Legal Definitions - Spear phishing
Definition of Spear phishing
Spear phishing is a highly targeted form of cyberattack where an attacker sends a fraudulent email or message to a specific individual, group, or organization. Unlike general phishing, which casts a wide net, spear phishing messages are meticulously crafted to appear legitimate and relevant to the recipient, often leveraging personal details or professional context to build trust. The primary goal is to trick the recipient into revealing sensitive information, clicking a malicious link, downloading malware, or performing an action that benefits the attacker.
Example 1: Corporate Finance Department
An attacker researches a company's executive structure and sends an email to the Chief Financial Officer (CFO) that appears to come from the Chief Executive Officer (CEO). The email urgently asks the CFO to authorize a wire transfer to a new vendor for a critical project, citing a tight deadline and a need to bypass standard approval processes. The attacker has likely gathered information about ongoing projects or company initiatives to make the request seem plausible.
This illustrates spear phishing because the attack is specifically directed at the CFO, impersonates a known authority figure (the CEO), and uses a contextually relevant and urgent request (wire transfer for a project) to manipulate the recipient into taking a specific action that would financially benefit the attacker.
Example 2: University Student Data
A university student receives an email that looks like it's from their academic advisor, referencing a specific course they are enrolled in. The email states there's an urgent issue with their registration for that course and asks them to click a provided link to "verify their details" immediately to avoid being dropped. The link, however, leads to a fake university login page designed to steal their student credentials.
This is a spear phishing attempt because it targets a specific individual (the student), uses a personalized sender (their academic advisor), and leverages relevant information (a specific course and registration issues) to trick the student into revealing their login credentials.
Example 3: Government Contractor Employee
An employee working for a defense contractor receives an email seemingly from a colleague in a different department, with whom they have previously collaborated on a project. The email contains an attachment labeled "Updated Project Specifications - [Project Name].docx" and asks the recipient to review the changes. Unbeknownst to the employee, the attachment contains sophisticated malware designed to infiltrate the company's network once opened.
This exemplifies spear phishing because the attacker targets a specific employee within a sensitive organization, impersonates a known colleague, and uses a relevant and seemingly harmless document title related to their work to induce them to open a malicious file, aiming to gain unauthorized access to the contractor's systems.
Simple Definition
Spear phishing is a targeted cyberattack where a fraudster sends a highly personalized, fraudulent email to a specific individual, group, or organization. The aim is to deceive the recipient into divulging sensitive personal or professional information. Its tailored nature distinguishes it from broader phishing attacks.