Spear Phishing

Targeted Social Engineering Attacks

From , former About.com Guide

Where phishing is a broad-stroke attack that tries to net as many victims as possible at once, spear phishing focuses on a select few targets, often just a single individual. A typical spear phishing email contains (seemingly) confidential or personal details in order to appear legitimate. The names of business colleagues, friends, or family may also be included in the email, increasing the odds that it will be believable.

So how do these spear phishers gain the type of knowledge needed to pull this scam off?

Social networking sites such as Facebook, Bebo, or MySpace are one method. Anyone on your friend list has access to a fair amount of personal information about you, your family, and your job. Avoid promiscuous friending - only friend people you actually know and trust.

Search engines can also reveal many personal and business details about you. It's a good idea to keep tabs on what public information search engines have on you. You don't need a paid service to do this; just pull up your favorite search engine, type in your name, and read through the results.

Those in sensitive sectors should also monitor the type of information discoverable about their spouse and children. Social engineering attackers have been known to target family members as well.

Classified ads can persist in search engine caches even after the ad has been pulled or expired. Be cautious when posting to Craigslist or other online classified ad services - use disposable email addresses and don't divulge personal details such as home address in the ad.

Press releases and news articles can contain enough information for social engineers to compose a plausible-sounding email targeting a specific business executive.

Blizzard games such as World of Warcraft and StarCraft 2 can reveal real names associated with the accounts. Cataclysm and StarCraft 2 will merge those real names with Facebook accounts. This creates another vector for social engineering attackers. Those most at risk of in-game spear phishing are players who work in sensitive sectors such as the military or government.

©2012 About.com. All rights reserved.

A part of The New York Times Company.