Spear Phishing Attacks – This Time It’s Personal

In November 2017, we discussed the dangers of email phishing scams and how to avoid becoming a victim. In this edition, we look at a type of phishing attack called spear phishing. Spear phishing is a phishing attack that targets a particular individual or group of people within an organization. Spear phishing attacks can be difficult to identify because the messages are tailored to the recipient, which adds apparent legitimacy. Often the potential victims are convinced that the email comes from a reliable source and are ready to take the requested action without questioning it. Because these emails appear to come from a ‘trusted’ source, users may let their guard down and be tricked into giving away sensitive information (e.g., credit card, account number, SSN, etc.), opening an infected attachment, clicking on a malicious link, or even sending money.


Just because an email is personally addressed to you or demonstrates a certain level of familiarity, remain wary and adhere to the following guidelines to avoid being spear phished:

  • Use special caution with an email that:

      – Requests confirmation of personal or financial information with high urgency.

      – Requests quick action by threatening the user with alarming consequences.

      – Is sent by an unknown sender.

  • Never divulge personal information via phone or on unknown websites.

  • Do not click on links, download files, or open email attachments from unknown senders.

  • Beware of emails that ask the user to contact a specific phone number to update user information.

  • Never divulge personal or financial information via email.

  • Beware of links to web forms that request personal information, even if the email appears to come from a legitimate source. Phishing websites are exact replicas of legitimate websites.

  • Beware of pop-ups; never enter personal information in a pop-up screen and don’t click on a pop-up.

  • Be sure to make online transactions only on websites that use the HTTPS protocol. Look for a sign that indicates that the connection is secure (e.g., a padlock on the address bar). Keep in mind that HTTPS protects the connection, not the identity of the site, so a padlock alone does not prove a site is legitimate.

  • Beware of phone phishing as well. Never provide personal information over the phone if you receive a call.

  • Never post personal information, such as a vacation schedule or photos of your home, on social media. Never click on links or videos of unknown origin, and never download applications from websites that show certificate warnings.

  • Check your online accounts regularly to ensure that no unauthorized transactions have been made.

  • When in doubt about a request, pick up the phone and call the requester, using a number you already have rather than one provided in the email.
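The guidelines above can be turned into a simple triage check. The following Python script is an added example, not code from the original newsletter: it parses a raw email message and reports the indicators the guidelines warn about (urgent language, threats, requests for personal or financial data, "call this number" requests, a Reply-To that does not match the sender, a display name that impersonates another address, and links whose visible text names a different host than the real destination). The two sample messages, and every domain and phone number in them, are constructed placeholders.

```python
"""Heuristic spear-phishing indicator check for a raw email message.

Added example (not part of the original newsletter). The sample messages
below are constructed; the domains, names and numbers are placeholders.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|within \d+ hours?|right away|asap)\b", re.I)
THREAT = re.compile(r"\b(suspend(ed)?|terminat(e|ed)|locked|legal action|penalty)\b", re.I)
PERSONAL = re.compile(r"\b(password|ssn|social security|account number|credit card|card number|date of birth)\b", re.I)
# "call ... <phone number>" within one sentence
CALLBACK = re.compile(r"\bcall\b[^.\n]{0,60}?(\+?\d[\d\-\s().]{7,}\d)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _bodies(msg):
    """Concatenate all text/plain and text/html parts of the message."""
    text, html = "", ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_type() == "text/html":
            html += part.get_content()
    return text, html


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the spear-phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    # Reply-To steering replies to a domain other than the visible sender's
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to domain differs from sender domain")
    # Display name that shows an address the real sender does not match
    name_match = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if name_match and name_match.group(1).lower() != _domain(from_addr):
        findings.append("display name shows a different address than the real sender")
    text, html = _bodies(msg)
    body = text + " " + re.sub(r"<[^>]+>", " ", html)  # strip tags for keyword checks
    if URGENCY.search(body):
        findings.append("urgent language")
    if THREAT.search(body):
        findings.append("threat of negative consequence")
    if PERSONAL.search(body):
        findings.append("request for personal or financial information")
    if CALLBACK.search(body):
        findings.append("asks recipient to call a phone number")
    # Links whose visible text names one host but whose href goes elsewhere
    collector = _LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:
        shown_host = _host(shown if "://" in shown else "http://" + shown) if "." in shown else ""
        if shown_host and shown_host != _host(href):
            findings.append(f"link text '{shown}' points to {_host(href)}")
        elif href and not href.lower().startswith("https://"):
            findings.append(f"non-HTTPS link to {_host(href)}")
    return findings


# Constructed sample: a spear-phishing style message (placeholder domains/numbers)
SUSPICIOUS = """From: "ceo@corp.example" <notice@mail-relay.example>
Reply-To: desk@other-relay.example
To: staff@corp.example
Subject: Urgent: confirm your account details
Content-Type: text/html; charset="utf-8"

<p>Your payroll account will be suspended unless you confirm your password within 24 hours.</p>
<p><a href="http://login-verify.example/portal">https://corp.example/portal</a></p>
<p>Or call 1-800-555-0199 immediately.</p>
"""

# Constructed sample: an ordinary internal reminder
BENIGN = """From: "Payroll Team" <payroll@corp.example>
To: staff@corp.example
Subject: Reminder: timesheets due Friday
Content-Type: text/plain; charset="utf-8"

Please submit timesheets by Friday. Thanks!
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, phishing_indicators(sample))
```

Keyword lists like these are a starting point for a mail-gateway rule or a user-facing "why was this flagged" banner, not a verdict on their own; the header and link checks (Reply-To mismatch, display-name impersonation, mismatched link text) are the more reliable signals because they do not depend on the attacker's wording.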

To close, remember that if you have the slightest doubt or hesitation about an email or request, don’t act on it. It’s simply not worth it.