Spear phishing is a form of phishing attack. But unlike mass phishing emails sent to hundreds or thousands of recipients at once, spear phishing is highly targeted: it leverages specific information about an individual or organisation to personalise the lure and make it far more convincing.
The personalised nature of spear phishing means the details vary from attack to attack. But it typically follows a staged process: reconnaissance first, building up a bank of information about the target, and then a lure crafted from that information.
Whether the target is an individual, or an organisation approached through one of its employees, spear phishing attacks rely heavily on people who freely share personal and work information on social media.
Attackers mine publicly available data for details of a target’s relationships, job role, personal interests and day-to-day activities. They also create fake profiles, populating them with posts and images so they look genuine, and use those profiles to build trust with the target over time.
It is that potential for building trust that makes social media such a rich environment for spear phishing. It is effective enough that committed threat actors can sustain attacks for years: Evaldas Rimasauskas, for example, posed as the Taiwanese hardware manufacturer Quanta Computer between 2013 and 2015 and used forged emails and invoices to defraud Facebook and Google of more than $100 million.
One of the major challenges organisations face in mitigating the risks of spear phishing on social media is that they have to respect employees’ freedom to express themselves online, and balance that with the security of the organisation.
Company social media policies can restrict the sharing of business information and encourage employees to separate their personal and work profiles, but policy alone is not enough: employees also need to recognise the signs and understand the risks of spear phishing.
Training that helps individuals understand and identify spear phishing tactics is essential. Some organisations run simulated spear phishing exercises on social media to test and improve employees’ ability to detect and report suspicious behaviour. Education on how to verify the authenticity of social media accounts and communications before engaging with them, for example by checking an account’s age, activity history and mutual connections, and by confirming any unexpected request through a known channel such as a company phone number or directory email address, helps reduce the risk of employees sharing information with malicious actors.
Ultimately, organisations have to tread the line between effective security and overstepping into employees’ personal lives. But as spear phishing continues to become more prevalent, it’s a necessary boundary to explore.
Discover the latest research into social engineering cybersecurity attacks at Black Hat MEA 2024.