Cisco Exam Questions

Which of the following is an example of a spear phishing attack?

A. An attacker sends an email that appears to be from a bank to a large group of people asking the recipients to log in to a website and provide their phone numbers.

B. An attacker poses as an IT employee and sends an email to an accounting employee asking the accounting employee to log in to a bogus website and change his or her password.

C. An attacker calls an employee of a company and asks for the employee’s password.

D. An attacker digs through the trash of a company in an effort to obtain confidential information about the company.

Explanation:
B is correct. An attacker posing as an IT employee and sending an email to an accounting employee asking the accounting employee to log in to a bogus website and change his or her password is an example of a spear phishing attack. A spear phishing attack is a phishing attack that targets a specific individual or a small, deliberately chosen group. Phishing is a social engineering technique in which an attacker uses a seemingly legitimate email message or website in an attempt to dupe a user into submitting personal information, such as a Social Security number (SSN), account login information, or financial information. To mitigate the effects of a phishing attack, users should use email clients and web browsers that provide phishing filters as well as up-to-date antimalware programs. In addition, users should be wary of any unsolicited email or web content that requests personal information. Because a credential-harvesting page needs no malware on the victim's machine, antimalware alone does not stop the attack in option B; multifactor authentication and a password manager that only fills credentials on the genuine domain limit the damage when a user is fooled.
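As an added example that is not part of the exam material or the referenced article, the following Python script implements a few of the checks a phishing filter applies to an incoming message: a display name claiming an internal role from an external domain, a lookalike of the corporate domain, a Reply-To that diverges from From, link text whose host differs from the real href, and a password-action lure. It is run over two constructed messages, a version of the option B spear phishing email and a benign IT notice. The corporate domain example.com, the lookalike domain examp1e-support.com, the function names and the message contents are all assumptions made for the illustration.

```python
"""Spear-phishing indicator checks over raw RFC 822 messages (added example).

Everything here, including the corporate domain and both sample messages,
is constructed for illustration; it is not a production filter.
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"  # assumed internal domain (hypothetical)
CORP_BASE = CORP_DOMAIN.split(".")[0]

# Display-name words an impersonator uses to look like internal staff.
ROLE_WORDS = re.compile(r"\b(it|helpdesk|help desk|support|security|admin|ceo|cfo)\b", re.I)
# <a href="...">text</a> pairs in an HTML body.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Anchor text that itself looks like a URL or bare host name.
URLISH_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one-character lookalike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when any label of `domain` is within one edit of the corporate name."""
    domain = domain.lower()
    if domain == CORP_DOMAIN:
        return False
    labels = re.split(r"[.\-]", domain)
    return any(len(t) >= 4 and edit_distance(t, CORP_BASE) <= 1 for t in labels)


def host_of(s: str) -> str:
    """Host name of a URL or bare host, lower-cased ('' if unparsable)."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def phishing_indicators(raw: bytes) -> list:
    """Return a list of human-readable indicators found in the message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    if from_domain != CORP_DOMAIN and ROLE_WORDS.search(sender.display_name or ""):
        hits.append(f"display name '{sender.display_name}' suggests internal staff "
                    f"but sender domain is {from_domain}")
    if is_lookalike(from_domain):
        hits.append(f"sender domain {from_domain} resembles {CORP_DOMAIN}")
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        rt_domain = reply_to.addresses[0].domain.lower()
        if rt_domain != from_domain:
            hits.append(f"Reply-To domain {rt_domain} differs from From domain {from_domain}")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    for href, text in ANCHOR_RE.findall(body):
        if URLISH_RE.fullmatch(text.strip()) and host_of(text) != host_of(href):
            hits.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
    low = body.lower()
    if "password" in low and "http" in low and any(
            w in low for w in ("expire", "reset", "change", "verify")):
        hits.append("credential lure: password action requested together with a link")
    return hits


def is_suspicious(raw: bytes, threshold: int = 2) -> bool:
    """Flag a message once it accumulates `threshold` or more indicators."""
    return len(phishing_indicators(raw)) >= threshold


# Constructed sample: the option B spear phishing email as an IT impersonation.
SPEAR = b"""From: "IT Helpdesk" <helpdesk@examp1e-support.com>
Reply-To: creds@mailbox-collect.invalid
To: alice.accounting@example.com
Subject: Action required: your password expires today
Content-Type: text/html

<p>Hi Alice, your domain password expires today. Log in at
<a href="http://portal.examp1e-support.com/reset">https://portal.example.com</a>
and change it now.</p>
"""

# Constructed sample: a benign notice from the real IT department.
LEGIT = b"""From: "IT Helpdesk" <helpdesk@example.com>
To: alice.accounting@example.com
Subject: Planned maintenance Saturday
Content-Type: text/plain

The file server will be offline Saturday 02:00-04:00. No action is needed.
"""

if __name__ == "__main__":
    for name, raw in (("spear", SPEAR), ("legit", LEGIT)):
        print(name, is_suspicious(raw), phishing_indicators(raw))
```

The checks deliberately target the spear phishing pretext in option B rather than bulk phishing: a sender who claims an internal role but writes from outside the organization, and a link whose visible text names the corporate portal while the href goes elsewhere. A real mail gateway would add authentication results (SPF, DKIM, DMARC) and a confusable-character table instead of the one-edit lookalike test used here.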

Employees often list their personal information on social networking sites, such as Facebook and LinkedIn. Attackers can use the information posted on these sites to gather details about company employees, such as their role, manager, and colleagues, and then target those employees with a spear phishing attack. In a spear phishing attack, the attacker poses as a legitimate member of the company, such as a member of the IT department or an executive, and asks for confidential information in a targeted email message that is tailored to the recipient. The same pretext delivered over the telephone is a voice-based social engineering attack rather than spear phishing.

An attacker sending an email that appears to be from a bank to a large group of people asking the recipients to log in to a website and provide their phone numbers is not an example of a spear phishing attack. This is instead an example of a general phishing attack. Unlike a spear phishing attack, which is highly targeted, a general phishing attack involves sending email to a large group of people. The goals are similar, though; all phishing attacks typically attempt to obtain personal, confidential information.

An attacker calling an employee of a company and asking for the employee's password is not an example of a spear phishing attack. This is an example of a human-based social engineering attack, often called vishing (voice phishing), that is similar to a phishing attack but uses a telephone call instead of email messages. In such an attack, the attacker calls an employee of the company and attempts to obtain confidential information by posing as a legitimate user or colleague.

An attacker digging through the trash of a company in an effort to obtain confidential information about the company is not an example of a spear phishing attack. This is an example of a dumpster diving attack.

Reference: https://searchsecurity.techtarget.com/definition/spear-phishing