Friday, January 8, 2010

Gone Spear Phishing

Yesterday we discussed Phishing, the most common form of social engineering that targets a large number of people in the hopes that someone, anyone gullible enough will take the bait.

Today we move on to Spear Phishing, a focused attack that seems to come from someone you know. Much as a fisherman uses a spear to target a single fish, spear phishing targets individuals. Where cyber criminals might send a single mass email to a couple hundred thousand people in a phishing attack, spear phishing attacks are customized and sent to a single person at a time.

How does spear phishing work?

First, criminals need some amount of inside information on their targets to convince them the e-mails are legitimate. Often criminals obtain this “inside” information by hacking into an organization’s computer network or sometimes by combing through other websites, blogs, and social networking sites.

Once the criminals have your name and whatever other personal information they could retrieve, they send emails that look like the real thing to targeted victims, offering urgent and legitimate-sounding explanations as to why they need your personal data. Just as in a phishing scam, the victims are asked to click on a link inside the email that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, etc.

Unlike phishing scams, where the email is addressed to “Dear Valued Customer,” the spear phishing email usually contains personal information such as a name or some tidbit about employment. They are unique emails, rather than the mass “your bank account has been compromised” type of email that is more common in phishing.

Spear phishing is a greater threat because the email message is addressed to a name and not a generic addressee. In addition, the email may contain other legitimate information about the receiver. The email message might look like it comes from your employer, or from a colleague who might send an email message to everyone in the organization, such as the head of human resources. It might include requests for user names or passwords or might contain malicious software, like a trojan or a virus, but by all accounts, the message appears genuine.

How can you identify Spear Phishing emails?

Spear phishing is a more sophisticated type of social engineering than phishing, but the techniques used to avoid being scammed are the same, except that the cyber criminal now addresses the message to you by name.

Just because the email is addressed to you by name does not mean it is legitimate; be suspicious. If the email asks you to click a link or provide personal information, be wary.

If you do not see "https" in the link, do not proceed. Roll your mouse over the link and see if the pop-up matches what appears in the email. If there is a discrepancy, DO NOT click on the link.
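The two link checks above (is the link https, and does the displayed link match where it actually goes) can be automated for an HTML email body. The following is an added example, not code from the original post; the sample email, the domains in it and the function names are constructed for illustration.

```python
"""Added example (not part of the original post): automate the two link
checks the post recommends for a suspicious email.  The sample HTML body,
domains and function names below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body.  The visible text names one site, the
# actual href points at another, and the link is plain http.
SAMPLE_EMAIL_HTML = """
<p>Dear Jane Doe,</p>
<p>Please verify your account at
<a href="http://secure-login.example.net/verify">https://www.bank.example/</a>
within 24 hours.</p>
<p>Our <a href="https://www.bank.example/help">help page</a> has details.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(text):
    """Return the host named in a string if it looks like a URL or bare domain, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    # Require a dot and no spaces so ordinary words ("help page") are not treated as domains.
    if host and "." in host and " " not in text:
        return host.lower()
    return None


def check_links(html_body):
    """Return (href, reason) findings for links that fail the post's two checks."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme != "https":
            findings.append((href, "link is not https"))
        shown = hostname_of(text)
        if shown is not None and shown != (target.hostname or "").lower():
            findings.append((href, f"displayed text names {shown} but link goes to {target.hostname}"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: {href}: {reason}")
```

Run on the constructed sample, the first link is flagged twice (not https, and the visible text names www.bank.example while the link goes to secure-login.example.net); the second link passes because it is https and its visible text is plain words rather than an address. This is the same comparison you make by hand when hovering over a link, applied to every link in the message.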

If you receive an email requesting your personal information, it is probably a phishing attempt. The whole point of sending phishing email is to trick you into providing your personal information.

If there is a sense of urgency, be suspicious.

If you see misspellings or bad grammar, do not proceed.

What to do if you have responded to a phishing scam

If you suspect you have responded to a phishing scam with personal or financial information, take the following steps to minimize any damage.

Report the incident

Contact your credit card company or bank if you have given your credit information. The sooner an organization knows your account has been compromised, the easier it will be for them to help protect you.

Contact the organization the forged email claims to come from directly, not through the email message you received.

In the United States, report the circumstances to the Federal Trade Commission: National Resource for Identity Theft.

You can also report the phishing scam to the Anti-Phishing Working Group and to the FTC. Visit their websites for further information.

Change all your passwords

Change all your passwords, starting with those for financial institutions or financial information.

Make sure the new passwords are STRONG passwords. What is a strong password?

An ideal password is long and has letters, punctuation, symbols, and numbers.
Whenever possible, use at least 14 characters.

The greater the variety of characters in your password, the better.

Use the entire keyboard, not just the letters and characters you use or see most often.

Don’t be caught off guard

Visit the Internet Crime Complaint Center (IC3) and LooksTooGoodToBeTrue websites for tips and information.

**I hope the research for my latest novel has made you a little more security conscious.**


Shawn Mosch January 8, 2010 at 3:00 PM  

Thank you for sharing this information with your readers. Everyone needs to know the warning signs of scams and fraud, because you always think that it cannot happen to you . . . until it DOES!

Shawn Mosch
Co-Founder of Scam Victims United

Denise January 8, 2010 at 7:25 PM  

Shawn - Thanks very much for your comment.

What a great site you have offering information and support to those scammed. I hope others will visit it.
