Spear Phishing

Here’s a true and alarming story that’s also, unfortunately, becoming a common occurrence. Anyone reading this who works with sensitive company information should take note.

An executive assistant received an urgent email from her boss, the company president. The email directed her to wire funds immediately to a vendor—the vendor was going out of town and needed an outstanding invoice paid right away.

But something didn’t seem right to the assistant. The request was out of the ordinary, so she didn’t send the money, even though she was worried about what her boss would do.

But it was very good that she trusted her instincts because the email wasn’t from her boss at all—it was from a con artist. That company was lucky.

Every year, thousands of companies aren’t so fortunate. More and more firms are losing money or sensitive data to online thieves, thanks to a scam call spear-phishing, which is similar to another scam that you likely have heard of or even experienced firsthand.

Phishing: Getting caught in a big net.

Online scams come in a variety of styles, and one version is called phishing.

Online con artists will often send mass emails to an email list they’ve compiled…and your address might be included. The message, which seems to come from your bank or another large company such as PayPal, typically sounds urgent. It may say your account is about to be closed so you must take action immediately to avoid problems.

There’s usually a link provided that will take you to a website where you can take care of matters.

And it’s all a scam. It may look 99% authentic on its surface, but it’s likely a 100% fake. You and hundreds of other potential victims will receive the same message—and many will fall for it.

Spear phishing takes phishing to the next level. Here’s how.

Getting speared by a con.

Spear phishing is an email scam that targets an individual specifically—often at their place of work—by name and their work title or position.

The targeted employee likely has access to sensitive company information or company funds.
The email will appear to come from someone known within the company—someone with decision-making power and influence, such as the CEO, a supervisor, the marketing director or a top salesman.
The email sounds urgent and demands a specific action or transaction, which could be sending/wiring money, opening an email attachment or providing sensitive company records or information.
The loyal and diligently employee, often busy with other work, does as requested, and the scam is completed.

Be on the lookout.

There’s a clear telltale sign of a bogus, spear-phishing email that looks genuine but isn’t:

The sender’s email address.

The scammer will do his best to imitate the real email address of the person he is impersonating, but there will always be a slight (or not so slight) difference. You can use this valuable piece of information to your advantage whenever you get such a request from “someone you know.”

Here’s how:

If an email seems a bit suspicious from someone you know, check previous emails from the same person—previous messages that you know are legitimate—and compare them to the suspicious one.

What’s your best defense?

Can software or hardware help you catch a spear-phishing attempt? Not really. An antispam program will do its best to flag and quarantine emails that seem suspicious, but spear-phishing attacks aren’t part of a large spam-email campaign.

However, you can take suspicion and caution to a higher level: With your awareness, antennae and guard up, you, your family and coworkers can make subtle observations and spot hard-to-see red flags where antivirus programs cannot.

Remember, spear phishers are hoping to catch you when your guard is down—but if you know their tricks, you won’t be the target that gets speared.