Spear Phishing: Cybercriminals Are Successfully Scamming SMBs

All organizations that will still be around in five years have at least a basic awareness of the threat posed by phishing, the fraudulent practice of sending seemingly legitimate emails to trick their recipients into revealing sensitive information or taking a certain action.

The same organizations, however, often don’t know that phishing attacks have evolved considerably since the early days of Nigerian prince-style email scams. Modern phishing attacks are highly targeted, extremely difficult to detect, and potentially devastating.

The new breed of phishing attacks is so different from early phishing attacks that cybersecurity experts have a rather descriptive name for it: spear phishing.

What Is Spear Phishing and Why Should I Be Worried About It?

Back in the day, phishing attacks were comparable to large-scale commercial fishing operations involving huge nets intended to catch tons of fish in one go. For some time, this type of phishing yielded pretty good results because it was new and because its victims had never encountered it before.

As awareness of phishing increased, cybercriminals started to notice that their huge nets were coming back increasingly empty. Determined to do something about it, they changed their tactics and started focusing on specific, well-researched targets, which is how spear phishing was born.


Kaspersky, a multinational cybersecurity and anti-virus provider, defines spear phishing as an email or electronic communications scam targeted towards a specific individual, organization, or business, often intended to steal data for malicious purposes.

Spear phishing attacks exhibit several distinct characteristics that separate them from old-school phishing:

  • They come from a seemingly trustworthy source (business, colleague, government agency).
  • They are well written and contain relevant information.
  • They are not flagged by email security software as spam.
  • The reputation of the sender’s IP address is good.
  • There are (at least in the early stages) no attachments to download or links to click.

Because of these and other characteristics, spear phishing attacks can be highly effective at tricking even otherwise security-savvy email users into doing something that’s against their best interest.

In fact, an earlier edition of Symantec’s Internet Security Threat Report revealed that spear phishing was the primary infection vector among organized crime actors, employed by 71 percent of groups. Since the coronavirus pandemic forced many organizations to leave their offices and switch to remote working, spear phishing attacks surged in number.


Contrary to popular belief, cybercriminals behind spear phishing attacks don’t throw their spears solely at large enterprises. According to the 2021 State of the Phish Report published by Proofpoint, 35 percent of all organizations have personal experience with spear phishing, and the number doesn’t even include organizations that haven’t realized that they’ve been phished.

Spear Phishing Versus Whaling

Spear phishing goes hand in hand with a cyber threat known as whaling. Essentially, whaling is a subcategory of spear phishing that targets high-level executives instead of regular employees. Typically, the goal is to trick the victim into authorizing wire transfers or disclosing some valuable information.

How Can I Protect My Organization Against Spear Phishing?

Spear phishing attacks are so effective because many organizations, especially SMBs, do very little to protect themselves against them. The good news is that it doesn’t take that much effort to make it substantially more difficult for cybercriminals to get what they want. Here are some concrete steps you can take to better protect yourself:

  • Security awareness training: Spear phishing attacks rely on social engineering to circumvent traditional cybersecurity defenses. To successfully fight them, you need to empower your employees with the knowledge and skills necessary to detect them. Make sure that your security awareness training is more than a once-a-year box tick; otherwise, it’s unlikely to yield the desired results.
  • Open lines of communication: One objective of spear phishing-oriented security awareness training is to teach employees to always verify suspicious requests. That’s easy to do when working in the office, but many organizations have switched to the hybrid work model, so it’s critically important to open additional lines of communication, such as instant messaging and VoIP, over which suspicious requests can be verified.
  • Mind what you share on social media: Reconnaissance is the key to spear phishing, and cybercriminals don’t have to search too much to find what they’re looking for these days. In many cases, there are heaps of information on their targets available on social media sites like LinkedIn, Twitter, and Facebook. Before posting on social media, put yourself in the shoes of a phisher and think about how the information you’re about to post could be used for nefarious purposes.
  • Improve your password security: Internally compromised accounts are responsible for 13 percent of all spear phishing attacks, so strengthening your password security should be your top priority. You can start by updating your password policy so that it reflects the latest password best practices, including the use of multi-factor authentication.
  • Simulate spear phishing attacks: To raise awareness of spear phishing risks and evaluate your ability to defend yourself against them, it’s a good idea to simulate spear phishing attacks, using the same tactics real cybercriminals would use.

As a professional IT service provider with locations in Miami, Orlando, and Tampa, we at BCA can help you implement all of the above-described spear phishing protection steps so that you can maintain focus on what you do best. The only step you need to make on your own is to contact us.