Protecting Yourself Against Spear Phishing Scams

Spear phishing is a targeted cyber attack aimed at a specific group of people, such as the employees of a business or the users of a website. The attacker singles out that group and tries to persuade its members to do something, such as hand over private information or credentials, in order to get into their systems. The messages look genuine and appear to come from someone the victim already knows, often a member of their own organization.

For example, a spear phishing email may appear to come from the CEO and ask for company log-ins and passwords.

Here's how it works:

Let's imagine that the CEO of Acme Co is Jane Doe. A spear phisher sends an email to the organization under the name Jane Doe asking for user IDs and passwords for a system audit. The email states that anyone who does not send this information will have their network access terminated and could face disciplinary action. Of course, employees send "her" the information, but it is not actually going to Jane Doe; it is going to John Hacker.

Spear phishing scams are always aimed at a specific group; when the attack is directed at a company's officers and senior executives, it is called "whaling."

There are a number of ways that spear phishers choose their victims.

They may pick a particular industry, then employees of a certain rank within it, and then reuse a plan that has worked for them in the past.

For instance, a spear phisher may pick an HR employee who is easy to reach, such as the one whose email address is published on the company website for job seekers to send résumés to. The phisher then crafts an email that appears to come from a charity the company supports, information that is also available online, and asks the employee to post a link on the company's intranet.

If the employee complies, the scammer has effectively gotten past the firewall: the malicious link is now hosted on an internal page that staff trust. When an unsuspecting employee clicks on it, the link can deliver malware that the antivirus software may not catch, or lead to a page that harvests their credentials.

Lawyers are common targets of these schemes because they are often responsible for holding escrow funds. A spear phisher may contact a lawyer by name, posing as a businessperson from the US who needs help transferring money while overseas.

I was also recently targeted by a spear phisher, in a scam focused on professional speakers. The message I received invited me to speak in England, and once we had agreed on a fee, the scammer asked me to purchase a "work permit" for $850.

You might think you are safe because you don't work in one of these industries, but that is simply not true. People are targeted simply because they have a social media account. Twitter, Facebook and LinkedIn are all well-known hunting grounds for spear phishers. They harvest email addresses from these sites, create email templates that look as if they came from the social media site itself, and may even include the names of your friends or contacts.

Knowing how a spear phisher operates will allow you to understand how to avoid becoming a victim. Here are some safety tips that you should keep in mind:

  • Bypass any links that appear in your email: go directly to the website by typing the address into your browser, or use your password manager's saved entry (a password manager will not fill your credentials on a look-alike domain). I use Roboform.
  • Treat any unsolicited email with suspicion, especially one that creates urgency or threatens consequences.
  • If you are a manager, test your staff's ability to recognize phishing emails.
  • Do not list every employee's email address on your website. Use a web form as an alternative.
  • Regularly search the Internet for your organization's email addresses that have been exposed on other sites without your permission; those are exactly what phishers harvest.
  • Finally, once the steps above are in place, begin sending simulated spear phishing emails to your end users. An automated service makes this easier. This helps to ensure that end users remain on their toes and focused on security.
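As an added example (not code from the original article), here is a small Python checker that applies two of the ideas above to a raw email: it compares the sender's display name against a list of known executives and trusted domains (the Jane Doe / John Hacker scenario described earlier), and it compares each link's visible text with the host it actually points to (the reason for the "bypass any links" tip). The organization details (acme.example, jane.doe@acme.example) and the sample message are constructed for this example.

```python
"""Heuristic checks for a spear-phishing email: sender display-name
spoofing and links whose visible text does not match their real target."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed organization details (hypothetical, for the example only).
TRUSTED_DOMAINS = {"acme.example"}
EXECUTIVES = {"jane doe": "jane.doe@acme.example"}

# Constructed sample: a "CEO" audit request from a look-alike domain whose
# link text shows an internal portal but whose href goes elsewhere.
SAMPLE = """\
From: Jane Doe <jane.doe@acme-mail.com>
Reply-To: audit@acme-mail.com
To: staff@acme.example
Subject: Mandatory system audit
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please confirm your user ID and password at
<a href="http://acme-example-audit.xyz/login">http://portal.acme.example/audit</a>
before end of day. Non-compliance will result in loss of network access.</p>
<p>Our policy is at <a href="https://intranet.acme.example/policy">this page</a>.</p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare domain, without scheme or port."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def _trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_sender(msg):
    """Flag a From: whose display name is a known executive but whose address
    is not theirs, an external sender domain, and a Reply-To that diverts replies."""
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{name}' but address {addr}, expected {expected}")
    if domain and not _trusted(domain):
        findings.append(f"sender domain {domain} is external")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    return findings


def check_links(msg):
    """Flag anchors whose visible text names one host but whose href goes to
    another, plus any link that leaves the trusted domains."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = _AnchorCollector()
    parser.feed(body.get_content())
    for href, text in parser.links:
        shown = _host(text) if re.search(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}", text) else ""
        real = _host(href)
        if shown and real and shown != real and not real.endswith("." + shown):
            findings.append(f"link text shows {shown} but goes to {real}")
        elif real and not _trusted(real):
            findings.append(f"link to external host {real}")
    return findings


def analyze(raw):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {"sender": check_sender(msg), "links": check_links(msg)}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE).items():
        for item in items:
            print(f"[{kind}] {item}")
```

On the sample, the sender check reports the display-name mismatch, the external domain and the diverted Reply-To, and the link check reports the portal link that really goes to acme-example-audit.xyz; the "this page" link to the intranet is left alone because its host is inside the trusted domains. The checks are deliberately simple: they do not resolve redirects or look at SPF/DKIM results, so treat them as a first filter rather than a verdict.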