CHAPTER 14 Fighting Spear Phishing
Spear phishing is one of the top cybersecurity threats, if not the top cybersecurity threat. This chapter covers the different types of spear phishing and discusses how to defend against it specifically.
Background
Social engineering is involved in 70% to 90% of successful compromises. It is the number one way that hackers and malware successfully attack devices and networks. No other initial cyberattack root cause comes close (exploiting unpatched software and firmware is a distant second, being involved in about 20% to 40% of attacks).
A particular type of social engineering is responsible for more successful compromises than any other type of attack: spear phishing. As previously covered in Chapter 2, “Phishing Terminology and Examples,” spear phishing is defined as focused, targeted phishing that attempts to exploit a specific person, position, team, organization, or group, often leveraging previously learned information related to the target. Spear phishers often use information they find on publicly available websites, on social media, or on private websites, or use confidential information they have previously learned from using other exploits. General phishing rarely has or uses confidential information on the intended victims, whereas spear phishing often does.
In May 2023, Barracuda Networks released a report (https://assets.barracuda.com/assets/docs/dms/2023-spear-phishing-trends.pdf) revealing a lot of relevant statistics ...