
Spear Phishing Alert

Infographic: Spear Phishing Attack Cycle.

What is a spear phish?

Spear phishing is email targeted at specific individuals or organizations, sent with the intention of persuading the recipients to reveal confidential information such as usernames, passwords, or other sensitive data. Unlike phishing, which involves mass-emailing, spear phishing is small-scale and well targeted: the attacker emails users in a single organization. The emails may appear to come from another staff member at the same organization, asking you to confirm a username and password or to send sensitive data.

Criminals who send spear phish messages tend to personalize them so that they look official and believable. These messages are often spoofed to appear to come from a trusted person, company, or internal department. A few examples would be:

  • an email from a trusted department that might plausibly need such details, such as IT, Human Resources or Finance.
  • a message from your IT department regarding matters such as mailbox sizes, website maintenance or a locked-out account.
  • a message from another member of staff at the same company asking you to confirm a username and password.

The email may try to direct you to a bogus version of the company website. If you reply, or enter your details on that site, the phisher takes the submitted details and misuses them.

The spear phisher can easily generate the victims' addresses by using software that combines given names and family names. These addresses and names could also be pulled from the web or from other email lists. The phisher may also send these messages to a single domain only, which makes it less likely that the message will be detected as spam.
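The spoofing described above (a message that claims to come from a trusted internal department or staff member, and a link to a bogus copy of the company website) leaves traces in the message headers and links that a mail filter or a careful reader can check. The following is an added example, not code from the original page: it flags a display name that looks internal but comes from an external address, a lookalike sender domain, a Reply-To that differs from the sender, and links to lookalike hosts. The organization domain `example.com`, the internal department names and the sample message are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # constructed placeholder for the real company domain
# Constructed list of internal display names a phisher might impersonate.
INTERNAL_NAMES = {"IT Helpdesk", "Human Resources", "Finance"}

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def lookalike(domain):
    """True if domain resembles ORG_DOMAIN without being it or a subdomain of it."""
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return False
    return ORG_DOMAIN.split(".")[0] in domain  # e.g. 'example-com.net'

def spear_phish_indicators(raw):
    """Return a list of human-readable indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, reply = parseaddr(msg.get("Reply-To", ""))
    flags = []
    if name in INTERNAL_NAMES and from_dom != ORG_DOMAIN:
        flags.append("internal display name, external address")
    if lookalike(from_dom):
        flags.append("lookalike sender domain")
    if reply and domain_of(reply) != from_dom:
        flags.append("reply-to differs from sender")
    # Check every link host in the body against the company domain.
    for host in re.findall(r"https?://([^/\s]+)", msg.get_payload()):
        if lookalike(host.lower()):
            flags.append("link to lookalike host: " + host)
    return flags

# Constructed sample message resembling the 'mailbox size' lure described above.
SAMPLE = """From: IT Helpdesk <helpdesk@example-com.net>
Reply-To: support@mail-reset.org
To: alice@example.com
Subject: Mailbox full - action required

Your mailbox is over quota. Confirm your account at
https://example-com.net/login within 24 hours.
"""

if __name__ == "__main__":
    for flag in spear_phish_indicators(SAMPLE):
        print("INDICATOR:", flag)
```

A genuine internal message (sender and links on `example.com` or its subdomains, no divergent Reply-To) produces no indicators.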

How do they know who to target?

The more that cyber criminals learn about your company, the more believable their phishing attempts will appear. The spear phisher can acquire this information in many ways, including:

  • From previous successful attacks such as data-stealing malware.
  • From private company documents such as phone directories or organizational charts that show up in search engines.
  • From your company’s social networking pages.
  • From disgruntled former employees.
  • From data bought from other crooks on the cyberunderground.

What to do?

If a phisher, or spear-phisher, emails you, then YOU become the primary line of defense, no matter what technological protections your sysadmins may have in place. Your simplest and most general defense is this: caution!

In the words of NCSAM: “Stop | Think | Connect.”

A phisher, or spear-phisher, will almost always require you to act in a non-standard way.

So, keep these tips in mind:

  • Don’t allow yourself to be hurried or harassed into taking shortcuts. Ask for a second opinion.
  • Familiarize yourself with your company’s usual processes. If something looks iffy, ask for a second opinion.
  • If anyone asks you to vary procedure, ask for a second opinion.
  • Never trust outsiders just because they seem to know “insider” facts. Ask for a second opinion.
  • Never use information provided by an outsider (e.g. a phone number or web address) for verification. Use a second source.