In many of the cases where security gets compromised at a company, the culprit is poor user education and ineffective security measures. Frequently, the breach could have been avoided if a worker had known enough not to open an obvious phishing or malware-laden email, or if the company had put in place even basic filters and network policies to keep the bad stuff from ever getting in.
But for one growing security concern, basic security systems and good user awareness may not be enough. In some of the recent cases of spear phishing, even trained security personnel were tricked into surrendering personal data or infecting systems with malware.
So what is spear phishing? Well, in this case, the name that tech pundits have given it actually helps a lot in describing the problem.
Standard phishing is a lot like sitting in a boat with a line drifting in the water. The bad guy isn't exerting too much effort; he's just sending out a broadly structured fake bank or service email in the hopes that a few people will be dumb enough to take a bite, get reeled in and surrender personal data or install malware.
But real-world spear fishing takes a lot more effort: the person needs to know how to swim, maybe even scuba dive, or at least snorkel. They have to be skilled with the spear gun, and they have to pick specific fish to go after. Similarly, spear phishing bad guys need to take the time to investigate the company and the individuals they are targeting in order to craft a message that will be seen as legitimate. The spear phishing message can be made to look like a real company web application, to come from real people in the company, and even to use the same jargon and logos as company communications.
In this case, spear phishing involves a lot more work but also brings a much greater reward, and the bad guys are certainly taking advantage of it. A recent Cisco security report showed that while the number of broad-based phishing attacks was dropping, the incidence of targeted attacks was increasing.