2011 – The Year of Spear Phishing and Spear Phishing


[Image: spear phish vs. spear phish]

An odd title for a blog post, but something that has been on my mind for a while now. We get a fair amount of media requests for comments or perspective on phishing stories. This is a good thing. It’s nice to have recognition in your field. Of course, 2011 had no shortage of phishing-related news. (What’s up, RSA? I’m looking at you. I’ve noticed you frequent our website a lot. How about a demo? Couldn’t hurt.)

In 2011, the term “spear-phishing” shifted gears a bit. Once reserved for highly targeted, personalized email attacks against organizations, the term is now being applied to consumer fraud phishing as well, and the taxonomy of phishing is changing again.

First, some of the de facto high-profile spear-phishing events in 2011:

But something new has been brewing. Massive data breaches of big consumer organizations with millions of users became more commonplace. It started with the Epsilon compromise, then we had Sony, and now the Steam breach putting 35 million gamers at risk.

As the trade journalists made the rounds, the security experts commenting talked about how these data breaches will lead to more spear-phishing of consumers. What they mean is that instead of a consumer, Bob, receiving a generic phish:

“Dear Citibank Member,
There is something wrong with your account. Please read the attached statement to verify charges.”

Attackers can now cobble a bit of personal information into the phishing email to make the bait look more believable (see Pretexting on Wikipedia):

“Dear Bob Dobolina,
I ran into a mutual friend of ours in Charleston, SC. He said you were into video games. Check this out …..”

Ok, I’ll tip my hat to the use of some personalized information somewhat resembling what we’ve been calling a spear phish. But this in no way resembles the effort and sophistication used by advanced threats against our most trusted institutions. They are facing attackers armed with department names, locations, org charts, contract names, names of sub-contractors, and whatever else they can scrape together to increase the chances of a successful mission.

I chose the word mission for a reason. The first-of-its-kind DARPA meeting last week, a stone’s throw from the PhishMe offices, started to cast light, in not-so-vague terms, on what organizations have been dealing with for quite some time.

Spear Phishing vs. Spear Phishing. There is a difference.


Aaron Higbee



p.s. Don’t even get me started on whaling.



