Help Net Security has an article arguing that spearphishing will replace regular phishing attacks very soon.  I strongly disagree, for the simple reason that these are two completely different mechanisms meant to achieve two completely separate goals.

The general idea of a phishing attack is to snare some number of people somewhere.  This is akin to fishing with a large net:  you don’t care so much about what you catch, but rather that you catch something.  Phishing attacks are meant to get some non-zero percentage of recipients to respond, typically as a means of taking over computers or harvesting credentials and financial details (bank accounts, credit cards, etc.).  If you fail 99% of the time, you’re still fine, because you make up for failure through quantity:  the attacker’s cost per message is near zero, so even a tiny response rate pays off.

Spearphishing, on the other hand, is much more targeted.  In this scenario, you know your targets and do extensive research on them (their role, their contacts, the vendors and systems they deal with) so that the lure is tailored and believable.  The goal here is to attack a particular person or firm.  If you fail to achieve your goal here 99% of the time, you aren’t so fine:  this is much closer to a binary success-or-failure outcome than the broad-based “make up for it in quantity” approach.

For this reason, I do not see spearphishing replacing regular phishing attacks.  Instead, I see them as complementary tactics that attackers will use depending upon their goals.
