Modified 15 March 2017 by Ian Weatherhogg

Here at Google Apps Tips we have witnessed an increase in reports of an attack known as spearphishing.

To prevent becoming a victim of phishing, please read this rather big tip we have put together for you:

What is spearphishing?

Spearphishing is a development of phishing which targets individuals is an attempt to fool the recipient of an email that it has been sent from a known or trusted sender.


Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.


Spearphishing combines a couple of attack techniques

  • Social Engineering

By researching a company (departments, key staff & executives) an attacker can target specific individuals and roles such as the finance department.

  • Email Spoofing

By forging the headers of emails the attacker attempts to fool the recipient into believing that the email was actually sent by a known and trusted source (e.g. the Finance Director or MD).

Counter Measures

Vigilance, Training & Process People in positions of authority within organisations need to be vigilant and aware of threats and attacks.

Email is just one vector for such attacks alongside other communications channels including postal letters, FAXes and phone calls.

Here are a few things we suggest you consider:

  • Internal communications ensuring staff, especially those most exposed to the risk (e.g. executives and management, finance staff) are made aware of the threat and risks.
  • Training: Specialist training organisations offer courses to help educate staff about the threats and risks faced.
  • Internal company policies and workflows should also protect the company from losses due to an individual member of staff being compromised (e.g. dual sign-off).

Password Alert Chrome Extension (Chrome Web Store link)

The Password Alert Chrome Extension is provided by Google and can be added to a user’s Chrome Browser.

It warns and stops users if they visit a fake Google Sign-in web page.

Such pages are created by criminals to trick Google users into entering their login credentials (username/password) into a faked page where they are harvested and then can be used to gain unauthorised access to the user’s Google account.

2-Step Verification (Set up 2-Step Verification)

Check out our tip and see how 2-step verification can add an extra layer of security for your users.

Remember… The verification code can be generated by a number of methods, including SMS TXT, Authenticator App, FIDO keys (USB “key”).

Email Authentication

The email industry and standards bodies continually innovate in an attempt to secure against new threats.

The practice of Email Authentication has evolved to develop specific counter measures in reaction to the threat of Email Spoofing.

Businesses can utilise best practices and methods to protect themselves from attacks such as spearphishing by adopting Email Authentication comprising:

  • an open standard specifying a technical method to prevent sender address forgery
  • DKIM – DomainKeys Identified Mail (
  • DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication
  • DMARC – Domain-based Message Authentication, Reporting & Conformance (
  • builds on the widely deployed SPF and DKIM protocols, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email

Adopting Email Authentication

To adopt the Email Authentication methods requires changes to be made to the DNS (Domain Name Service) records for the domain(s) to be protected.

Adoption requires careful planning and execution as mistakes or omissions can lead to the disruption of email flow.

Google Links: