Spear phishing differs from general phishing attacks in that spear phishing
A. Contains generic information.
B. Generates average returns.
C. Includes numerous recipients.
D. Requires background research.
Social engineering attacks (eg, phishing, spear phishing) exploit a user's trust by tricking the user into sharing sensitive data or performing specific actions. These attacks may arrive by email, text message (ie, smishing), or phone call (ie, vishing). The attacker sends an authentic-looking, urgent message (eg, "your account is compromised") instructing the victim to take action such as entering credentials or transferring funds. Awareness training, together with an easy way for users to report suspicious messages, is an effective control against social engineering attacks.
Spear phishing is an attack that targets a specific individual. Unlike unsophisticated phishing attacks, spear phishing requires the attacker to research potential targets to gather credible information. This information, which may come from publicly available online sources, is used by the attacker to disguise themselves as a friend, colleague, vendor, or company department (eg, help desk). Whaling is a form of spear phishing that targets high-ranking individuals within an organization.
(Choices A, B, and C) Phishing attacks are sent to a large number of recipients and contain generic information, generating low-to-average returns for the attacker. The term phishing sounds like "fishing," meaning to cast a wide net and see what can be caught. Spear phishing is targeted and well researched in the hope of yielding higher returns (eg, confidential or private information). This is another fishing metaphor, here meaning to pursue individual prey.
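As an added illustration (not part of the original question or its explanation), the script below checks an inbound message for the indicators the explanation describes: a sender who borrows the display name of a colleague or department (eg, help desk) but writes from an outside address, a look-alike of the corporate domain, a Reply-To that redirects answers elsewhere, and the urgency language common to all phishing. The corporate domain, the employee directory, and the three sample messages are constructed for this example.

```python
"""Heuristic spear-phishing indicators for an inbound email.

Added example, not from the original flashcard. The corporate domain,
directory and sample messages are constructed for illustration only.
"""
import email
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                       # assumed corporate domain
DIRECTORY = {                                     # constructed employee directory
    "Pat Lee": "pat.lee@example.com",
    "Help Desk": "helpdesk@example.com",
}
URGENCY = ("urgent", "immediately", "compromised", "suspended", "within 24 hours")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def indicators(raw):
    """Return the list of spear-phishing indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    # 1. Display name of a known colleague/department, but a different address
    if name in DIRECTORY and addr.lower() != DIRECTORY[name]:
        reasons.append("display-name impersonation")
    # 2. Domain one edit away from the corporate domain (eg, a digit 1 for the letter l)
    if domain != CORP_DOMAIN and edit_distance(domain, CORP_DOMAIN) <= 1:
        reasons.append("look-alike domain")
    # 3. Reply-To sends the victim's answer somewhere other than the From address
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        reasons.append("reply-to mismatch")
    # 4. Pressure language typical of social engineering
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(word in text for word in URGENCY):
        reasons.append("urgency language")
    return reasons


# Constructed sample messages (not real traffic).
SPEAR = (
    "From: Help Desk <helpdesk@examp1e.com>\n"
    "Reply-To: it-support@examp1e-verify.net\n"
    "Subject: Urgent: your account is compromised\n"
    "\n"
    "Reset your password immediately at the link below.\n"
)
LEGIT = (
    "From: Pat Lee <pat.lee@example.com>\n"
    "Subject: Lunch on Thursday?\n"
    "\n"
    "Does noon work for you?\n"
)
BULK = (
    "From: Prize Dept <win@lottery-mail.net>\n"
    "Subject: You have won! Claim within 24 hours\n"
    "\n"
    "Click here to claim your prize.\n"
)

if __name__ == "__main__":
    for label, raw in (("spear", SPEAR), ("legit", LEGIT), ("bulk", BULK)):
        print(label, indicators(raw))
```

The targeted message trips all four checks, the generic bulk message trips only the urgency check, and the genuine colleague trips none; that difference in specificity, not the urgency alone, is what distinguishes spear phishing from mass phishing in the explanation above.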
Things to remember:
Spear phishing is a social engineering attack that targets a specific individual. Unlike unsophisticated phishing attacks, spear phishing requires the attackers to research potential targets to gather credible information to disguise themselves as a legitimate contact.
