What is spear phishing? How to keep yourself and your data above water

Whether you rely on email for business or simply use it on occasion for personal use, it is important to be wary of scams that cybercriminals use in attempts to steal something from you.


Among the most popular scams is phishing, in which thieves set what amounts to a virtual trap using email. As its homophonous name implies, the thieves bait their victims much as an angler baits a hook.

Spear Phishing vs. Phishing

Phishing is the broader term for any social engineering scam that attempts to trick victims into sharing whatever the perpetrators are after — passwords, usernames, identification numbers, and so on. While there are a handful of recognized phishing strategies, the most common type of phishing attack is what experts call spear phishing.

Spear phishing attacks are aimed at specific individuals, whereas general phishing attacks are usually sent to large numbers of email addresses at once in the hope that someone takes the bait. With spear phishing, thieves typically target select groups of people who have one thing in common. Maybe you all work at the same company. Maybe you’re all students at the same university. Or maybe you all use the same local bank. Whatever trait they select for, they do it because it works: spear phishing techniques are used in 91% of attacks.

What you know and who you know

Spear phishers need something to start with. That starting point might be a company-wide email alias or other insider information that helps make the emails look legitimate to their targets. For even more targeted attacks, the cybercriminal might study the target’s habits or environment.

One popular approach has the victim receive an email that appears to come from someone they trust, such as a personal assistant or the company IT manager. The email looks nearly identical to what the target is used to receiving from that person, complete with the relevant logos and names. It urges the victim to click a link to reset a password. Following the link leads to a website that asks for the current username and password. And just like that, the spear phisher has captured the user’s login credentials, or whatever else the message baited the victim into providing.

Avoiding the narrow scope

Spear phishing makes up the majority of phishing-type attacks in part because the end reward is clear. These criminals are typically looking for information or access that can lead to financial gain — whether immediate or longer term — or valuable insider information. In 2016, identity theft and fraud cost consumers over $16 billion. While spear phishing attempts were not responsible for the full haul, it is clear that the stakes are high.

Unfortunately, anyone who uses email can fall for a spear phishing scam. If you are one of the unlucky who takes the scammer’s bait, here is what your next steps might look like:

  • Change your password. If you provided your password or any sort of personal information, change your passwords right away. Even if the scammers did not take your password, they might be able to access your accounts with whatever information they did take. To be safe, create new passwords for all of your accounts — and make each one strong.
  • Contact credit card companies and agencies. If you’ve given away any personal information, you can either monitor your credit on your own, or better yet, contact one of the major bureaus to place a fraud alert on your account. Likewise, reach out to your credit card companies to bring them up to speed on the situation.
  • Update your software. For security reasons, you should always keep your software up to date, so that it has the latest security patches and your antivirus software has current definitions for viruses and other malware. Malware is not always part of a spear phishing attack, but it is not unheard of.

While traditional security measures help with many of the threats directed toward computer users, the social engineering aspect of spear phishing makes it one of the more difficult ones to detect.

In order to avoid spear phishing attacks, it is important to pay attention when opening emails. If an email ever asks for personal information — no matter who it comes from — a little caution can go a long way in keeping your data safe. When it appears that a normally trusted source is asking for something like your Social Security number or password, be on the lookout for spelling mistakes, links whose real destination differs from the address they display, and subtle threats that you will lose your access. When in doubt, reach out to the sender or company through a different channel in order to verify the request.
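The warning signs listed above can be turned into a simple automated check. The following Python script is an added example, not code from the original article or from Microsoft: it parses a raw email, compares the sender's domain with the organization's expected domain (the `expected_domain` parameter is an assumption), flags a Reply-To that differs from the From address, flags links whose visible text names one site while the `href` points somewhere else, and looks for urgency phrases and requests for secrets. The phrase lists, the two sample messages, and the "last two DNS labels" domain heuristic are all constructed for this example.

```python
"""Heuristic checks for the spear phishing warning signs described above.
Input: a raw RFC 5322 message as a string. Output: a list of readable findings."""
import email
import email.policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases (hypothetical, short list for the example).
URGENCY_PHRASES = (
    "your account will be suspended",
    "within 24 hours",
    "immediately",
    "password will expire",
)
# Things a legitimate sender should never ask for over email.
SENSITIVE_REQUESTS = ("password", "social security number", "ssn")


def registered_domain(host: str) -> str:
    """Crude organizational domain: last two DNS labels.
    Fine for .com-style hosts; a real deployment would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw: str, expected_domain: str) -> list[str]:
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []

    # 1. The display name may say "IT Helpdesk" while the address is foreign.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    if from_domain and registered_domain(from_domain) != registered_domain(expected_domain):
        findings.append(f"From address domain '{from_domain}' is not '{expected_domain}'")

    # 2. Replies silently redirected to a different mailbox.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To '{reply_addr}' differs from From '{from_addr}'")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    lowered = (str(msg.get("Subject", "")) + "\n" + body).lower()

    # 3. Link text that names one site while the href leads to another.
    parser = _LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown_host and "." in shown_host and registered_domain(shown_host) != registered_domain(href_host):
            findings.append(f"Link text '{text}' hides destination '{href_host}'")
        elif href_host and registered_domain(href_host) != registered_domain(expected_domain):
            findings.append(f"Link points to external host '{href_host}'")

    # 4. Pressure to act now, and requests for secrets.
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"Urgency language: '{phrase}'")
            break
    for item in SENSITIVE_REQUESTS:
        if item in lowered:
            findings.append(f"Asks for sensitive data: '{item}'")
            break
    return findings


# Constructed sample: a password-reset lure of the kind described in the article.
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@example-corp-support.net>
Reply-To: recovery@mail-reset.example
To: alice@example-corp.com
Subject: Action required: password will expire
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password will expire within 24 hours. Reset it now at
<a href="http://login.example-corp.evil-mirror.net/reset">https://portal.example-corp.com/reset</a>
or your account will be suspended.</p></body></html>
"""

# Constructed sample: an ordinary internal message that should produce no findings.
BENIGN_EMAIL = """\
From: IT Helpdesk <helpdesk@example-corp.com>
To: alice@example-corp.com
Subject: Monthly newsletter
Content-Type: text/html; charset="utf-8"

<html><body><p>Read it at <a href="https://intranet.example-corp.com/news">intranet.example-corp.com/news</a>.</p></body></html>
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL, "example-corp.com"):
        print("-", finding)
```

Run as a script, it lists five findings for the lure and none for the benign message. The checks are deliberately simple heuristics; they are the kind of thing a mail gateway applies before a human ever sees the message, and they complement rather than replace the out-of-band verification the paragraph recommends.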

As spear phishing attacks evolve, it is important for individuals and companies to educate themselves on safe email practices and on how to recognize phishing attacks.

Originally published at https://www.microsoft.com/en-us/microsoft-365/growth-center/resources/what-is-spear-phishing-how-to-keep-yourself-and-your-data-above-water

Copyright © 2020 IDG Communications, Inc.