How to defeat Spear Phishing email attacks

Email threats are constantly evolving as cyber-criminals find new ways to avoid detection. We take a look at what Spear Phishing is and how not to get caught out.

What is Spear Phishing?

Spear Phishing is a personalised form of attack. Attackers research their targets and craft carefully designed emails that often impersonate a trusted colleague, website or business. The idea of Spear Phishing is to steal sensitive information which is then used to commit fraud, identity theft or other crimes. Most Spear Phishing emails evade email security gateways and spam filters because they are sent from previously compromised accounts or verified domains.

Today, phishing is the top social attack on businesses, responsible for more than 90 percent of security breaches.

Brand Impersonation

83% of Spear Phishing attacks involve brand impersonation. Attackers aim to impersonate a trusted company and get recipients to give up account credentials or click on malicious links. Attackers use domain spoofing or lookalike domains to convince users that they are on a legitimate website. Employees are usually the victims of these attacks, as the email appears to come from a trusted business application that they work with every day.

Impersonated Microsoft Office 365 Portal


Attackers leverage stolen usernames and passwords to send threatening emails and trick their victims into giving them money. The attacker will claim to have a compromising video, images or other content and will threaten to share it with all of their email contacts unless they pay the ransom.

Common email subject lines to look out for:

  • You are my victim

  • Better listen to me

  • I’ve been watching you

  • Don’t be embarrassed

Blackmail Extortion


A real problem for businesses of any size: attackers attempt to impersonate an employee within the organisation, usually the CEO or a director.
The aim of these attacks is usually to get finance employees to make a payment with urgency. Once the payment is made it’s usually impossible to get any of it back. Attackers will use social engineering tactics and compromised accounts to trick their victims. These attacks are highly sophisticated, and attackers will spend time researching an organisation and its employees before launching the attack.

Example of BEC attack, with Vade Secure safety banner.


  • Never trust an email based simply on the sender. Cyber-criminals have many methods to disguise emails and impersonate others.

  • Don’t be fooled by the subject line: these emails usually contain enticing or threatening language.

  • Be cautious: if the email looks odd or the content is out of character, stop and check with the sender!

  • Links are not always what they seem: hover over the link and be sure it is a URL you recognise. If it’s not, check the URL on

  • Don’t open unknown attachments: if you’re not expecting it, don’t open it.
