What do you get when you blend phishing and targeted social engineering? A highly effective concoction known as spear-phishing.
What is spear-phishing
“Spear-phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim, often for malicious reasons.”
Bottom line? Cybercriminals want to lure you in to obtain personal information which can be used to access your bank accounts or create a new identity.
The reason why spear-phishing is so effective is that it’s so personalized. With typical phishing, you may receive spam-like, generic emails. But with spear-phishing, cybercriminals are taking a great deal of effort to make the message particularly interesting to YOU.
Spear-phishing telltale signs
Because of the personal level of spear-phishing emails, it’s tricky to identify them. But they have some things in common which you can recognize when you look at them carefully. This is what to watch out for when checking your mailbox:
- Check the sender's actual address against the display name. Cybercriminals very often put the name of a person or organization you know well in the display name, while the actual sender address is something else entirely. This is called display-name spoofing. To see what's hidden behind the display name, hover your mouse over it or click on it to reveal the address the email really came from.
- Beware of any message that pressures you to act urgently. We bet it's a scam: no legitimate organization will ask you to act immediately and send your personal information by email.
- Watch out for every link you receive, even if you're absolutely sure it's legitimate. To check one, simply hover your mouse pointer over the link (but don't click) and the real destination will appear in the status bar near the bottom of your browser window. You can also copy the link and paste it into the browser's address bar (but don't use "paste and go") to inspect whether it's legitimate before visiting it.
- Be suspicious of every attachment you receive, especially when you don’t expect one. Getting your device infected by opening an attachment takes seconds, while restoring it can take weeks.
- Watch out for unusual signatures, strange greetings and grammatical mistakes. Cybercriminals are getting more sophisticated in their work, but these errors still occur often and are the plainest sign that something's wrong with the email you've just received.
- Watch out for emails which suggest that the normal process used by your bank or electricity provider has changed. Spear-phishing emails may look real, but they will likely ask you to do something unusual.
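The first three signs above (display-name spoofing, urgency wording, and a link whose visible text disagrees with where it really goes) can be checked mechanically. The script below is an added example, not code from the original post: it runs those heuristics over a constructed sample message, and the domains, addresses and wording in it are invented for illustration.

```python
"""Heuristic checks for common spear-phishing signs, run over a constructed sample
(added example; the message, domains and addresses below are made up)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: display name claims a known bank, real sender domain differs,
# urgent wording, and a link whose visible text disagrees with its href target.
SAMPLE_EMAIL = b"""From: "First Example Bank Support" <alerts@mail-example-verify.test>
To: victim@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<p>Dear customer, please verify your account immediately or it will be suspended.</p>
<p><a href="http://login.example-verify.test/acct">https://www.firstexamplebank.test/login</a></p>
"""

URGENT_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "act now")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)

def host_of(url):
    """Return the lowercased host part of an http(s) URL, or '' if none."""
    m = re.match(r'https?://([^/:?#]+)', url, re.I)
    return m.group(1).lower() if m else ""

def check_message(raw: bytes, known_sender_domain: str):
    """Return a list of warning strings for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Sign 1: a display name is shown, but the address is not from the expected domain
    if display and sender_domain != known_sender_domain.lower():
        warnings.append(f"display-name spoofing: '{display}' but sender domain is {sender_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # Sign 2: pressure to act urgently, in subject or body
    haystack = (msg.get("Subject", "") + " " + text).lower()
    hits = [w for w in URGENT_WORDS if w in haystack]
    if hits:
        warnings.append("urgency wording: " + ", ".join(hits))
    # Sign 3: link text shows one site, href points at another
    for href, label in ANCHOR_RE.findall(text):
        shown = URL_RE.search(label)
        if shown and host_of(shown.group(0)) != host_of(href):
            warnings.append(f"link mismatch: shows {host_of(shown.group(0))}, goes to {host_of(href)}")
    return warnings
```

Run `check_message(SAMPLE_EMAIL, "firstexamplebank.test")` to see all three warnings fire on the sample; the known sender domain is the one you would expect the named organization to mail from.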
What to do when you receive a spear-phishing email
When you receive a suspicious email, remember that it's not enough to simply delete it. Report it to your organization (so they can remove it from your colleagues' inboxes) OR do the following from your personal device:
- Report a phishing scam to Microsoft by forwarding the entire message to them. You can also use the Phishing Report button, which you can add to Outlook.
- Go to the US-CERT service. It's an official, US government-operated website which deals with scams. Forward them the suspicious email.
- Visit the Anti-Phishing Working Group and forward them the scam you received.
- Another place to go to is the Federal Trade Commission. They even have a section dedicated to coronavirus phishing scams!
- The FBI has its own Internet Crime Complaint Center where you can file a complaint.
- You can also forward the email to your email provider such as Google.
Remember that both phishing and spear-phishing are crimes and need to be treated as such. You wouldn't just forget about someone stealing your wallet, so why should you forget when someone tries to steal your data?
Let’s fight this battle together!