FRAUD RESOURCE CENTER
Spear-phishing is a highly targeted, particularly destructive form of phishing. Most phishing scammers cast a wide net, sending out generic mass emails in hopes of snaring a few victims. Spear-phishers research individual marks and craft personalized messages that appear to come from trusted sources, which helps them bypass traditional email security features like spam filters, according to a study by security company Barracuda.
You might get what looks like an email, text or social media message from a friend, a relative, a coworker or a company you do business with. It includes a request for personal information, a link to a company site or an attached document that requires immediate attention. Clicking the link or downloading the file infects your device with malware or spyware that steals your passwords, peruses your files or tracks your every keystroke.
Spear-phishers have numerous tricks to make the ruse plausible. For example, they might:
- dig up personal and professional information from a variety of sources, including public records, your employer’s business website and your social media profiles.
- hack email and social media accounts and send messages to people on the victim’s contact list.
- utilize information obtained through data breaches of major companies.
- set up fake customer-service accounts for big brands to glean info from unsuspecting consumers (a practice called “angler phishing”).
Spear-phishing has become a key weapon in cyber scams against businesses. Eighty percent of US companies and organizations surveyed by cybersecurity firm Proofpoint reported experiencing a spear-phishing attack in 2019, and 33 percent said they were targeted more than 25 times.
Another variation targets homeowners: An email supposedly from your mortgage company says your loan has been sold and provides a link to the new lender’s website. Any payments you make there go into the crooks’ pockets.
- An email that appears to be from a supervisor or colleague at work makes an unusual urgent request for money or financial information.
- An email or social media message from a familiar or trusted source asks for personal information, such as account passwords.
- The message contains odd grammar, poor word choices or misspellings.
- Do be as cautious with emails that address you directly as you would be with a generic message, especially if they contain links or attachments.
- Do eyeball email addresses, even when attached to a familiar name. If the message comes from an address the person doesn’t normally use, or one that contains a slight misspelling of a familiar domain, that’s a red flag.
- Do check links before you click them, by hovering your cursor over them to see the actual URL.
- Do be mindful that what you post on social networks might be exploited by spear-phishers. For example, if you posted about a recent business conference, a crook might pose as a fellow attendee and send you a related document that contains malware.
- Do scrutinize a corporate social media account before you engage with it. Look for signs that it is legitimate (such as the blue checkmark Twitter gives to verified accounts) and tipoffs of fakes (like misspelled words or variations on the company’s name in a URL). When in doubt, go to the company’s official website and look for its genuine social media connections.
- Don’t click on links or open attachments in an email, text or social media message unless you are certain it comes from a trusted sender.
- Don’t accept friend requests on social networks from people you don’t know. They may be scammers trying to get access to personal information from your posts.
- Don’t send sensitive personal information in response to an email request, even if it appears to be from a trusted source.
- Don’t trust a link just because it connects to a familiar file-sharing service like Google Drive, Microsoft OneDrive or Dropbox. More scammers are storing their spyware-laden files in the cloud, rather than sending documents with attachments that security software might block.
- Don’t trust a website just because it has “https://” and a lock icon in the browser window. Scammers increasingly are incorporating security certificates into their phony websites to make them look authentic.
- Report spear-phishing attempts to the FBI’s Internet Crime Complaint Center (IC3), or to an FBI field office in your area.
- You can also report phishing to the Federal Trade Commission at email@example.com or the agency’s online complaint center, and to the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) at firstname.lastname@example.org.
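The two "Do" items above about eyeballing sender addresses and hovering over links to see the real URL can be automated for a mailbox or help-desk queue. The following Python script is an added example; it is not part of the AARP article or any product it mentions. The trusted-domain list, the constructed sample message, and the two-edit threshold for a "slight misspelling" are all assumptions chosen for illustration.

```python
"""Added example (not from the AARP article): automate two of the manual
checks above -- inspecting the sender address and comparing a link's
visible text with its real destination -- on a constructed sample message."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains this recipient legitimately corresponds with.
TRUSTED_DOMAINS = {"example-bank.com", "example-corp.com"}


def edit_distance(a, b):
    """Levenshtein distance; one or two edits from a trusted domain is the
    'slight misspelling of a familiar domain' the article warns about."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host):
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def domain_flags(host, role):
    """Red flags for a host seen as a sender domain or a link destination."""
    host = host.lower()
    if is_trusted(host):
        return []
    flags = []
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(host, trusted) <= 2:      # assumed threshold
            flags.append(f"{role} domain {host!r} is a near-miss of {trusted!r}")
        elif trusted in host:
            # The familiar name is buried inside an unrelated registrable domain.
            flags.append(f"{role} domain {host!r} embeds {trusted!r} but is not under it")
    return flags


def _norm(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())


def check_sender(from_header):
    """Flags for a From: header: a look-alike domain, or a familiar display
    name attached to an address that is not from a trusted domain."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no usable sender address"]
    domain = addr.rsplit("@", 1)[1]
    flags = domain_flags(domain, "sender")
    if not is_trusted(domain):
        for trusted in TRUSTED_DOMAINS:
            label = trusted.split(".")[0]           # e.g. 'example-bank'
            if _norm(label) in _norm(display):
                flags.append(f"display name {display!r} suggests {trusted!r} "
                             f"but address is @{domain}")
    return flags


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body):
    """Flags for links whose visible text names a different host than the
    real destination (what hovering reveals), plus checks on that host."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flags = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        m = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
        if m and m.group(1) != real_host:
            flags.append(f"link text shows {m.group(1)!r} but points to {real_host!r}")
        flags.extend(domain_flags(real_host, "link"))
    return flags


def check_message(from_header, html_body):
    return check_sender(from_header) + check_links(html_body)


# Constructed sample: a look-alike sender domain plus a disguised link.
SAMPLE_FROM = "Example Bank Support <alerts@examp1e-bank.com>"
SAMPLE_HTML = ('<p>Your statement is ready. Sign in at '
               '<a href="https://example-bank.com.login-portal.example.net/">'
               'https://example-bank.com/login</a> within 24 hours.</p>')

if __name__ == "__main__":
    for flag in check_message(SAMPLE_FROM, SAMPLE_HTML):
        print("RED FLAG:", flag)
```

Run on the sample, the script reports four flags: the sender domain is one edit away from a trusted one, the display name claims a bank the address does not belong to, the link's visible text names a different host than its real destination, and that destination merely embeds the familiar domain name. An allow-list plus an edit-distance threshold is deliberately simple; it catches near-miss and look-alike domains but not a compromised trusted account, which is why the article's advice to confirm unusual requests out of band still applies.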
Updated July 6, 2020