FRAUD RESOURCE CENTER
En español | Spear-phishing is a highly targeted, particularly destructive form of phishing. Most phishing scammers cast a wide net, sending out generic mass emails in hopes of snaring a few victims. Spear-phishers research individual marks and craft personalized messages that appear to come from trusted sources.
For example, you might get an email, text or social media message from a friend, relative or coworker (or so it seems) with a request for personal information, a link to a company site or an attached document that requires immediate attention. Clicking the link or downloading the file infects your device with malware or spyware that steals your passwords, peruses your files or tracks your every keystroke.
To make the ruse plausible, spear-phishers dig up personal and professional information from a variety of sources, including public records, your employer’s business website and your social media profiles. They hack email and social media accounts and send spear-phishing messages to people on the victim’s contact list. They might utilize information obtained through data breaches of major companies, or set up fake customer-service accounts for big brands to glean info from unsuspecting customers (a practice called “angler phishing”). All too often, it works: In a 2017 study, researchers at the University of Florida and New York University found that 43 percent of subjects clicked on a link in at least one spear-phishing email over a 21-day period.
Spear-phishing has become a key weapon in cyber scams against businesses and organizations, used in more than 70 percent of such attacks, according to a 2018 report by security software provider Symantec. Another variation targets homeowners: An email supposedly from your mortgage company says your loan has been sold and provides a link to the new lender’s website. Any payments you make there go into the crooks’ pockets.
- An email that appears to be from a supervisor or colleague at work makes an unusual urgent request for money or financial information.
- An email or social media message from a familiar or trusted source asks for personal information, such as account passwords.
- The message contains odd grammar, poor word choices or misspellings.
- Do be as cautious with emails that address you directly as you would be with a generic message, especially if they contain links or attachments.
- Do eyeball email addresses, even when attached to a familiar name. If the message comes from an address the person doesn’t normally use, or one that contains a slight misspelling of a familiar domain, that’s a red flag.
- Do check links before you click them, by hovering your cursor over them to see the actual URL.
- Do be mindful that what you post on social networks might be exploited by spear-phishers. For example, if you posted about a recent business conference, a crook might pose as a fellow attendee and send you a related document that contains malware.
- Do scrutinize a corporate social media account before you engage with it. Look for signs that it is legitimate (such as the blue checkmark Twitter gives to verified accounts) and tipoffs of fakes (like misspelled words or variations on the company’s name in a URL). When in doubt, go to the company’s official website and look for its genuine social media connections.
- Don’t click on links or open attachments in an email, text or social media message unless you are certain it comes from a trusted sender.
- Don’t accept friend requests on social networks from people you don’t know. They may be scammers trying to get access to personal information from your posts.
- Don’t send sensitive personal information in response to an email request, even if it appears to be from a trusted source.
- Don’t trust a link just because it connects to a familiar file-sharing service like Google Drive, Microsoft OneDrive or Dropbox. More scammers are storing their spyware-laden files in the cloud, rather than sending documents with attachments that security software might block.
- Don’t trust a website just because it has “https://” and a lock icon in the browser window. Scammers increasingly are incorporating security certificates into their phony websites to make them look authentic.
- Report spear-phishing attempts to the FBI’s Internet Crime Complaint Center (IC3), or to an FBI field office in your area.
- You can also report phishing to the Federal Trade Commission at firstname.lastname@example.org or the agency’s online complaint center, and to the U.S. Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) at email@example.com.
Published: August 26, 2019
More From the Fraud Resource Center