A spear phishing attack is one that is targeted towards a single person or a group of people: a personalised attack.
Remember phishing? It’s easy to spot most of the time.
You can easily find key points that expose a phishing attack:
Bad English… Sketchy links… Illegitimate email address… Not referencing the customer’s name… Reported as spam…
The list goes on.
Now imagine this:
You’re working at a high profile, secretive company that is extremely valuable. You use an RFID key card to access the secretive building. The secrets can NOT be leaked.
Recently, you met and became great friends with someone named “Steve”. He’s told you he’s a chef and shares the same interests as you.
You begin to trust him deeply; you’ve known him for half a year. He’s round at yours and has forgotten something in your car, so he asks for your keys. You hand them over without a thought.
He comes back with the forgotten item and everything seems okay.
In the next few days, your company calls you in for an investigation. A critical breach has happened through access with your keycard. Additionally, some of your family members and friends turn up at your door, while others message you, extremely furious, saying that you owe them thousands and that you asked them to lend you large sums. You get blackmail messages and other things. Everything is spiraling out of control…
You know who caused it?
Steve.
His name isn’t Steve. He lied. This was a spear phishing attack.
He had cloned your RFID keycard, had learnt your phone password a few months ago by looking over your shoulder, and had learnt who your family, your friends and those who trust you are through many conversations. From your interests he worked out the password hints to your social media accounts, which allowed him to reset your passwords, and now he’s unleashed everything.
This obviously is very extreme, but that doesn’t mean it can’t happen.
Spear phishing can be a lot worse than phishing, especially if the attacker is playing the long game of gaining your trust. It can still be dangerous in the short term.
They may go after your family and do OSINT to find out all about you and others. They may do physical spear phishing: find out your schedule, sneak into places, attempt to gather as much information as possible, and possibly blackmail you.
There are tons of things that the attacker can go after.
Training for this is extremely important.