Spear Phishing: Like Shooting Phish in a Barrel

You’ve probably heard of phishing, but it has evolved significantly. There’s a new threat out there now, one that’s more targeted, more devious, and designed specifically to trick YOU: spear phishing.

As a quick refresher: phishing is defined as “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” And with so much information about you online, malicious hackers can take a little info and do a lot of damage.

Most phishing happens by casting a wide net through mass emails in the hope that one or two gullible individuals will send the info requested. But as filtering technology improves and more of those mass emails get blocked, criminals get smarter. Welcome to spear phishing!

Spear phishing takes phishing to a new level. You’re no longer looking for any target; you’re focused on one specific target. With spear phishing, criminals research a specific person and use what they learn to trick that person into giving up information. Take the following scenario:

Phil has targeted Jenny, who works for XYZ company, which he found out by looking at LinkedIn. He finds her on Facebook to see what her hobbies are, who her friends are, what she does after work, who her boss is, and maybe her upcoming vacation plans. Phil does more digging to find out that Jenny’s boss is out of town on business for the next two weeks. Phil creates a bogus email account that looks a lot like Jenny’s boss’ email. At 4:45 on a Friday before her vacation, Phil sends an email to Jenny asking her to resend him bank account information that he needs so he can finalize a deal. He mentions her vacation with her sister in the email to make it seem like her boss. Trying to respond quickly, Jenny doesn’t see the account is fake and sends the info. Phil then sends millions of dollars to himself offshore.
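The weak point in the scenario is the "bogus email account that looks a lot like Jenny's boss' email." Below is an added example, not code from the original post, of the kind of sender check a mail gateway or help-desk script can run on the From header before a message reaches the inbox. It flags two patterns: a display name that matches someone in the company directory but an address outside the company domain, and a sending domain that is a near-miss (digit-for-letter swaps, a dropped hyphen) of the real one. The company domain, the directory and the sample headers are constructed for illustration.

```python
"""Flag look-alike senders in email From headers.

Added example (not from the original post). The corporate domain,
directory and sample headers below are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed: the organisation's real domain and a directory of people
# worth impersonating (lower-cased display name -> real address).
CORPORATE_DOMAIN = "xyz-company.example"
DIRECTORY = {
    "pat boss": "pat.boss@xyz-company.example",
}

# Substitutions commonly used to make one domain look like another.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Lower-case the domain and fold common look-alike substitutions."""
    folded = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'ok', 'display-name-spoof', 'lookalike-domain' or 'unparseable'."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "unparseable"
    domain = addr.rsplit("@", 1)[1]
    if domain == CORPORATE_DOMAIN:
        return "ok"
    # A known person's display name on an external address is the
    # "looks like the boss" trick from the scenario.
    if name.strip().lower() in DIRECTORY:
        return "display-name-spoof"
    # A domain that equals ours after homoglyph folding, or is within two
    # edits of it, is a registered look-alike rather than a random sender.
    if (normalize_domain(domain) == CORPORATE_DOMAIN
            or edit_distance(domain, CORPORATE_DOMAIN) <= 2):
        return "lookalike-domain"
    return "ok"


def triage(headers: list[str]) -> dict[str, str]:
    """Classify a batch of From headers; useful for a daily gateway report."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    # Constructed sample headers, one per case the check covers.
    samples = [
        "Pat Boss <pat.boss@xyz-company.example>",        # genuine
        "Pat Boss <patboss.travel@freemail.example>",     # boss's name, outside domain
        "Accounts <ap@xyz-c0mpany.example>",              # zero for letter o
        "Accounts <ap@xyzcompany.example>",               # hyphen dropped
        "Newsletter <news@unrelated.example>",            # ordinary external mail
    ]
    for header, verdict in triage(samples).items():
        print(f"{verdict:20} {header}")
```

A gateway would typically quarantine or tag the two spoof verdicts rather than silently drop them, and log them so the security team sees who is being impersonated. Display names are free text and the edit-distance threshold is a heuristic, so this check reduces the volume that reaches people like Jenny; it does not replace the phone call in tip 3 below.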

Unfortunately, just one individual can incapacitate an entire business. In March of this year, an Atlanta city employee clicked on a link in an email that took every computer in the city down for 5 days and resulted in $9.5 million in recovery funds. The city is still recovering four months later.

While anti-virus and spam filters can eliminate many of these threats, some still slip through the cracks. And sometimes the curious just can’t seem to leave innocent-looking emails alone, even when they’re sitting in the junk mail folder. So what do you do? Here are three things that can help protect you and others:

  1. Educate everyone. It only takes one person to cripple the entire organization.
  2. Never click anything in an email that seems phishy, no matter how innocent it looks.
  3. If you’re not sure whether a request is legitimate, pick up the phone and ask. Your boss will thank you. Your spouse will thank you. Your co-workers will thank you.