According to the Ministry of the Interior, one in five crimes is committed online. In 2022, the State Security Forces and Corps recorded 375,506 cybercrimes, 72% more than in 2019, the reference year before the COVID-19 pandemic. Most of these take the form of computer scams and fraud, with 336,778 reports of this type of offence.
Of all these cyberthreats, phishing is one of the most frequent cyberattacks. According to the APWG’s Phishing Activity Trends Report, in 2021 phishing attacks reached an all-time high, with more than 300,000 attacks recorded in December. The report reveals that this crime has tripled in less than two years.
However, phishing is nothing new: the term was coined in 1996 in a Usenet newsgroup. Spear phishing is more recent, emerging around 2003, when scams began to single out specific users rather than organisations as a whole.
What is phishing?
Phishing is a type of computer scam based on social engineering. It consists of sending mass e-mails that impersonate companies or public bodies. These fraudulent e-mails ask the recipient for personal or banking details, such as an online banking password or a credit card number.
At first glance, a phishing e-mail is difficult to detect, because the cybercriminals give it a corporate look by copying the logo and visual identity of the company or official body they are impersonating. There are, however, tell-tale signs: grammatical errors, attachments carrying malicious software such as ransomware, or links to suspicious websites. These artefacts can also be of great value in a judicial investigation.
What is spear phishing?
Spear phishing is a targeted form of phishing. It also tries to trick the victim with well-crafted spoofed e-mails, with the aim of capturing sensitive data such as bank account credentials. These e-mails likewise carry malicious links and files which the recipient downloads unwittingly, giving the attacker access to the user's device.
In this case, the victim is carefully studied for weeks or even months: the cybercriminal gathers information about the victim's habits and interests in order to tailor the scam to that individual.
Differences between phishing and spear phishing
Both scams are based on social engineering and are not limited to e-mail: they can also arrive via SMS (so-called smishing), social networks, messaging platforms and even by voice (vishing), and in every case they impersonate a trustworthy entity. The main difference between phishing and spear phishing lies in the target of the attack.
Phishing is not a one-to-one strategy: attackers craft a single e-mail and send it indiscriminately to a large number of users. Spear phishing, in contrast, is fully personalised and is sent to a small number of users, or even to a single person or company. Because of that personalisation it is harder to detect, as it appears far more credible.
The cybercriminals behind spear phishing collect data on the target over a period of time, analysing social networks, forums, blogs and other digital media. It is therefore more complex to execute, since a strategy must be established beforehand. For the same reason it has a higher success rate, as the target is more easily tricked.
As for the tone of the message, spear phishing uses a style familiar to the user. Phishing, on the other hand, is generic, using a formal, protocol tone that follows the corporate identity of the impersonated company.
How can you protect yourself against fraudulent mail?
First of all, to avoid phishing or spear phishing, read the message carefully. Most users do not have specialist cybersecurity knowledge, but there are some tell-tale signs of a fraudulent e-mail. Many of these messages contain spelling mistakes or grammatical errors, although a well-crafted spear phishing message may contain none, so a clean message is not proof of legitimacy.
Both scams often contain links that download and install malicious software on the recipient's device in order to steal information. It is therefore essential not to click on links in suspicious e-mail; if the address shown as link text differs from the address the link actually points to, treat the message as fraudulent.
Disclosing confidential personal or business data should also be avoided. E-mail is an essential tool nowadays but, as a precaution, confidential or sensitive data should not be exchanged by e-mail unless you are completely sure of the source of the message.
Implementing cybersecurity strategies and training employees and users helps organisations take preventive measures against these attacks. Such strategies should include anti-phishing and anti-spam solutions, so that as many threats as possible are blocked before they reach the user.
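The checks described above (a link whose visible text does not match its real target, a sender that does not match the reply address, and an attachment carrying malicious software) can be automated as a first-pass triage of an incoming message. The following is an added example written for this page, not code from the original article or from any anti-phishing product. The function and constant names (`triage_email`, `SAMPLE_EMAIL`, `RISKY_EXTENSIONS`) and the sample message, including its sender, reply address, domains and attachment name, are all constructed for the demonstration; it uses only the Python standard library and does not attempt spell-checking, which is left to the reader.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing message): the display name claims
# to be a bank, the Reply-To domain differs from the From domain, the link
# text shows one address while the href points to a punycode lookalike host,
# and an executable hides behind a ".pdf.exe" double extension.
SAMPLE_EMAIL = """\
From: "Banco Ejemplo Security" <alerts@banco-ejemplo-verify.com>
Reply-To: refunds@mailbox-relay.example
To: victim@example.com
Subject: Urgent: your account has been suspendet
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear costumer, verify you account within 24 hours:</p>
<a href="http://xn--bnco-ejemplo-5fb.com/login">https://www.banco-ejemplo.com/login</a>
</body></html>
--b1
Content-Type: application/octet-stream; name="Statement.pdf.exe"
Content-Disposition: attachment; filename="Statement.pdf.exe"

dummy
--b1--
"""

# Constructed benign message used to show that a plain e-mail raises nothing.
CLEAN_EMAIL = "From: alice@example.com\nTo: bob@example.com\nSubject: lunch\n\nSee you at 13:00.\n"

# Attachment extensions that execute code directly on a Windows desktop.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso"}


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value):
    """Domain part of an address header, lower-cased; '' if absent."""
    addr = parseaddr(str(header_value))[1] if header_value else ""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage_email(raw: str) -> list[str]:
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Replies that go somewhere other than the claimed sender are a classic sign.
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = _LinkExtractor()
            parser.feed(part.get_content())
            for href, text in parser.links:
                href_host = _host(href)
                # Internationalised (punycode) hosts are a common lookalike trick.
                if href_host.startswith("xn--") or ".xn--" in href_host:
                    findings.append(f"punycode (IDN) host in link: {href_host}")
                # Link text that looks like a URL but resolves elsewhere.
                if re.match(r"https?://", text):
                    shown_host = _host(text)
                    if shown_host and shown_host != href_host:
                        findings.append(f"link text shows {shown_host} but points to {href_host}")
        elif part.get_filename():
            name = part.get_filename().lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"executable attachment: {name}")
            elif name.count(".") > 1:
                findings.append(f"double extension attachment: {name}")
    return findings


if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run against `SAMPLE_EMAIL` the function reports the Reply-To mismatch, the punycode host, the link-text/target mismatch and the executable attachment; against `CLEAN_EMAIL` it reports nothing. These heuristics raise suspicion rather than prove fraud, and the converse also holds: a spear phishing message with a plain-text body, a consistent sender and no attachment passes every check here, which is why the user's own scrutiny and the organisational measures above remain necessary.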