Can you believe that phishing, the scam that tricks users into giving away sensitive information like their credit card numbers and bank login credentials, is still with us after more than twenty years? Phishing is still here because criminals keep devising new ways to make it work. However, new phishing methods take more effort, but yield only modest returns. To increase their returns, some criminals are dropping phishing schemes that attack large masses of random users and are replacing them with narrowly focused attacks targeting a few high-value employees at enterprises. These attacks are called “spear phishing.”

Spear phishing uses social engineering and deception to steal credentials and other valuable information from a specific group of users, a company, or even one person. To conduct a successful spear phishing attack, a perpetrator gathers detailed information about the target. For example, an attacker might research a target company’s vendors such as the accounting firm, or the company’s business partners. The attacker then identifies specific individuals and their email addresses in the target company and sends them spoofed emails that appear to be from a known vendor or partner. The email either tells the user to open an attachment or sends the user to a counterfeit website. Increased social engineering results in a much higher success rate. In addition, businesses typically have deeper pockets than an average user, so the typical “take” from each spear phishing scam is much higher. To learn more about phishing attacks against businesses, read our 2016 Security Report.

Some criminals have taken spear phishing up a notch by launching “whaling” attacks. Whaling attacks usually target C-level executives – the “biggest fish.” A whaling attack might send a spoofed email masquerading as a message from the CEO to the CFO. The email tells the CFO to transfer money to a specific bank account. By the time the truth comes out, the money is gone. To erase any traces, some attackers use a mule account for only one attack. According to the FBI, over the last two-and-a-half years, whaling scams have bilked businesses out of $2.3 billion.

As long as attackers keep making money, they will develop new ways to deceive users. The best ways for organizations to protect themselves is to give users ongoing awareness training about phishing and to use advanced threat prevention technologies that proactively block phishing traffic from entering the network. Learn more about today’s evolving threat landscape by downloading the Check Point Security Report 2016.