Spear Phishing: How Targeted Email Attacks Lead to Terrible Outcomes
No.. not that kind of spear fishing.
In our previous blog we mentioned the NCSC's warning about phishing attacks. This post follows on from there.
You likely have protections against viruses, hackers, and online fraud (hopefully through Saturday Cloud!). But your employees remain vulnerable to personalised spear phishing emails tricking them into handing over data and access behind the safety gates. Employees, known as Human Firewalls to us, are the first and best line of defense. Two local incidents illustrate spear phishing risks:
A financial executive wired almost £200,000 to criminals after an email seemingly from the CEO demanded an urgent transfer to close an acquisition. It was later found that the CEO’s account had been compromised after the CEO clicked phishing links about bonuses months earlier, giving the attackers access for fraud. The attackers had been monitoring the CEO’s emails for months, waiting for the perfect time to strike.
An administrator at a solicitors' firm entered payroll credentials into an exact replica login page on the web after an email message warned that expired passwords had caused late payments. The database access netted thousands in stolen funds through payroll diversion over months before detection. The bogus email message contained a link to a mock-up webpage that looked almost identical to the web page the solicitors used.
In both cases, savvy doppelganger messages forced quick actions by playing on the victim's emotions, bypassing scrutiny. Even extensive controls can’t stop people from handing the keys to the kingdom over to criminals who persuade just right.
Defending Against Spear Phishing
Multi-layered awareness and systems disempower targeted phishing, including:
Simulated spear phish tests with personalised prep and realism
Policies - having them in place will provide step by step guidance around critical roles (such as payroll)
Automated sender verification like DMARC/SPF evaluations (stops domain spoofing)
Isolating access permissions and verifying changes
Building a resilient culture through continuous training, system checks, verification habits, and privilege control reduces reactionary judgement calls. Spear phishing leverages human trust, an advantage that policies and caution neutralise.
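The automated sender verification in the list above can be illustrated with a short check of the Authentication-Results header that a receiving mail server adds. This is an added example, not code from this blog or from Saturday Cloud; the domain example.com, the server name mx.example.com, the function names and both sample messages are assumptions constructed for illustration. It also shows the limit of the control: a message sent from a genuinely compromised account, as in the first incident, passes DMARC.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). example.com stands in for the
# organisation's own domain; mx.example.com is its receiving mail server.
SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;
 dkim=none; dmarc=fail header.from=example.com
From: "The CEO" <ceo@example.com>
Subject: Urgent transfer to close acquisition

Please wire the funds today.
"""

COMPROMISED = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "The CEO" <ceo@example.com>
Subject: Urgent transfer to close acquisition

Please wire the funds today.
"""

def auth_results(raw, trusted_authserv="mx.example.com"):
    """Return spf/dkim/dmarc results from the header our own server added."""
    msg = message_from_string(raw)
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # ignore headers an outside sender could have forged
        for method, result in re.findall(r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", rest, re.I):
            results[method.lower()] = result.lower()
    return results

def verdict(raw, own_domain="example.com"):
    """Quarantine mail that claims our domain without a DMARC pass."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    res = auth_results(raw)
    if from_domain == own_domain and res["dmarc"] != "pass":
        return "quarantine: From uses our domain but DMARC did not pass"
    if res["dmarc"] == "fail":
        return "quarantine: DMARC fail"
    return "deliver: sender authenticated (content may still be fraudulent)"
```

The second sample is delivered because the sender really is authenticated, which is why payment requests still need the verification habits and policies described above.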
Interested in a free phishing training demo? Contact us at hello@saturday-cloud.com to experience prototyped protections first-hand without risk. You can read more on our training page here: https://www.saturday-cloud.com/cyber-security-training