While wide-net phishing email tactics are very common, they are not the only way attackers steal information. Sometimes, attacks target specific people within an organization who are in a position to buy things with company funds or to reveal privileged information. The use of these targeted emails is referred to as "spear phishing".
Spear phishing emails take advantage of a few techniques to trick victims. These techniques have some common themes.
- Spear phishing emails may come from a spoofed or compromised email account. By imitating a supervisor or colleague, the attacker attempts to boost the email's credibility, which can mislead the recipient.
- Spear phishing emails are often carefully worded so that they do not include information that conflicts with information the recipient likely knows.
- There is always some sort of request associated with a spear phishing email. A good rule for protecting yourself from spear phishing is to think about the standard processes that you are expected to use when doing your job. If you are being asked to do something that you would not normally do over an email request, like buy gift cards or discuss a sensitive topic, then there is a good chance that the email is a spear phishing attack.
If you are unsure in any way, report it to firstname.lastname@example.org. Even if the email turns out to be legitimate, it is better to report it than to fall victim to a spear phishing scam.