When It Gets Personal

Understanding Targeted Attacks

What is a Targeted Attack?

A regular scam is a net. The attacker throws it in the ocean and hopes to catch *any* fish. A targeted attack is a harpoon. The attacker is aiming specifically for you, or the company you work for.

This isn't a blast of 10 million emails. This is one, single, perfectly crafted email. The attacker has done their homework. They've scoured your social media, your company website, and your LinkedIn profile.

They know your name, your job title, who you report to, and maybe even what projects you're working on. This information makes their attack devastatingly effective.

Spear Phishing: The Main Weapon

This is the most common form of targeted attack. It's a phishing email, but upgraded from a cheap lure to a high-end, custom-built fly.

  • The "IT Department" email: "Hi Boris, we're migrating our email servers this weekend. Please log in to the new portal (link) before 5 PM to ensure you don't lose your data." The link goes to a perfect clone of your company's login page.
  • The "Boss" email: An email from "your boss" (with their name spoofed) sent at 4:50 PM on a Friday: "Hey, stuck in a meeting, can you do me a huge favor and buy ten $100 Amazon gift cards for a client? Just scratch off the back and email me the codes. I'll get finance to reimburse you on Monday."
  • The "Recruiter" email: A message on LinkedIn from a "recruiter" at a major tech firm, impressed with your premium setup. "We have the perfect role for you. Please see the attached Job_Description.zip." That .zip file is, of course, malware.

Your Defense: Professional Paranoia

When attacks are this personal, your only defense is to be professionally paranoid. Your gigabit connection and secure DNS are great, but they can't stop you from being manipulated.

How to Defeat a Targeted Attack:
  • Verify Through a Second Channel: Your boss emails you for gift cards? It's 100% a scam. But if you're ever unsure about *any* urgent financial request, do not reply to the email. Call them or send them a text on their *known* phone number to verify.
  • Scrutinize the "From" Address: The name might say "Your Boss," but check the actual email address. Is it [email protected] or [email protected]? That tiny difference is the whole con.
  • Be Wary of "Digital Breadcrumbs": Be mindful of what you post online. The more you share about your job, your colleagues, and your projects, the more ammunition you give to an attacker to build a believable lure.
  • Use Multi-Factor Authentication (MFA): This is your single best defense. Even if an attacker steals your password, they can't log in without the second factor (the code from your phone). Enable it. Everywhere.

Why Bother Targeting You?

It's easy to think, "Why me? I'm not a CEO." Attackers target people for two main reasons:

1. You're a "Beachhead"

You might not have the "keys to the kingdom," but you're an employee *inside the castle walls*. If an attacker can get malware on your premium MacBook Pro, they can use *your* machine as a launchpad to attack the company's servers. Your high-end IT security savvy makes you a high-value target—compromising you is a "prize."

2. You Have Your Own High-Value Assets

You own premium gadgets. You have a bank account. You have crypto wallets. You have online accounts that are valuable. An attacker who successfully spears you can deploy ransomware or spyware and aim for a five-figure payday just from you alone.

The Takeaway

The more public your profile and the more high-end your setup, the bigger the target on your back. The attacker's logic is simple: a person with a $3,000 laptop probably has more to lose than someone with a $300 one. Stay vigilant.

← Back to Learning Centre