1. Support
  2. Glossary
  3. Phishing vs Spear Phishing

Phishing vs Spear Phishing

Phishing vs Spear Phishing

Phishing and spear phishing are very common forms of email attack designed to you into performing a specific action — typically clicking on a malicious link or attachment. The difference between them is primarily a matter of targeting.

  • Phishing emails are sent to very large numbers of recipients, more or less at random, with the expectation that only a small percentage will respond. An apparently official email from, say, a well-known delivery company might arrive, saying that “Your package has been delayed, click here for details.” Click the link and malware might be downloaded onto your device, or you might go to a fake website where you’re asked to enter your name, address, and social-security number. That information would then be sold on the black market or used for fraud or identity theft.
  • Spear phishing emails are carefully designed to get a single recipient to respond. Criminals select an individual target within an organization, using social media and other public information — and craft a fake email tailored for that person. For example, share online that you will be traveling to Chicago soon, and you might get an email from a colleague (apparently), saying “Hey, while you’re in Chicago you’ve got to eat at Joe’s Grill, check out their menu.” Click the link, and while you’re studying the menu, malware is inserted into your computer. Another version might apparently come from your CEO, who’s travelling abroad and says his phone and wallet and briefcase have been stolen, can you wire five thousand dollars to this number right away?

See which threats are hiding in your inbox today.

Our free Email Threat Scan has helped more than 12,000
organizations discover advanced email attacks.

What You Can Do

It’s important to train users to spot potential spear-phishing emails and delete them. To err on the side of caution and confirm the authenticity of any unexpected email by contacting the apparent sender.

But the truth is that even a well-trained, observant user will have moments of distraction, and as social media use explodes, it becomes ever easier to craft a highly convincing spear-phishing email. It’s critical to complement user training with technical solutions that prevent phishing and spear-phishing emails from ever arriving in your users’ inboxes.

Barracuda Email Protection is a comprehensive, easy-to-use email security solution that delivers gateway defense, API-based impersonation and phishing protection, incident response, data protection, compliance and user awareness training. Its capabilities can prevent spear phishing attacks:

  • Impersonation Protection  protects against business email compromise, account takeover, spear phishing, and other cyber fraud. It combines artificial intelligence and deep integration with Microsoft Office 365 into a comprehensive cloud-based solution.

    Impersonation Protection’s unique API-based architecture lets the AI engine study historical email and learn users’ unique communication patterns. It blocks phishing attacks that harvest credentials and lead to account takeover, and enables real-time remediation.

  • Security Awareness Training is an email security awareness and phishing simulation solution designed to protect your organization against targeted phishing attacks. Security Awareness Training trains employees to understand the latest social engineering phishing techniques, recognize subtle phishing clues, and prevent email fraud, data loss, and brand damage. Security Awareness Training transforms employees from a potential email security risk to a powerful line of defense against damaging phishing attacks.

  • Incident Response automates incident response and provides remediation options to address issues faster and more efficiently. Admins can send alerts to impacted users and quarantine malicious email directly from their inboxes with a couple of clicks. Discovery and threat insights provided by the Incident Response platform help to identify anomalies in delivered email, providing more proactive ways to detect email threats.