Spear phishing 101

Phishing attacks are now considered to be the most disruptive type of cyber-attack that organisations face, according to the Cyber Security Breaches Survey 2021. One in every 3,722 emails in the UK is now a phishing attempt, according to software company Symantec, so it’s highly likely you’ve received one yourself.




What is a phishing attack?

A phishing attack is where a criminal impersonates a familiar and trusted sender through a legitimate-looking email sent to targeted individuals, which usually asks the recipient(s) to divulge sensitive information or to make a financial deposit.


Does this sound familiar?


You receive an email from your bank saying your business account has been locked, a large payment is waiting, and all you need to do is click the link to reset access.


The bank is the same as your own (your details were taken from an old data breach) and the payment matches a real customer (the same brilliant one you thanked on social media). The link takes you to a fake banking website, and when you enter your details the criminals capture them and use them to access your real account.


Another favourite is the fake email from your boss. Cyber thieves can easily find names on a company website, and if that person has a public social media account and posts about meeting a client or where they will be, this can also be used to craft a convincing attack. When an email lands from them saying, ‘I need this done today – I am out of the office but transfer £10,000 to [client name’s] account now’, do you think you or your colleagues would stop to question its validity?


So where do they get their information from?


- Social media posts – both personal and professional

- Website details – the names and positions of people within the company

- Companies House information

- Previous data breaches – this is very common. Criminals will get hold of personal data and then use that information to compel you to download an attachment or click a link: ‘Dear John, your password THEREDDOG has been compromised. Please click here to reset your password now.’


To help you tackle cyber-attacks such as spear phishing, we have compiled a list of recommendations below:


- Staff awareness training – ensure your staff know what phishing is and the common things to watch out for. The ECRC offers this training as a stand-alone service or through core membership. Corporate and individual internet investigations provide an affordable way to understand what information about you could be used in spear phishing and how to mitigate this. In the meantime, why not take two minutes to read our phishing blog?


- Consider technical controls which will alert you to whether a sender is who they claim to be. Click on the link to learn more about phishing attacks and how you can defend your business.

- Always be cautious of any email which combines urgency with a payment request or a download.


Do get in touch to let us know how we can help you build on your cyber resilience. To keep up to date on the latest threats, sign up to our core membership or explore our other membership packages, which may be better suited to your needs.

The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.