Whereas phishing is now a threat that is well known to the Internet ecosystem and the security industry, a more advanced and pernicious threat has appeared recently, known as spear phishing.
Spear phishing has the following features:

- Spear phishing targets enterprises, and especially small and medium-sized enterprises. The victim targeted is someone who has access to sensitive information, such as a C-level executive or an accountant.
- The attack is prepared meticulously. The attacker performs a thorough study of the enterprise and the victim, drawing from sources of information such as social media (LinkedIn, Facebook, Twitter, etc.), the corporate website, blogs and corporate media. Such sources are often a treasure trove of valuable information. The attacker uses this information to build an attack that makes sense and appears legitimate to the victim.
- The email is sent to the victim by an allegedly trusted person. In the case of spear phishing, there is always impersonation of a trusted person. A well-known kind of impersonation by email is called email spoofing.
The payload of the spear phishing attack can be one of the following:

- a malicious file attached;
- a malicious Uniform Resource Locator (URL); or
- the text itself, designed to lead the victim to carry out an action (wire transfer, sending of confidential documents, etc.).
The spear phishing attack is unique and is tailored specifically to the targeted enterprise and victim. A known example of spear phishing is called CEO fraud. CEO fraud is a business email scam in which the attacker spoofs an email from the CEO of a company and tricks another person at this company, typically the accountant, into performing an action that benefits the fraudsters, such as wiring funds or disclosing sensitive information. CEO fraud is a typical example of a spear phishing attack in which the attack is prepared meticulously so that the victim believes that the email originates from the CEO himself. For example, in the case of a wire transfer, the attacker will provide the motivation for the wire transfer. Here is an example:

    From: John Miller <john.miller@company.com>
    To: Jessica Lee <jessica.lee@company.com>
    Subject: Urgent matter

    Jessica,

    I just met one of our provider at the RSA conference. They have a pending invoice from last year that got lost. I have attached the invoice. Can you initiate the wire transfer asap? It is very important.

    Thx
    John

    Sent from my iPhone
In this example, the attacker knows that John is the CEO and Jessica the accountant. He also knows the email addresses of both. It is quite trivial for the attacker to find this information, as the company website and social media websites such as LinkedIn provide much, if not all, of the needed information. Furthermore, the attacker knows that John Miller is at the RSA conference because this information was posted on the company Twitter account.
As previously stated, a spear phishing attack relies on impersonation. Email spoofing, in turn, is the creation of email messages with a forged sender address in the From header of the email. As surprising as it may sound, core email protocols do not provide a mechanism for sender authentication and thus allow the creation of email messages with a forged sender address.
To address this critical issue, the software industry has developed technologies such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and, more recently, Domain-based Message Authentication, Reporting and Conformance (DMARC). However, even though the adoption of these technologies is increasing, a vast portion of email traffic is still not protected. The main reason for the non-adoption of these technologies is the large amount of work required to properly configure SPF, DKIM and/or DMARC, which typically depends on the complexity of the email provider's infrastructure. Moreover, for even modestly complex environments, the cost of deploying these technologies may be prohibitive for the email provider. For example, Google, AOL and Yahoo! have successfully deployed these technologies. However, other major email providers have not and may never do so. Consequently, a large number of end users remain vulnerable to email spoofing.
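The following Python script is an added example, not part of the original text, showing what a receiving mail server gains from the DMARC deployment described above and what it loses when no record is published. It feeds the forged From header from the CEO fraud message earlier on the page through a minimal DMARC evaluation: the DNS TXT records, the message, the SPF/DKIM outcomes and the domains `company.com`, `attacker.example` and `unprotected.example` are all constructed for the demonstration, and the organizational-domain reduction is a deliberate simplification of the Public Suffix List lookup a real implementation would use.

```python
"""Minimal DMARC policy evaluation over constructed inputs (added example).

Tags follow RFC 7489 (DMARC) but only p=, adkim= and aspf= are handled.
All DNS records, domains and authentication results below are constructed;
nothing is fetched from the network.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain>.
DNS_TXT = {
    "_dmarc.company.com": "v=DMARC1; p=reject; adkim=s; aspf=r",
    # unprotected.example publishes no DMARC record at all.
}

# Constructed message reusing the forged From header from the CEO fraud example.
SPOOFED_MESSAGE = (
    "From: John Miller <john.miller@company.com>\n"
    "To: Jessica Lee <jessica.lee@company.com>\n"
    "Subject: Urgent matter\n"
    "\n"
    "Jessica, can you initiate the wire transfer asap?\n"
)


def parse_dmarc(domain):
    """Return the DMARC tags for a domain as a dict, or None if none is published."""
    txt = DNS_TXT.get("_dmarc." + domain.lower(), "")
    if not txt.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    tags.setdefault("adkim", "r")  # RFC 7489 defaults: relaxed alignment
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Assumed simplification: keep the last two labels as the organizational
    domain. Real code consults the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(header_domain, auth_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed
    accepts the same organizational domain."""
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


def evaluate(raw_message, spf_result, mail_from_domain, dkim_result, dkim_domain):
    """Decide the DMARC disposition of a message.

    spf_result / dkim_result are the outcomes the MTA already computed
    ("pass" or anything else); mail_from_domain and dkim_domain are the
    identifiers those checks authenticated. Returns (disposition, reason)."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    policy = parse_dmarc(from_domain)
    if policy is None:
        # Without a record the receiver has no policy to apply; the forged
        # From header is delivered as if it were genuine.
        return "none", "no DMARC record published for " + from_domain
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned SPF or DKIM identifier"
    disposition = policy.get("p", "none")
    return disposition, "no aligned authentication; applying p=" + disposition


if __name__ == "__main__":
    # Attacker's relay: SPF passes for attacker.example, no DKIM signature.
    print(evaluate(SPOOFED_MESSAGE, "pass", "attacker.example", "none", ""))
    # Legitimate mail from the company's own outbound server.
    print(evaluate(SPOOFED_MESSAGE, "pass", "mail.company.com", "none", ""))
    # Same forgery against a domain that never deployed DMARC.
    unprotected = SPOOFED_MESSAGE.replace("company.com", "unprotected.example")
    print(evaluate(unprotected, "pass", "attacker.example", "none", ""))
```

The three runs at the bottom make the page's point concrete: with `p=reject` published, the forged message is rejected because the only passing identifier (`attacker.example`) does not align with the From domain; genuine mail from `mail.company.com` passes under relaxed SPF alignment; and the identical forgery against `unprotected.example` is simply delivered, because a receiver has nothing to enforce when the sending domain has not done the configuration work described above.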