Spear-phishing is a highly targeted, particularly destructive form of phishing. Most phishing scammers cast a wide net, sending out generic mass emails in hopes of snaring a few victims. Spear-phishers research individual marks and craft personalized messages that appear to come from trusted sources, which helps them bypass traditional email security features like spam filters, according to a study by security company Barracuda.
You might get what looks like an email, text or social media message from a friend, a relative, a coworker or a company you do business with. It includes a request for personal information, a link to a company site or an attached document that requires immediate attention. Clicking the link or downloading the file infects your device with malware or spyware that steals your passwords, peruses your files or tracks your every keystroke.
Spear-phishers have numerous tricks to make the ruse plausible. For example, they might:
- Dig up personal and professional information from a variety of sources, including public records, your employer’s business website and your social media profiles.
- Hack email and social media accounts and send messages to people on the victim’s contact list.
- Utilize information obtained through data breaches of major companies.
- Set up fake customer-service accounts for big brands to glean info from unsuspecting consumers (a practice called “angler phishing”).
Spear-phishing has become a key weapon in cyber scams against businesses. More than 80 percent of US companies and organizations surveyed by cybersecurity firm Proofpoint reported experiencing a spear-phishing attack in 2020, and 38 percent said they were targeted more than 25 times.
Another variation targets homeowners: An email supposedly from your mortgage company says your loan has been sold and provides a link to the new lender’s website. Any payments you make there go into the crooks’ pockets.
Warning signs that a message may be a spear-phishing attempt include:
- An email that appears to be from a supervisor or colleague at work makes an unusual, urgent request for money or financial information.
- An email or social media message from a familiar or trusted source asks for personal information, such as account passwords.
- The message contains odd grammar, poor word choices or misspellings.
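The warning signs above can be turned into simple message-screening rules. The following is an added example, not code from the original article: it parses a constructed email, compares the sender's display name against a hypothetical directory of known contacts, and flags the patterns the list describes (a familiar name on an unfamiliar address, a reply-to that differs from the sender, an urgent money request, a request for credentials). The grammar and misspelling sign is not modelled here, since it needs a dictionary or language model rather than a keyword rule.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message that looks like it comes from a supervisor,
# but is sent from an external address with an urgent money request.
SAMPLE_EMAIL = """\
From: "Dana Reyes" <dana.reyes@example-mail.test>
Reply-To: payments@example-mail.test
To: alex@example.org
Subject: Urgent wire transfer needed today

Alex, I need you to process an urgent payment before 3pm. Send me your bank
login details so I can confirm the account. Pls keep this confidental.
"""

# Hypothetical directory of trusted senders: lower-cased display name -> real address.
KNOWN_CONTACTS = {"dana reyes": "dana.reyes@example.org"}

# Keyword lists are illustrative; a production filter would tune these.
URGENCY_TERMS = ("urgent", "immediately", "right away", "today", "asap")
MONEY_TERMS = ("wire transfer", "payment", "gift card", "invoice", "bank")
CREDENTIAL_TERMS = ("password", "login details", "account number", "ssn")


def warning_signs(raw_email: str, known_contacts=KNOWN_CONTACTS) -> list:
    """Return a list of human-readable warning signs found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "").lower()
    body = msg.get_payload().lower()  # sample is single-part text
    text = subject + "\n" + body
    signs = []

    # Sign: display name matches someone we know, but the address is not theirs.
    expected = known_contacts.get(display_name.strip().lower())
    if expected and expected.lower() != address.lower():
        signs.append("display-name matches a known contact but address differs")

    # Sign: replies are silently routed to a different mailbox.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != address.lower():
        signs.append("reply-to differs from sender")

    # Sign: unusual, urgent request involving money.
    if any(t in text for t in URGENCY_TERMS) and any(t in text for t in MONEY_TERMS):
        signs.append("urgent request involving money")

    # Sign: asks for passwords or account details.
    if any(t in text for t in CREDENTIAL_TERMS):
        signs.append("asks for credentials or account details")

    return signs


if __name__ == "__main__":
    for sign in warning_signs(SAMPLE_EMAIL):
        print("WARNING:", sign)
```

A message that trips several of these rules at once is worth a phone call to the apparent sender before anyone acts on it; a single hit is not proof of phishing, so the rules are best used to prioritize review rather than to block outright.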