In the New York State Department of State Division of Consumer Protection’s tip sheet Phishing Scam Prevention Tips for Consumers, we explained that phishing e-mails masquerade as legitimate e-mails, usually requesting the consumer’s urgent assistance in verifying the security and privacy of the consumer’s account. Phishers aim to lure large numbers of consumers into surrendering their personal information, such as username, password or credit card information, with one mass appeal to hundreds of thousands. Because these e-mails are so broadly targeted, they lack any personal connection to the recipient, and more and more consumers are learning how to spot the fraud.
Last month, the Federal Bureau of Investigation (FBI) warned of a growing threat from a more insidious form of phishing—spear phishing—whose main purpose is to create a believable-sounding personal connection. Spear phishers work to exploit the trust of a small group of targets by customizing their message to the personal backgrounds of the targets. Scammers get this information by searching websites, blogs or social networking sites where potential targets may have posted personal information. In some cases, the thieves may hack into an organization’s computer network to obtain employee information.
Spear phishing e-mails will attempt to lure their recipient: (i) by falsely identifying the sender as a person or organization with which the recipient is familiar and with which the recipient may have a relationship, (ii) by including some personal details about the recipient in the body of the message, and (iii) by making requests that, given the familiarity of the contact, seem to have a legitimate basis.
Here’s how you may experience a spear phishing attack:
A) The thief will send you an e-mail that seems to come from a familiar person or organization. It might appear to be from a company which recently accepted your product order, or a social networking site that is providing a customer support service, or from a fellow employee seeking verification on an outstanding matter.
B) The e-mail will address you by name and will include in the body personal information such as facts about your employment, your student status, the product order you have recently placed or other familiar-sounding information.
C) The e-mail may ask you to click on a link that takes you to a fictitious (but realistic-looking) site which will request personal information such as passwords, account numbers, access codes and the like to be used not only to steal your identity but also to access your employer’s computer network.
D) The e-mail may also ask you to open an attachment which secretly installs malware on your computer which, in turn, can steal sensitive corporate information such as trade secrets.
What you can do to avoid being a victim:
1. Be careful about the types of personal information that you post on websites, blogs and social networking sites. Do not post any information that identity thieves or scammers could use to target you.
2. Be suspicious about any e-mail, no matter whom it is from, that requests your personal information. Call the person or organization identified in the e-mail to confirm that the request is legitimate.
3. Let your organization’s security group know if you have received an e-mail that appears to be a spear phishing attack.
4. Follow the “Do’s” and “Do Not’s” in the tip sheet mentioned above, especially the tips to never provide any personal information in response to an unsolicited e-mail, never click on links or open attachments in the e-mail, and always keep your anti-virus and anti-spyware software as well as your firewalls up-to-date.
So far, the number and size of spear phishing attacks have been small compared with other types of phishing. However, as the FBI has warned, the threat is growing and needs to be treated very seriously. Your best defense against any type of phishing is to carefully follow anti-phishing tips and to check often for the latest guidance on new and growing threats.