Get The Guide

Your Complete Guide To Employee Phishing Scams

Learn the most common types of employee phishing attacks, their main targets, and how you can safeguard your users.

Get The Guide

Emma Woods

The Three Stages Of Spear Phishing | Bait, Hook And Catch

With phishing being annoyingly prevalent these days, many businesses are starting to take notice of the variety of forms they come in.hook in blue ocean


This is especially the case for spear phishing, but how does this attack actually work?

Spear phishing is far from shiny and new, and nor is it's approach to social engineering via electronic means, but many businesses still don't fully understand the simple, yet deadly, process of these targeted scams. In this blog, we will discuss the steps taken by a cyber criminal to succeed in a spear phishing attack.



"71% of targeted attacks involved the use of spear phishing emails"



Step 1: Penetrate (Bait)

The most effective attacks can come in the simplest of forms. By simply mimicking the normal day to day activities that occur in the victim's role within the business, the attacker hopes for an impulsive ill decision. A prime example of an impulsive decision made takes us back to 2013. The famous Nigerian Prince phishing email that fooled thousands and still does to this day. This style of email is notoriously common and yet so simple, it requires the victim to send money to the cyber criminal and in return, they will be “reimbursed” over time.

There has been a rapid increase in personalised attacks that are becoming extremely difficult to spot, especially for employees who lack security awareness. When employees don’t receive cyber security training they are more susceptible to open any form of phishing emails, even the most common types.



Step 2: Observe (Hook)

This is where the attacker will monitor the account and will keep an eye on the email traffic to learn about the organisation in depth. Whilst the attacker gets to know the organisation this helps the attack to be tailored to the organisation, making it as realistic as possible.close up of grey chain and rusty anchor


Learning the traffic allows the hacker to determine who has access to what information, such as HR and financial records. This knowledge is then leveraged for the final step of the attack. Sometimes, cyber criminals will even set up forwarding rules so they don’t have to monitor the account like a hawk.

Cyber criminals can be very patient people. The more information they gather from an organisation, the more likely that the attack will be successful.


One of the simplest things employees can do to protect themselves is with Multi-Factor Authentication. This is essential, having a single password for an account is not enough as it makes it even easier for a criminal to gain access to it. If Multi-Factor Authentication was enabled as the attacker would need to have the two or even three forms of authentication to gain full access. Multi-factor authentication can institute many different methods such as SMS code, key fobs, phone calls or even a thumbprint.


Free 2019 Information Security Awareness and GDPR Posters



Step 3: The Attack (Catch)

This is where the attacker gets creative. From all of the information they have on an organisation, they will use this to personalise a phishing email. But first, they have to decide what the goal of the phishing email is. There are numerous goal types of phishing emails. Some common ones are: identity theft, blackmail, to steal a database of customer credit card details or sometimes just for fun.

So, the victim has clicked on the link or opened the attachment - what happens now?

The best thing you can do is be prepared. The cyber criminal now knows you fell victim to their attack, and nothing is stopping them from fooling you again, right? Incorrect, if you follow a few procedures you and your business can stop it from happening again.



black and white image of a masked man using a laptop 


The Defence:

Where to start? It’s quite simple really, the first thing you need to do is understand the threat. You need to acknowledge that there are too many motives out there and they are armed and waiting for you. Begin with asking yourself with what motivates someone to attack your business? Is it the information you possess, could it be beneficial to competitors or is it just very valuable? As a business owner or an executive you are already a target due to your position, there is a specific term for targeting executives, instead of spear phishing, it is termed ‘whaling’. Once the threat has been understood you can move onto the next step.



1# Your employees

Simply start by educating your end users, this can be done with a security awareness training program, that has bite-size modules these will keep your employees more engaged as well as maintaining the information better. Another great way to educate your employee is to phish them again, run a simulated phishing campaign, it allows you to test your employees as well as gaining an insight into which employees fell for the phishing attack. You can run more than one phishing campaign to keep track if your employees are making progress in spotting a phishing email.



2# Authenticate

2FA/MFA is absolutely essential. The password is arguably the most popular and commonly used security measure available but it is also one of the most vulnerable security measures. Anyone who gets hold of your password can simply waltz into your account and take what they need. This is the reason for so many people, and companies adopting MFA. One of the many benefits of MFA is each factor compensates for the weakness of the other factors. It allows you to have an extra layer of security and will certainly protect your account from cyber criminals.


close up of a black and white keyboard 


3# Technology

Make sure you keep your security software up to date, the updates contain important changes to improve performance as well as the security and stability of applications on your device. As well as updating, backups are a must. Data is the most important of your device, it can be corrupted, backups help to protect and restore your data when something goes wrong. Email spam filters are also very effective at removing the general phishing attacks from your inbox there so simple to set up and free.

Implementing all of these steps into your business will build a ‘security firewall’ your company needs to prevent being a victim of a phishing attack.



Phishing Awareness Kit