Many scammers are generalists. They cast a wide net, targeting large numbers of people at random and hoping one or two might fall for the scam. However, there are also fraudsters who work in a more targeted manner – honing in on individual victims with higher quality, more personalized communications.
This targeted fraud is known as spear phishing. Because it’s more sophisticated than other types of phishing fraud, it can also be trickier to identify. Here’s what you need to know to protect yourself from becoming a victim.
Spear Phishing vs. Other Phishing
Phishing is the term given to a fraud tactic wherein the criminal contacts a potential victim via email, text message or telephone to try and convince them to reveal personal information, download malware, share passwords, or take another harmful action. Phishers usually develop a general strategy and message, then approach a large number of people at the same time. These communications tend to be clunky and not very convincing.
Spear phishing, on the other hand, is much more targeted. The spear phisher will choose one specific organization or even one specific victim, then approach with a customized message that appears to be coming from someone the victim knows and trusts, or has a reason to respond to.
Identifying Spear Phishing
By now, many people have trained themselves to recognize a normal phishing attack. They are wary of general messages asking for sensitive information, and can quickly spot the red flags of fraud.
The problem with spear phishing is that the communication won’t look like a normal phishing attack. It will look like the message is coming from a trusted and known individual, such as an old friend or a manager from another department at work. The fraudster may mention personal information, have a casual tone that sounds natural, and use an email domain name that looks accurate and official.
Because spear phishers carefully avoid the usual red flags, it’s important to know some of the most common attacks so you can protect yourself. Watch out for:
- Financial Issues: The fraudster will make it look like your bank or payment platform, like PayPal, is emailing you about an account issue. The email may request that you click a link to fix it, which could download malware or take you to a fake login page, where information you provide will be stolen.
Protect yourself by reading the email address very carefully. Don’t click on any links – simply log in to online banking via your own platform, like usual. If you have any doubt, call your credit union or bank and ask about the issue.
- CEO Scam: Here, the criminal poses as a CEO or high-ranking individual in an organization, and asks the victim to complete an action urgently. This could be downloading a file, sharing information, or transferring money.
Double check the email address – sometimes one or two letters will be different. Read the communication carefully for signs of fraud; for example the signature line might not match your workplace’s usual style. Don’t respond to the email. Instead, find the individual’s contact details through an official channel and get in touch that way.
- Family or Friend: A spear phisher may pose as a friend or family member and ask you to download something or click a link. A recent example happened on Facebook, where victims received a link from someone who looked like a friend, with a message that read: “Is this you?”
Be wary of communications from people you haven’t heard from in awhile. Don’t click any links, in text messages or Facebook messenger if you’re unsure. If the person’s tone is urgent, asking you to complete an action fast, be suspicious. Call them on another platform to confirm.
Other Ways to Protect Yourself
Overall, here are some ways to stay safe from spear phishers:
- Keep virus technology updated and immediately exit sites if a threat is detected
- Know official contact numbers for your credit union, bank and other financial institutions, and use these whenever you’re unsure about a communication
- Make a habit of reading senders’ full email addresses, not just their nickname which can easily be spoofed
- Be wary of any digital communication requesting immediate action – time pressure is a key tool of scammers
- Change passwords often, especially after a suspected attack
- Look out for odd wording and grammar, as in this example of spear phishing from the IRS