Now more than ever, the internet is a fun place to hang out. From myriad influencers to non-stop cooking videos to tomorrow’s next TikTok stars, there’s enough entertaining content out there to go around. But unfortunately, the online world isn’t all feel-good fun and games. It’s also a breeding ground for cybercriminals, hackers, and scammers. These digital con artists aren’t interested in ‘likes’ and ‘shares.’ Their goal is to bamboozle you out of your personal information and take you for whatever they can get.
And one way they do this is through a malicious tactic known as spear phishing.
What is spear phishing?
- Hi Jane. Could you please log into your work account and review the following proposal?
- Terrance: We noticed an issue with your Facebook account. Follow the attached instructions to fix the issue.
- Attention Diane: There’s been unauthorized activity on your Wells Fargo bank account. Click here to log in and fix the problem.
How many times have you seen an email pop up in your inbox with messages like these? This is what your average spear phishing email looks like, and if you’re not paying attention, it can be very dangerous.
Not to be confused with email phishing, spear phishing is a more sophisticated type of scam. It’s a very simple, yet expertly targeted email-based cyber-attack aimed directly at you. Often, the scammer makes you believe you’re being contacted by a person or organization you trust.
With spear phishing, the attackers have done their research. They often know your name, where you live, where you bank, and even where you work. And they’re after your critical login credentials, financial account numbers, email passwords, and whatever else they can get their hands on to effectively steal your money, information, and even your identity.
Spear phishing attackers craft their emails very carefully to maximize the chance victims will open the email and trust its contents. Besides gaining sensitive personal information from targets, a spear phishing attacker can deliver dangerous digital payloads like malware, spyware, or ransomware.
Spear phishing can happen to anyone
Unsolicited surveys. Bank alerts. Urgent IRS notifications. Spear phishing emails come in many different forms. No one is immune to these attacks, not even prominent corporations, politicians, athletes, and celebrities.
Remember when WikiLeaks published Clinton campaign emails leading up to the 2016 presidential election? Campaign Chair John Podesta had been spear phished when he clicked on a link to a spoofed Google web page that said someone had used his password and urged him to change it. When he did, he gave Russian hackers access to his email account.
Russian hackers were also behind the cyber-attack on the athletes at the 2016 Rio Olympics. Through spear phishing, the group obtained and published confidential information about U.S. athletes, including Simone Biles and Serena Williams.
And lest we forget about Celebgate that same year. Still one of the biggest celebrity hacks in recent memory, a hacker used spear phishing to steal private photos of celebrities like Jennifer Lawrence and Kate Upton.
In August 2019 a Toyota subsidiary called Toyota Boshoku Corporation lost $37 million due to a business email compromise caused by spear phishing.
And just last year, Elara Caring, a U.S. healthcare provider, was hit with an unauthorized computer intrusion that targeted two employees. Through this attack, the spear phisher was able to gain access to names, birthdates, social security numbers, insurance information, and financial and banking information from over 100,000 elderly patients.
Protecting yourself against spear phishing
If anyone is fair game for spear phishing scams, then how do you avoid them? Unfortunately, there is no one, single defense, but there are a few practices you can immediately put into place to help keep you from being duped.
Know the signs
This might be the number one defense against spear phishing emails. Before clicking on that link in an email, take a moment to check for signs that the sender is who they claim to be.
- Is the person’s or business’ name spelled correctly?
- Take a good look at the sender’s email address. Is it close, but a little off? (E.g. Samsung.co, or Samsng.net.)
- Does the greeting seem weird? Do they address you by name? “Customer” or “Sir” might be an indication that something’s up.
- Look closely at the tone and spelling of the email. Is it free from typos? Is it overtly trying to get you to do something that you usually wouldn’t?
Contact the sender
Suppose you receive an urgent email from a person or institution you know—like your boss, your bank, or the IRS. The email asks you to download something important, reset a password, or log in to check a financial account. The first thing you should do, before anything else, is to simply reach out to the person you think sent the email. Make sure they’re really the sender. The extra few minutes or hours it takes to verify a request could mean the difference between avoiding an attack and having your information stolen.
Protect your personal information
There’s no real way to keep 100% of your personal details from someone who wants to spear phish you. Things like job profiles and job titles on a company website are information a hacker can get a hold of easily. But there are a few other things you can do to lock down important details about yourself.
- Set all your social media accounts to whatever private setting they offer. And then be very selective about what you share on your public timelines. The world doesn’t need to know every single detail about you.
- You can also enable two-factor authentication on your email and various personal financial accounts. It’s an extra step in the login process, but it blocks hackers from having the information needed to access your accounts if you accidentally hand over your credentials in a spear phishing attack.
- Update your software frequently. If your software provider notifies you that there is a new update, do it immediately. Most software systems include security software updates that should help protect you from common attacks.
Let’s face it. Hackers, scammers, and cybercriminals are always going to be out there trying to make life harder for the rest of us. And they’ll always cast as wide a net as possible in hopes of making a catch.
But as email security becomes more sophisticated, spear phishing tactics will become easier to flag. Even those phishing emails that do arrive at their intended destination will no longer be effective enough to fool wary users.
Just remember that the first line of defense always starts with you. Use your best judgment and be vigilant about protecting yourself while living your online life. If you do, you’ll be better prepared when the next spear phisher swims up and tries to strike.