from.
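The warning signs described in this article (a spoofed or lookalike sender address, urgent wording, and a link that leads somewhere other than where it claims) can be checked mechanically before anyone clicks. The following is an added example, not part of the original article; the trusted-domain list, the keyword list, the names `triage` and `LinkCollector`, and the sample message are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(urgent|immediately|right away|final notice)\b", re.I)
DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

# Constructed sample message (not a real email); .test domains are reserved.
SAMPLE = """From: "Your CEO" <ceo@examp1e-corp.test>
Subject: Urgent: wire transfer needed

<a href="http://login.examp1e-corp.test/verify">www.example-corp.test</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, lower-cased visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).lower()))
            self._href = None

def triage(raw, trusted_domains):
    """Return the warning signs found in one raw email (hypothetical helper)."""
    msg, findings = message_from_string(raw), []
    sender = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    if sender not in trusted_domains:        # lookalike or unknown sender domain
        findings.append("sender-domain-not-trusted")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        findings.append("urgency-language")
    parser = LinkCollector()
    parser.feed(body)                        # body is scanned as HTML
    for href, text in parser.links:          # domain shown vs real destination
        host = urlparse(href).hostname or ""
        shown = DOMAIN.search(text)
        if shown and not ("." + host).endswith("." + shown.group(0).removeprefix("www.")):
            findings.append("link-text-mismatch")
    return findings
```

Calling `triage(SAMPLE, {"example-corp.test"})` flags all three signs, because the sender and link both use `examp1e-corp.test` (digit 1) while the visible link text shows `example-corp.test`.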
Phishing vs spear phishing FAQ
What is the difference between phishing and spear phishing or whaling?
Phishing, or old-school phishing, if you will, is a type of phishing where the scammer sends out thousands of emails, voice phishing phone calls or text messages, hoping that some of the potential victims take the intended action (this could be opening a malicious attachment within the email or giving the scammer a call back and divulging sensitive data over the phone).
Spear phishing is a more malicious type of phishing, because the scammer targets a specific intended victim, rather than sending out text messages, emails and phone calls at random. Spear phishing attacks are often very well executed, with the scammer sometimes taking months or even years to slowly steal sensitive data from their victim, until they are in a position to initiate illicit money transfers, blackmail the victim or even steal the victim’s identity.
Finally, whaling phishing is a form of spear phishing where the targeted attack is launched on a particularly lucrative or famous person or business. In other words, whaling phishing attacks target big game.
What are 4 types of phishing?
The four most common types of phishing are regular phishing (often just called phishing), spear phishing, whaling phishing and smishing (also called SMS phishing).
Regular phishing attacks mostly take the form of emails or automated phone calls sent out to thousands of random people. Spear phishing uses the same techniques, but rather than going after a large batch of potential victims, the scammer goes after a specific person. Spear phishing attacks are usually much better executed and more carefully thought out than regular phishing attacks.
Whaling phishing attacks are the same as spear phishing attacks, but with a bigger victim and a bigger prize. Spear phishing attacks tend to target regular individuals, but whaling attacks might target wealthy or famous individuals or organizations.
Finally, smishing is a phishing technique where the scammer tries to get their intended victim/s to divulge their personal, identifying data via text messages.
Are you protecting yourself and your business from phishing and spear phishing attacks?
If not, then you certainly should be, as professional scammers may already be collecting your personal data and tracking your online activities and contacts.
There are two ways to protect yourself against professional scammers. One is to sign up with a reputable VPN, to limit scammers’ ability to track and steal any of your sensitive data and prevent them from being able to find and contact you in the first place. The other is to learn what you can about the specific techniques and methods professional scammers use, so that you, hopefully, become able to spot and prevent a phishing attack from happening if one is launched at you.