Book a Demo
Demo Centre

Emma Woods

The Three Stages Of Spear Phishing - Bait, Hook And Catch

With how prevalent phishing is these days, many businesses are starting to take notice of the variety of forms they come in. In this article we take a look at one of the most dangerous - spear phishing.

Spear phishing attacks begin with a bait


Spear phishing is far from shiny and new, nor is its approach to social engineering via electronic means. Regardless, many businesses still don't fully understand the simple, yet deadly, process of these targeted scams. In this blog, we will discuss the steps taken by a cyber criminal to succeed in a spear phishing attack.


"71% of targeted attacks involved the use of spear phishing emails"


Step 1: Penetrate (Bait)

The most effective attacks can come in the simplest of forms. By simply mimicking the normal day to day activities that occur in the victim's role within the business, the attacker hopes for an impulsive ill decision. A prime example of an impulsive decision made takes us back to 2013. The famous Nigerian Prince phishing email that fooled thousands and still does to this day. This style of email is notoriously common and yet so simple - it requires the victim to send money to the cyber criminal, and in return they will be “reimbursed” over time.

There has been a rapid increase in personalised attacks that are becoming extremely difficult to spot, especially for employees who lack security awareness. When employees don’t receive cyber security training they are more susceptible to open any form of phishing emails, even the most common types.

Step 2: Observe (Hook)

This is where the attacker will monitor the account and will keep an eye on the email traffic to learn about the organisation in depth. Whilst the attacker gets to know the organisation this helps the attack to be tailored to the organisation, making it as realistic as possible.Spear phishing is becoming increasingly common

Learning the traffic allows the hacker to determine who has access to what information, such as HR and financial records. This knowledge is then leveraged for the final step of the attack. Sometimes, cyber criminals will even set up forwarding rules so they don’t have to monitor the account like a hawk.

Cyber criminals can be very patient people. The more information they gather from an organisation, the more likely that the attack will be successful.  

One of the simplest things employees can do to protect themselves is with Multi-Factor Authentication. This is essential, as having a single password for an account is not enough as it makes it even easier for a criminal to gain access to it. If Multi-Factor Authentication is enabled the attacker needs to have the two or even three forms of authentication to gain full access. Multi-factor authentication can be used through many different methods such as SMS code, key fobs, phone calls or even a thumbprint. 

Free 2019 Information Security Awareness and GDPR Posters

Step 3: The Attack (Catch)

This is where the attacker gets creative. From all of the information they have on an organisation, they will use this to personalise a phishing email. But first, they have to decide what the goal of the phishing email is. There are numerous goal types of phishing emails. Some common ones are: identity theft, blackmail, stealing a database of customer credit card details or sometimes just for fun.

So, the victim has clicked on the link or opened the attachment - what happens now?

The best thing you can do is be prepared. The cyber criminal now knows you fell victim to their attack, and nothing is stopping them from fooling you again, right? Incorrect, if you follow a few procedures you and your business can stop it from happening again. 

Always report any phishing attempts you encounter 

The Defence:

Where to start? It’s quite simple really, the first thing you need to do is understand the threat. You need to acknowledge that there are too many motives out there waiting for you. Begin with asking yourself with what motivates someone to attack your business? Is it the information you possess, could it be beneficial to competitors or is it just very valuable? As a business owner or an executive you are already a target due to your position, there is a specific term for targeting executives, instead of spear phishing, it is termed ‘whaling’. Once the threat has been understood you can move onto the next step.

1# Your employees

Begin with educating your end users. This can be done with a security awareness training program, that has bite-size modules these will keep your employees more engaged as well as maintaining the information better. Another great way to educate your employee is to phish them again, run a simulated phishing campaign, it allows you to test your employees as well as gaining an insight into which employees fell for the phishing attack. You can run more than one phishing campaign to keep track if your employees are making progress in spotting a phishing email.

2# Authenticate

2FA/MFA is absolutely essential. The password is arguably the most popular and commonly used security measure available but it is also one of the most vulnerable security measures. Anyone who gets hold of your password can simply waltz into your account and take what they need. This is the reason for so many people and companies are adopting MFA. One of the many benefits of MFA is each factor compensates for the weakness of the other factors. It allows you to have an extra layer of security and will certainly protect your account from cyber criminals.


Two-factor or multi-factor authentication are essential security tools 


3# Technology

Make sure you keep your security software up to date, the updates contain important changes to improve performance as well as the security and stability of applications on your device. As well as updating, backups are a must. Data is the most important thing on your device, and backups help to protect and restore your data if something goes wrong. Email spam filters are also very effective at removing the general phishing attacks from your inbox.

Implementing all of these steps into your business will build the ‘security firewall’ your company needs to prevent being a victim of a phishing attack.


Phishing Awareness Kit