What is Spear Phishing?
Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization or individual, seeking unauthorised access to confidential data. Spear phishing attempts are not typically initiated by random hackers; they are more likely to be conducted by perpetrators out for financial gain who have researched their target in advance.
Difference between Phishing and Spear Phishing
- As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source
- Phishing messages usually appear to come from a large and well-known company or web site with a broad membership base, such as eBay, PayPal or CIBC FirstCaribbean's help desk. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual from the recipient's own bank, and generally someone in a position of authority, such as a manager or the administrator who manages the bank's computer systems
Example of Spear Phishing
- The perpetrator finds the CIBC FirstCaribbean web page and uses the details available there to make the message seem authentic, then drafts an e-mail to a customer
- The e-mail appears to come from an individual who might reasonably request confidential information, such as a computer administrator or a person of authority within the bank
- The e-mail asks the customer to log into a bogus web page that requests the customer's user name and password, or to click on a link that downloads spyware or other malware
- If the customer falls for the spear phisher's ploy, the attacker can masquerade as that customer and use social engineering techniques to gain further access to sensitive data
The truth is that the e-mail sender information has been faked, or "spoofed." Whereas traditional phishing scams are aimed at random individuals, spear phishing scams are aimed at specific individuals. If you respond with a user name or password, click on a link, or open an attachment in a spear phishing e-mail, you might be putting your financial resources at risk
How to Identify and Avoid Spear Phishing E-mail
- Grammatical and spelling errors in the e-mail
- Even if a link contains a name you recognize, that does not mean it leads to the real organization. Hover your mouse over the link and compare the destination address your e-mail program shows with the address written in the message; if the two differ, do not click it
- Be wary of attachments and links within e-mails
- A sense of urgency: criminals want you to provide your personal information now. They do this by making you think something has happened that requires you to act fast, for example that your account will be suspended. The faster they get your information, the faster they can move on to another victim
- Never reveal personal or financial information in response to an e-mail request, no matter who appears to have sent it
- If you receive an e-mail message that appears suspicious, call the person or organization listed in the "From" field before you respond or open any attached files. Use a telephone number you already have or one from the organization's official web site, not a number given in the e-mail itself
- Report this type of e-mail immediately to email@example.com. Attach or include any fraudulent e-mails that you suspect might be a spear phishing attack
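Two of the signs listed above, a sender whose reply address does not match the "From" line and a link whose visible text does not match where it really points, can be checked mechanically. The script below is an added example written for this page, not a tool from CIBC FirstCaribbean; it uses only the Python standard library and runs against two constructed messages (the domains bank.example and bank-example-secure.net are invented placeholders, not real bank or attacker domains). It reports sender mismatches, link mismatches and urgency wording.

```python
"""Flag spear-phishing indicators in a raw e-mail message (added example)."""
import re
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that create the "act now" pressure described above (illustrative list).
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended",
                 "verify now", "act now")

# Constructed sample: spoofed reply address, misleading link, urgent wording.
SAMPLE_EML = """\
From: "IT Administrator" <it.admin@bank.example>
Reply-To: <it.admin@bank-example-secure.net>
To: customer@customer.example
Subject: Urgent: confirm your online banking password within 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>Our systems team has detected unusual activity. Your access will be
suspended unless you <a href="http://bank-example-secure.net/login">log in
at https://www.bank.example/</a> immediately.</p>
</body></html>
"""

# Constructed sample of a message that should raise no findings.
CLEAN_EML = """\
From: "Bank Statements" <statements@bank.example>
To: customer@customer.example
Subject: Your March statement is available
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your statement is ready at
<a href="https://www.bank.example/statements">www.bank.example/statements</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude organisation part of a host name: its last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_address(header_value):
    """Domain of the address in a From/Reply-To/Return-Path header ('' if none)."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def find_indicators(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    result = {"sender_mismatch": [], "link_mismatch": [], "urgency": []}

    # 1. Sender spoofing: replies or bounces routed to a different domain.
    from_domain = domain_of_address(msg["From"])
    for header in ("Reply-To", "Return-Path"):
        other = domain_of_address(msg[header])
        if other and registrable(other) != registrable(from_domain):
            result["sender_mismatch"].append(
                f"From domain {from_domain} but {header} domain {other}")

    # 2. Link text that names one domain while the href points to another.
    part = msg.get_body(preferencelist=("html", "plain"))
    content = part.get_content() if part else ""
    collector = _LinkCollector()
    collector.feed(content)
    shown_domain = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)
    for href, text in collector.links:
        host = urlparse(href).hostname
        match = shown_domain.search(text.lower())
        if host and match and registrable(match.group(1)) != registrable(host):
            result["link_mismatch"].append(
                f"link text shows {match.group(1)} but points to {host}")

    # 3. Urgency wording in the subject line or body.
    text = " ".join((str(msg["Subject"] or "") + " " +
                     re.sub(r"<[^>]+>", " ", content)).lower().split())
    result["urgency"] = [w for w in URGENCY_WORDS if w in text]
    return result


if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE_EML), ("CLEAN", CLEAN_EML)):
        print(name, find_indicators(raw))
```

The domain comparison uses only the last two labels of a host name, which is deliberately simple: it treats www.bank.example and bank.example as the same organisation but would not handle country-code registries such as .co.uk correctly. Keyword matching on urgency phrases is likewise a heuristic; it is a prompt to look more closely, not proof of fraud.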