Ryan Harnedy
Apr 2016

5 Ways to Keep Your Users Safe from Spear Phishing



A more highly-targeted variant of phishing, “spear phishing” is a technique used by cybercriminals in which they send an email that appears to be from a friend or colleague that either encourages recipients to download malicious attachments, click on malicious links, or send sensitive personal or professional information back to the sender.

A report by the Ponemon Institute has estimated that the cost of a successful phishing attack is roughly $300,000. That’s nearly a third of a million dollars lost with just one errant employee click.

When you consider that cybercriminals have been known to make off with employee W-2 information, critical banking information, and other sensitive financial documents, the importance of teaching your users how to take precautions and avoid falling victim to phishing attacks becomes clear.

How Spear Phishing Works

Spear phishing emails go well above and beyond the typical spam message. Using information they uncover about their targets online, attackers personalize their emails and make them appear as convincing as possible. This can include information pulled from victims’ social media accounts, or from a simple Google search.

Unfortunately, once someone takes the bait and clicks on a link in the phishing email their computer can quickly become infected with malware that can steal the user’s critical information, wreck their system, or encrypt their hard drive until your company pays an outrageous ransom to the people holding the data hostage.

5 Tips for Keeping Users Safe from Spear Phishing

Given the dangers of opening a spear phishing email it’s important to keep your users informed and vigilant. Here are some tips and best practices to pass along that can help protect them from spear phishing:

  1. Check twice, click once: Remind your users to stop before they click on any links in an email and hover over the hyperlink to see the destination URL first. Spear phishers will often hide their URLs behind email text like “just click here to confirm” or “we just need some more information, please fill out this form” in order to get someone to click without thinking about it. Hovering over the linked text will show the URL that the link is actually pointing to. If it’s not familiar, don’t click.
  2. Not sure about an email? Check with the sender: A favorite tactic of spear phishers is to find a list of executives at a company and send emails impersonating those executives to get employees to reveal sensitive information. Remind your users that if they get an email with any request that seems out of the ordinary — no matter who it is from — they should check with the sender to confirm it is legit. If that person says they didn’t send an email then the issue should be reported to IT immediately.
  3. Never send confidential information via email: Very often, spear phishers will email employees and ask for confidential information such as users’ passwords, W-2s, or corporate banking information. Sending this information over email is never a good idea. Make sure your users know to alert you if anyone makes these types of requests, as that is an indication your company may be the target of phishing attacks.
  4. Avoid posting too much personal information online: A key part of a spear phisher’s strategy is using the personal information they find out about their potential targets online. Remind your users that posting too much personal information publicly can help spear phishers successfully breach your company. Encourage your users to be especially careful to avoid posting their work phone numbers online. Many spear phishers will try calling and pretending to be IT staff or admins to assure users that they should send them the information they requested.
  5. Use behavioral-based endpoint protection: While there are a lot of things you can do to help keep your users safe online, no strategy, tool, or behavior is going to be effective 100% of the time. Sooner or later, someone will click on something that will open you up to a breach. Using an endpoint protection tool that is behavioral-based will help ensure that, if something does get through, you will be able to catch and stop the malware infection before it does any damage.

Given the potential profits that cybercriminals can gain from spear phishing, it seems only likely it will become a larger problem. However, with the right tools, training, and strategy you can keep your users and your company safe.

Ready to get started? Download our Phishing Field Guide by clicking on the "Get My Guide" link below and learn what you can do to help protect yourself.

Photo by Parker Gibbs

Ryan Harnedy

Ryan writes about how to make cybersecurity make sense to end users and keep employees safe from ransomware, malware, and phishing attacks. He enjoys decoding buzzwords and sharing security tips that users might actually follow.
