
What is spear phishing?

Most people will have heard of “phishing”: a (mostly) fraudulent e-mail that aims to get the recipient to disclose user names and passwords. This kind of mail is sent to a large number of people without any regard for who receives it. Phishing is an old technique, but it is still a major concern in IT security because it works surprisingly well. Many recipients just skim the fraudulent mail’s content, are impressed by the wording (“ACT NOW OR YOU WILL BE PROSECUTED”) and react in the way the phisherman intended: they click the link and enter their credentials on the phishing page.

But, as with every successful scam, this has been developed into something even more dangerous: spear phishing. It is just like phishing, but with personalised mails sent to hand-selected individuals. An example: a professor receives an e-mail from a real or fictional student asking her to fact-check his thesis. As soon as the professor opens the attached file, it installs targeted malware on her computer that skims credentials. A commented list of examples can be found here.


Even with contemporary spam and malware filters in place, whose diligent and successful work millions of users never notice, security is never one hundred percent. So, to avoid getting spear phished, please:

  • Look closely. What exactly is the sender’s address? And remember: even that can be faked. Do you know the person? If so, and something seems fishy, ask!
  • Be alert. Is the content of the mail consistent with the person’s usual style of communication? Does it deviate, be it in style or in the procedure it asks you to follow? If so, ask!
  • Always remember that spear phishing is a personalised attack! The phisherman knows your field of expertise, your research and the names of your staff!
  • If there is any doubt about a mail attachment, ask, don’t click!
  • If you already did click (or if you’re unsure if you should), don’t hesitate to contact the RRZK helpdesk.
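The sender and attachment checks from the list above, as an added example that is not part of the RRZK page: a small Python triage script run over a constructed message in the “thesis” scenario (the home domain ORG_DOMAIN, the sample mail and the extension list are assumptions), flagging a display name that borrows the home domain while the real address is elsewhere, a Reply-To or Return-Path routed to another domain, and an executable hidden behind a double extension.

```python
import email
from email.utils import parseaddr

# Assumptions (constructed for this example): the recipient's own mail domain
# and a short list of attachment types that should never arrive unannounced.
ORG_DOMAIN = "uni-example.invalid"
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm")

# Constructed sample message: the display name shows a home-domain address,
# the real sender and reply address sit on free-mail providers.
SAMPLE_MAIL = """\
From: "colleague@uni-example.invalid" <review-team@free-mail.invalid>
Reply-To: review-team@other-mail.invalid
Return-Path: <bounce@free-mail.invalid>
To: prof.example@uni-example.invalid
Subject: Could you fact-check my thesis?
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Professor, the thesis is attached. Kind regards
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="thesis.pdf.exe"

(binary payload omitted)
--b1--
"""

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def triage(raw_mail):
    """Return human-readable warnings a helpdesk or gateway could attach to a mail."""
    msg = email.message_from_string(raw_mail)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # 1. The visible name claims the home organisation, the real address does not.
    if ORG_DOMAIN in name.lower() and from_dom != ORG_DOMAIN:
        warnings.append(f"display name suggests {ORG_DOMAIN} but address is {addr}")
    # 2. Replies or bounces go to a different domain than the apparent sender.
    for hdr in ("Reply-To", "Return-Path"):
        other_dom = domain_of(parseaddr(msg.get(hdr, ""))[1])
        if other_dom and other_dom != from_dom:
            warnings.append(f"{hdr} domain {other_dom} differs from From domain {from_dom}")
    # 3. Attachments whose final extension is executable (double extensions included).
    for part in msg.walk():
        filename = part.get_filename() or ""
        if filename.lower().endswith(RISKY_EXTENSIONS):
            warnings.append(f"executable attachment: {filename}")
    return warnings
```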

If you have any questions or problems, please contact the RRZK-Helpdesk.