Here's your crash course in spear phishing.

It's a targeted attack at a specific person, or entity. 1/9

Threat actors engage in spear phishing in order to gain a form of control over a system. Sometimes that means operational capability, sometimes it just means observational capability. 2/9

Spearphishing attacks happen all the time. Usually it's through an email, but it can be sophisticated, like a thumb drive curiously placed by your car, or an MMS message. The point is to get you to open a "file" and trigger a payload.

You could think of it as a Trojan horse 3/9

Targets are picked through social engineering. Let's say I want to take over a power plant. Find the guy who works the night shift, and get all public data (name, address, parents, kids, etc.) 4/9

After you find all their public stuff, you move on to all the semi-private stuff. Do they post on social media? What are their fav. movies? Music? Habits? Hobbies? Special skills? 5/9

If it's a hardcore financial attack, you COULD start looking on databases to see if they've been pwned before. Were they on Ashley Madison? Were they busted via Target? Equifax? Yahoo? Whatever financial data you can get, add that to your spreadsheet of pwnage. 6/9

After you've built a fairly comprehensive profile of the person, you start looking for ways to get them to "click" something. The easiest thing to do is one of those, "This is your bank/soc. media/cable co., you need to change your password. Click this link!" 7/9

Other times you use the social profile you've built to convince them to click on something. Maybe it's a picture, a song, a new game -- the point is to force them to click a spoofed/fake file that deploys the payload. 8/9

You put a lot of information out online, and a lot gets hoover up every day. Reverse engineering someone in the digital age is astonishingly easy since we've all been putting this stuff online for two decades. It's just a matter of putting the pieces together. 9/9