The New Threat: Spear Phishing
Most people have heard about phishing – the practice of using fraudulent emails to gain access to personal information for the purpose of identity theft. But like any activity, an occasional update in the process is needed. Spear phishing is the new black in identity theft.
The term phishing was coined because of the way that criminals try to gain access to personal information – basically, they cast out a bunch of bait in the form of fraudulent emails, and wait to see who bites. Spear phishing, however, is more targeted.
Just a fisherman would use a spear to target a single fish, spear phishing targets individuals. Whereas criminals might send a single, mass e-mail to a couple hundred thousand people in a phishing attack, spear phishing attacks are customized and sent to a single person at a time.
The spear phishing email usually contains personal information such as a name or some tidbit about employment. They are also unique emails, rather than being the mass “your bank account has been compromised,” type emails that are more common in phishing.
For example, one instance of spear phishing targeted corporate executives with personalized emails about a legal case in which the recipient of the message was allegedly being sued. It was a new scam, so it was easy for executives to assume that it was legitimate and click the link provided in the message. And that’s the point at which the spear pierces the target.
How It Works
A spear phishing email usually includes a link that leads to a spoofed, or fake, web site that requests personal information. It all looks very legitimate, and sometimes even the experts are fooled by spear phishing emails. When the recipient of the message clicks through the link they’re taken to a page on the Web that looks so legitimate it can be hard for even seasoned security professionals to tell it’s a setup.
Other spear phishing emails may contain a downloadable file. They’re just as convincing, often appearing to come from an employer or someone else that’s equally legitimate. But the file contains malware of some kind that, once downloaded to your computer, collects your personal information and transmits it to the criminal when you’re online.
Spear phishing is a difficult scam to catch because the criminals that use this method of stealing identities put extra time and effort into the process. It requires research to gain access to enough information to make you believe the spear phishing email is real, plus it takes time to put together the web sites and messages that are used as bait. The pay-off however, is usually much greater than the rewards of a simple phishing attack.
So, how do you protect yourself?
There’s no guarantee that you can protect yourself from a spear phishing attack. The criminals that use this method are intent on gaining access to your identity, and they’re willing to put in the hard work to reach pay-off. And that means that spear phishing emails are very difficult to tell from any other email that might land in your in-box.
There is good news. At this time, spear phishing attacks seem to be limited to corporate targets. Nearly all of the spear phishing complaints that have been investigated have come from corporate employees. That’s no reason to let your guard down, though.
As criminals become more adept at spear phishing attacks, their targeting will widen, and individuals will fall into the target zone. It would not be surprising, however, to find that spear phishing was limited to the upper class and the upper middle class. This group of people typically has more resources available, and that’s ultimately what spear phishers are looking for.
For a criminal to be willing to put forth the effort needed to successfully use a spear phishing campaign, the draw has to be big – far more than the $31,000 average for most identity theft cases. That means that if you don’t fall into that group of people who are in the upper and upper-middle class, your chances of becoming a victim are much smaller.
Of course, all of the standard cautions apply: never open attachments for stranger, never click through a link in an email, never assume that just because you know the address the email was sent from means it’s safe. In this day, with identity theft literally running rampant, criminals will use whatever email address they can gain access to.
Also never open an attachment, even from friends, colleagues, or co-workers unless you’re expecting it. An email with an attachment that arrives unexpectedly could certainly contain malware, even if it’s not spear phishing malware. Simply requesting that your friends and co-workers notify you before they send an attachment will reduce your risk of becoming an identity theft victim.
Don’t take any chances; if you receive a message or a phone call that seems out of place, scan it for viruses and keep a close watch on your credit reports. It will be frustrating in the beginning, but it will become a habit, just like locking your doors when you leave. And the damage to your identity that you can save over time will more than make up for the initial inconvenience.