Spear Phishing Attacks: Targeted Email Fraud Explained

Common Tactics

• • Research targets extensively through LinkedIn, corporate websites, and social media to gather names, titles, relationships, current projects, and communication styles, then incorporate this information into emails that appear internally generated.
• • Impersonate executives or high-ranking officials by creating nearly identical email addresses (changing one character or using different domains) and mimicking writing styles to request urgent wire transfers or sensitive information from subordinates.
• • Compromise legitimate email accounts through previous breaches, then use these authenticated accounts to send malicious requests to contacts, exploiting established trust relationships within organizations.
• • Time attacks strategically around end-of-quarter deadlines, holidays, or known business events when targets are rushed or key personnel are unavailable to verify unusual requests through secondary channels.
• • Embed malicious links that lead to convincing replica login pages for Office 365, Google Workspace, or corporate VPNs, harvesting credentials when victims attempt to authenticate, then using stolen access for further attacks.
• • Create elaborate pretexts involving ongoing projects, vendor relationships, or regulatory compliance requirements that pressure targets to act quickly without following normal verification procedures or obtaining additional approvals.

How to Identify

• Email addresses that closely resemble legitimate corporate or colleague addresses but contain subtle differences like extra characters, misspellings, or alternative domains ([email protected] instead of @companyinc.com).
• Unusual urgency or secrecy in requests, particularly demands to bypass normal procedures, avoid telling supervisors, or complete actions before specific deadlines without adequate explanation for the rushed timeline.
• Requests for sensitive actions that arrive during off-hours, holidays, or when the supposed sender would normally be unavailable, especially wire transfer requests from executives who claim to be traveling or in meetings.
• Slight inconsistencies in writing style, tone, or formatting compared to how the impersonated person normally communicates, including unusual greetings, signature blocks, or phrasing that seems out of character.
• Login pages reached through email links that have suspicious URLs not matching the official domain (microsof-login.com instead of microsoft.com) or lack proper security certificates (no HTTPS padlock icon).
• Requests referencing projects, relationships, or details that seem accurate but contain small errors, outdated information, or details that could have been gathered from public sources rather than internal knowledge.
• 소셜 미디어, 기업 웹사이트, 공개 기록을 통해 광범위하게 조사한 후 이름, 직책, 관계, 현재 프로젝트, 통신 스타일 등의 정보를 수집하여 내부에서 생성된 것처럼 보이는 이메일에 통합합니다.
• 임원 또는 고위 관계자를 사칭하기 위해 거의 동일한 이메일 주소(한 문자 변경 또는 다른 도메인 사용)를 만들고 작성 스타일을 모방하여 부하 직원에게 긴급 송금이나 민감한 정보를 요청합니다.

How to Protect Yourself

• Implement and enforce multi-factor authentication (MFA) on all email accounts, cloud services, and financial systems to ensure that stolen credentials alone cannot grant attackers access to critical systems or data.
• Establish out-of-band verification procedures requiring phone calls or in-person confirmation for any wire transfers, credential requests, or changes to payment information, using known phone numbers rather than contact details provided in suspicious emails.
• Conduct regular security awareness training that includes realistic spear phishing simulations specific to your organization, teaching employees to recognize personalized attacks and creating a culture where questioning suspicious requests is encouraged.
• Configure email security systems to flag or quarantine emails from external sources that closely match internal addresses, and implement visual warnings on all external emails so recipients can quickly identify correspondence originating outside the organization.
• Restrict publicly available information about organizational structure, employee roles, current projects, and internal processes on corporate websites and social media to limit the intelligence attackers can gather during reconnaissance phases.
• Develop and enforce clear approval workflows for sensitive actions like wire transfers above specific thresholds, vendor payment changes, and access to confidential data that require multiple authorized individuals to complete, preventing single points of failure.

Real-World Examples

Where to Report — United States

Official channels in your region for reporting this scam.