What is spear phishing? Can you prevent it?

Phishing scams – where you receive fraudulent messages pretending to be from a trusted sender designed to trick you into revealing personal data – have unfortunately become widespread and the criminals behind them have refined their techniques. For example, there are phishing phone calls (called “vishing” for voice-phishing) and phishing text messages (“smishing” for SMS-phishing).
Several padlocks and combination locks caught on a fishing hook
Protect yourself against scammers who are phishing for your password
And there is “spear phishing,” a specific form of email phishing that targets individual users.

Spear phishing vs phishing

As people become more aware of the general danger posed by phishing, the cybercriminals are targeting their scams more closely to make them harder to detect. To do so, they comb social networks and other public sites to find enough information to send a convincing email to an individual that seemingly comes from a person or business they know and contains personal references. Think, for example of the information about you that might be found through your social media profiles or posts – your email address, the names and profiles of some of your friends, relatives, and coworkers, recent purchases you have been excited about, or places you have visited.

How does spear phishing work?

Armed with the information they have found about you, an attacker can send you an email claiming to be your cousin who is currently on a trip – using their real name and location – begging you to send money because their wallet and credit cards were stolen. Or a friend asking for user names and passwords so they can access photos you have posted. Or an online shopping site citing a problem with a gadget you recently bought and asking you to click a link for the product recall information. The scammer’s aim is to gather enough sensitive information to access sites like your online banking or even steal your identity, or to trick you into downloading computer viruses or spyware.

Protect yourself from phishing scams

Probably the most important rule in avoiding any type of phishing scam is to think before you click. When you receive an email, make sure that the sender’s name is spelled correctly and that the email address actually matches the name. Mouse over links in emails to see the real URL. Make sure that nothing seems “off” about the email –  for example the spelling and grammar, or an urgent tone that is trying to pressure you. Whenever there is the slightest doubt, don’t click on links or download attachments!

However, as we explained above, even a message that seems to pass the sniff test could be a carefully crafted spear-phishing hoax. So it pays to take the extra precautions listed below:

Five steps you can take to prevent spear-phishing attacks

  1. Be smart about your passwords. Don’t use the same password or slight variations for multiple sites. Otherwise anyone who gets their hands on your password will have access to all of your accounts. Experts recommend using long passwords with a mix of characters for maximum security. Do not save passwords on devices that others can access.
  2. Be careful about posting your personal data on the internet. Check your online profiles to see what information is available to the public eye. Don’t post anything publicly that you wouldn’t want a potential scammer to see – and make sure your privacy settings are configured accordingly.
  3. Never, ever reply to an email or click a link that requests your personal data or login information. Remember that legitimate businesses or financial institution will not send you emails asking for your user name or password. In fact, they often will only contact you using a separate inbox that you have to access by logging into your account.
  4. Activate two-factor authentication on your sensitive accounts. This adds an extra verification step to the login process, such as entering one-time code generated by a separate application. This may seem like an unnecessary effort, but if you do accidentally give a cybercriminal your password, they still won’t be able to get into an account that has 2FA protection.
  5. When in doubt, reach for the phone! If your boss or friend is really having an emergency, they’ll be pleased if you check in. If your daughter actually needs the Netflix login, you can tell her over FaceTime or text her directly. Don’t be pressured into responding to an email when you can easily check its legitimacy with a quick call.
We hope this information will help you avoid spear-phishing scams. We look forward to your feedback below!

Images: 1&1/Shutterstock
 

7 people found this article helpful.

Related articles

What is ransomware?

Phishing emails: How to protect yourself

Spamhaus, bounced emails and blocked IP addresses