Fred goes spearfishing when he wants to catch that one particular fish. He picks up his spear and dives into the water and goes after that one fish for dinner. Similarly, a bad guy goes spear-phishing when they want to catch that one particular person.

Most phishing is spam.  It’s sent to as many people as possible in hopes of getting people to click on those links and get their information. It’s like what fishers do when they put nets down in the water and try for as many fish at once.

A net for fish (not phish)

The phishers (those guys sending out the emails) are after any kind of person, rich people, poor people, they aren’t going to be picky. They just want the login credentials so they can steal as much as they can.

Sometimes, though, there’s that one person the bad guy wants to go after. The head of a corporation, an Admiral, a General, someone with lots of power and access to information. Sending a wild ‘click on this link, give me your banking information!’ doesn’t get the bad guy access to that information the good guy has. It just gets them the banking information. So, they craft emails to send to these people and entice them to either click on a link in the email or download an attachment.

Once they click on the link or download the attachment, they’re infected with malware and then it can go to town. It can replicate itself, spread itself around, and generally be a nuisance. Like Ultron did.

The Ultron Threat

It wants to hang around as long as possible and steal as much information as it can. These are Advanced Persistent Threats, which isn’t a really exciting name, is it. I think we should go for the Ultron Threat, but they never asked me.

Protecting yourself from spear-phishing is similar to protecting yourself from phishing.  Don’t click on any links (even if they promise you your very own Iron Man!) and don’t download any attachments (even if they claim to be the code that Tony Stark uses to operate Iron Man).