07 July 2021
Dartboard with darts on target

75% of organisations around the world experienced a phishing attack in 2020 with another 35% experiencing a spear-phishing attack. We’ve already covered what phishing is in a previous blog, so what is spear phishing?


What is spear-phishing?
Spear-phishing is phishing but targeted. Where phishing relies on casting a wide net by sending a fraudulent email to multiple email addresses, spear-phishing uses information found on social profiles or anywhere else on the internet to craft their malicious email. However, the objective of both spear-phishing and phishing remains the same: getting the target to click on a malicious link.

The malicious link often takes you to a phishing website. Phishing websites are designed to convince you to enter any details an attacker can then use to get access to your files. The fake websites will often try to look like the legitimate site by using a similar domain name, so look for any typos in the URL. Google Safe Browsing has found that it has registered 2,145,013 phishing sites as of January 17 this year. This represents an increase of 21% on last year.


What information would a spear-phishing attack use?
A spear-phishing attack would use all the information that is readily available on the internet to improve how believable the email will look. An example would be using your LinkedIn profile to find out where you work, who you work with, and what their job titles are. The spear-phishing attacker could use this information to craft an email requesting an urgent invoice payment for work that you might believe could have been done for one of your coworkers. Downloading the attached invoice begins the process of malware being downloaded onto your device and grants the attacker the ability to monitor your keystrokes, passwords, and other information for them to use later.

Clearly, an important step in protecting yourself and your business from spear phishing attacks is to be careful of what information, personal or business, you put online. Digital Guardian has 6 tips to avoid spear-phishing attacks that will give you some things you can implement yourself and a couple of tips that might require some more expertise. 


Why does spear phishing matter for .au domains?
.au still remains well below the global average of domain abuse, but it pays to be observant as cybercrime is on the rise globally brought on by the COVID pandemic.

As many spear-phishing and phishing attacks use fake websites to steal information, you should be wary of domains in the links you receive in suspicious emails. However, in the .au domain space, this method is difficult for attackers to use due to the licensing rules to get a .au domain.

If you are a victim or suspect abuse of a .au domain name, contact us at abuse@afilias.com.au.