What is Spear Phishing?

We’ve all heard about phishing emails and scams. This is where a hacker requests general information from you using generic terms that apply to a large amount of people, looking for a couple people to fall for the scam and give the hacker personal information. This information is then used to hack other online accounts, access company or home networks, or steal identities for nefarious reasons.

But what about “spear phishing”? No, this isn’t sport of free-diving and using a cool looking spear gun to get fish. Spear phishing is a relatively new take on the phishing email. Instead of using generic terms and requests, they specifically target the user. Some times this is just using company names and information to make it seem like a real email. Other times the hacker really did their homework and knows who to ask for specific information, and who to make it look like it was from.

Here are some things to watch for while trying to determine if an email is spear phishing or legitimate.

1. Email from a “friend” Familiarity is key. Spear phishers know that an email from a friend is more likely to get a response. The hacker knows your name, your email address, and at least a little about you. The opening like is friendly and personalized. Some times the email acts like a new third party and uses terms like “a mutual friend”. Sometimes its about a recent purchase you’ve made. Be cautious when an email makes something sound urgent, or gives a specifc time-frame about some needed action, furthering your urge to act before thinking on this friendly email.
2. Using your web presence against you Use social media? Have your email address listed on the company website? Have a personal website that has your contact information? These things contribute to your web presence, and make you a better target for spear phishers. The more information they can find on you online, the more likely they’ll try to trick you; and since they know so much, the more likely they are to succeed. You buy a new car. You want to post that bad boy online as quick as possible to show your friends. Spear phishers see this, you’ll start getting emails about warranty, oil changes, and other services (coupons!!!!) from dealers; but its not the dealers. The spear phishers aren’t even there to service your car; they want your information and to run.
3. Loose lips sink ships Have a secret? How hard would it be to figure out that secret? Look at your online presence (yes, include your facebook page). How much information about you can be easily seen to put together a scam targeting specifically you? Even worse yet, do you use the common password recovery question “Whats the name of your favorite pet?” and that pet’s name is on your facebook page? The more “secrets” you put out, the easier it is to be a target.
4. Keys to the Kingdom Think about your passwords. Do you use just one, or variations of just one? Your passwords should be thought of as keys to the door to your house, office, car, safe, friends house, etc. If they are all the same, a burglar only needs one key to get in easily. Also, in a less malicious sense, if they are all the same then when you lend someone a key to help you at home, now they have access to your office and car, and safe, and friends house.
5. Modern tech should be modern You have a fancy computer with some fancy software on it that is flashy and new. Well, at least it was last month. Modern technology is fast, and makes things easy. But its constantly being updated, for good reason. If you aren’t installing those updates on a regular basis, you are missing out on new features, performance upgrades, and security improvements. Yes, you should update your Mac too. Holes are found in software all the time, and if you leave them open, those holes can really hurt.
6. Be Smart Think about it. Whould your friend come out-of-the-blue asking for your email password? Would Apple lock you out of your iTunes account in 24-hours becuase of strange activity being performed now? No. Your friend wouldn’t ask for your email password, thats rude. Apple wouldn’t lock you out of your account in 24-hours due to suspicious activity, they’d do it now, and then email you how to get back in. And on a side note, if you Google search for help and a phone number is presented in the search results, don’t call it. If you think something is too good to be true, or not how you expected to be notified about anything, then chances are its a scam.

Most scams can be caught if you slow down and consider the email they sent. Hover over the links with your mouse, do they have a strange website its trying to take you? Did you expect to receive the email requested a password reset? Does Mary from accounting normally ask for a wire transfer to an off-shore account? If the answer is no, then you have discovered a phishing email. Congratulations!