Spear-phishing is a targeted version of phishing.
The phishing message is directed to a specific person, in the hope that they will disclose information that allows an attacker to gain an initial foothold within an organisation.
Cybercriminals may use data that someone has posted online to add credibility to the message.
This may include information posted on a company web site, snippets of information that people disclose in social networks or things they publish in public forums.
For example, if the sales director of a company tweets about his holiday in Greece, or his business trip to Berlin, this can be referred to in an e-mail to make it look legitimate.
Similarly, an e-mail may be spoofed to look like it has come from a trusted colleague.
If, for example, it appears to be from a colleague in IT, it’s likely that an employee will respond to the e-mail.
The widespread use of social networks, and our occasional tendency to over-share, has given cybercriminals more raw data for developing spear-phishing attacks.
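A mail filter or triage script can check for the "spoofed colleague" case described above by comparing the sender's display name, address and Reply-To against what the organisation knows about its own staff. The following is an added example, not part of the original text; the domain `example.com`, the staff directory and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                            # assumed organisation domain
STAFF = {"alice jones": "alice.jones@example.com"}    # constructed directory: name -> real address

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw):
    """Return a list of reasons a message may be impersonating a colleague."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # A colleague's name attached to an address that is not theirs.
    known = STAFF.get(" ".join(name.lower().split()))
    if known and addr.lower() != known:
        findings.append("display-name-impersonation")
    # Replies silently diverted to a different domain than the sender's.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append("reply-to-domain-mismatch")
    # Mail claiming our own domain must carry a DMARC pass from our gateway.
    auth = msg.get("Authentication-Results", "").lower()
    if domain_of(addr) == ORG_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal-domain-without-dmarc-pass")
    return findings

# Constructed sample messages (headers only, followed by a blank line and a body).
LOOKALIKE = "\n".join([
    'From: "Alice Jones" <alice.jones@examp1e-it.test>',
    "Reply-To: helpdesk@mail-reset.test",
    "To: bob@example.com",
    "Authentication-Results: mx.example.com; spf=pass; dmarc=none",
    "", "Hi Bob"])
FORGED_INTERNAL = "\n".join([
    'From: "Alice Jones" <alice.jones@example.com>',
    "To: bob@example.com",
    "Authentication-Results: mx.example.com; spf=fail; dmarc=fail",
    "", "Hi Bob"])
GENUINE = "\n".join([
    'From: "Alice Jones" <alice.jones@example.com>',
    "To: bob@example.com",
    "Authentication-Results: mx.example.com; dkim=pass; dmarc=pass",
    "", "Hi Bob"])

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("forged", FORGED_INTERNAL), ("genuine", GENUINE)]:
        print(label, spoof_indicators(raw))
```

The third check relies on the receiving gateway stamping an `Authentication-Results` header and on upstream copies of that header being stripped at the border, so it should only be trusted for mail that entered through that gateway.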