Digital Fraud, Data Leakage

Spear Phishing: A Threat Hidden in Your Company’s Email

By Júlia P. on

Imagine receiving a message from a government agency, or from one of the services your company uses, in your professional email. It contains a link to a page that seems to be from the organization, asking you to change your password. Or perhaps you receive an email signed by the CEO of your company, with files to download. Both cases look legitimate and trustworthy, right? Wrong! 

Emails such as these can hide a directed scam that has become one of the phishing trends in 2019 aimed at companies. It’s called spear phishing. It’s a personalized attack, sent via email, that targets an organization or a specific individual. 

The goal of the attackers is to gain access to confidential information or sensitive company data, or to install malware through a file download. It may be as simple as asking for your Windows or G Suite login credentials. With one click, the important data that your company protects so zealously may become exposed.

Spear phishing falls under the category of Advanced Persistent Threat (APT). These are extremely personalized cyberattacks aimed at infiltrating a company’s or organization’s internal network to obtain confidential information. Spear phishing is simply the shortcut used to get at that information.

So, while ordinary phishing uses generic messages to attack a broad base of victims, spear phishing is directed specifically, and is therefore much more difficult to detect than ordinary phishing.


How is spear phishing done?

Using social engineering strategies, cybercriminals look for information to personalize the attack. By researching the targeted employees and the executive they will try to impersonate, the fraudsters manage to discover email addresses, responsibilities and other personal information. This information is often available on the victim’s social network or on the company’s website!

The fraudster can thus make the email appear to be from a trustworthy sender, such as the government or the company itself. According to Barracuda’s Spear Phishing: Top Threats and Trends report, the company brand name is used in 83% of spear phishing attacks. It often appears to be from someone in a position of authority, someone whom the target knows personally, or even a network administrator, which makes the request for confidential information seem reasonable. The writer of the email can address the victim by name or position, and discuss a subject related to the victim’s context or interest, which also increases credibility.

So the attacker writes an email directed at an employee, requesting personal information, or sending an access link or a malicious file. According to the Trend Micro report, companies and government organizations receive spear phishing attacks via attachments in 94% of cases. This is because people normally share files (like reports, documents and resumes) via email, since an Internet download is considered more risky. The file extensions most commonly used in these attacks are those generally used by companies: .RTF (38%), .XLS (15%), .TIF (13%), .RAR (11%) and .PDF (8%).


Once the employee has been hooked

Just one employee needs to fall for the spear phishing trick for the attack to damage the company. The invader may also impersonate that individual to gain access to other levels of confidential data, or even to generate another spear phishing attack in that employee’s name. 

Once an attack has succeeded and the desired information has been stolen, it can be used for all sorts of purposes. Bank wires, identity fraud, revealing company secrets, or even competitive intelligence and price manipulation are a few of the possibilities.


How can this be avoided?

The best way to prevent your company from being affected by spear phishing is through employee training and awareness. Simple habits, such as checking the sender’s actual email address, being wary of links and attached files, and always being suspicious of any request for confidential or personal information, can prevent critical leaks. And, of course, never send the company’s sensitive information by email unless the requester has been verified.
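An added example (not code from the article or from Axur) that applies the three checks above, together with the attachment extensions listed earlier, to a constructed sample message; the company domain, the lookalike sender domain and the keyword list are assumptions:

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types the article's Trend Micro figures call out as most used in
# spear-phishing attachments (.RTF, .XLS, .TIF, .RAR, .PDF).
RISKY_EXTENSIONS = (".rtf", ".xls", ".tif", ".rar", ".pdf")
# Words that signal a request for credentials or confidential data (assumed list).
SENSITIVE_WORDS = ("password", "credentials", "confidential")

def triage_message(raw, company_domain):
    """Return warnings for a raw RFC 822 message: sender address, Reply-To,
    risky attachments, and requests for confidential information."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    display_name, addr = parseaddr(str(msg.get("From", "")))
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # A CEO-style display name means nothing if the address is not the company's
    if addr_domain != company_domain.lower():
        warnings.append(f"sender {display_name!r} uses domain {addr_domain!r}, not {company_domain!r}")
    # Replies silently routed elsewhere are a common impersonation tell
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.lower() != addr.lower():
        warnings.append(f"Reply-To {reply_to!r} differs from From {addr!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            warnings.append(f"attachment {name!r} has a commonly abused extension")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    for word in SENSITIVE_WORDS:
        if word in text:
            warnings.append(f"body mentions {word!r}")
    return warnings

def build_sample():
    """Constructed sample: a 'CEO' message from a lookalike domain with an .xls file."""
    m = EmailMessage()
    m["From"] = '"Jane Doe, CEO" <jane.doe@examp1e-corp.com>'
    m["To"] = "employee@example-corp.com"
    m["Reply-To"] = "finance-desk@mail-example.net"
    m["Subject"] = "Urgent: confirm your Windows password"
    m.set_content("Please open the attached sheet and confirm your password today.")
    m.add_attachment(b"not a real spreadsheet", maintype="application",
                     subtype="vnd.ms-excel", filename="Q3_report.xls")
    return m.as_string()
```

Running triage_message(build_sample(), "example-corp.com") flags the lookalike domain, the divergent Reply-To, the .xls attachment and the password request; a plain internal message with none of these produces no warnings.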

But it’s important to remember that effective monitoring must be done at several levels. Axur uses a modern solution to detect phishing done in the name of your brand. Also, check out our solution for brand misuse and fraudulent brand use and find out everything about the use of your brand on the Internet.



Eduardo Schultze, CSIRT Coordinator at Axur, graduated in Information Security from UNISINOS – Universidade do Vale do Rio dos Sinos. He has worked since 2010 on fraud involving the Brazilian market, mainly phishing and malware.


Júlia P.

Journalism student at UFRGS and an enthusiast of digital transformation in communications. Also a former Brand Protection Intern at Axur, where I analyzed many of the frauds and risks we see here in order to protect companies' image on the web.