<aside> 💡 91% of breaches result from spear phishing emails (source)
The majority of our phishing attacks begin with spoofing or impersonation, where an attacker sends an email pretending to be someone else. Sometimes these are sloppy, other times they are incredibly professional and polished. People fall for both the sloppy ones and the polished ones. Common examples include:
Most people still think of phishing emails as really clunky and poorly designed emails sent to large swaths of people. However, what we see the most are targeted phishing campaigns where the attackers know something about our organization. This is referred to as spear phishing. In our case, we frequently have attackers who scrape our webpage to get a feel for our organizational structure and then send phishing emails that appear to come from an administrator to a teacher, a parent to a teacher, or a colleague to a colleague, tailoring the style of the message to the relationship between sender and receiver.
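One way a mail filter can surface the impersonation pattern described above, where the sender name belongs to a real staff member but the address does not. This is an added example, not from the original page; the domain, staff names, and messages are constructed placeholders.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "school.example"  # assumed: the organization's own mail domain
STAFF = ["Dana Whitfield", "Marcus Oyelaran"]  # constructed staff directory

def name_key(name):
    """Fold case, accents, punctuation and word order ('WHITFIELD, Dana')."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c if c.isalnum() else " "
                   for c in text if not unicodedata.combining(c))
    return tuple(sorted(text.casefold().split()))

STAFF_KEYS = {name_key(n) for n in STAFF}

def domain_of(header_value):
    """Domain of the address in a From/Reply-To header, '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def impersonation_findings(raw_message):
    """Return review signals for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    findings = []
    if name_key(display) in STAFF_KEYS and from_domain != ORG_DOMAIN:
        findings.append("staff display name on external address")
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from From domain")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = ('From: "Whitfield, Dana" <principal.whitfield@freemail.example>\n'
           "Reply-To: dw.office@inbox.example\n"
           "To: teacher@school.example\n"
           "Subject: Quick favor\n\nAre you available?\n")
GENUINE = ("From: Dana Whitfield <dwhitfield@school.example>\n"
           "To: teacher@school.example\n"
           "Subject: Staff meeting\n\nAgenda attached.\n")
PARENT = ("From: Priya Raman <priya.raman@freemail.example>\n"
          "To: teacher@school.example\n"
          "Subject: Absence\n\nSam is out sick today.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("parent", PARENT)):
        print(label, impersonation_findings(raw))
```

Treat a hit as a review signal rather than a verdict, since a staff member writing from a personal account trips the first check too. Mail that forges the organization's exact domain is outside what this check sees and is the job of SPF, DKIM and DMARC.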