Spear Phishing: What Is It and How to Avoid It
If you’ve had any cybersecurity awareness training in the past couple of years, you probably already know what phishing is. This practice of sending fraudulent emails that appear to be from a legitimate source has devastated Internet users as they lose everything from personal files to million-dollar NFTs. In 2022, phishing is expected to increase by six billion attacks.
Security awareness training has fortunately taught employees across all kinds of industries how to recognize and avoid phishing attempts. You might have even gotten some training in avoiding them, yourself. How much, however, do you know about one of its sinister subsets: Spear phishing?
What Is Spear Phishing?
While some of the hallmarks of a phishing message includes not directly addressing you by name or making unspecified claims meant to scare you into action, but you won’t find many of those mistakes in a spear phishing message. Instead, spear phishing is an email scam that is directly targeting you, your organization or job. It is designed to hack into your particular computer, so you can bet it’s designed to play on your particular weaknesses.
What does this mean? It means that you might not be able to recognize the scam through faulty websites or suspicious questions right away. Perhaps, by tracking your search history, the perpetrator knows to send a message that appears to be from your boss asking you to purchase them giftcards for a particular store that you really do frequent for work. Maybe a scan of your social media reveals an interest in a local intramural sports team, so the scammer poses as an athlete who wants to join but maybe needs some help with dues.
Spear phishing is a type of social engineering attack where the hacker has narrowed you down to the most approachable target, the one with the access to the files they want, and they craft a message specifically designed to ensnare you.
What Makes Them Target You?
While you can’t cast off your security clearance or whatever network the threat actor wants to infiltrate, you can update your security controls to more effectively prevent breaches. Automated scanners, for example, can check the network for unusual activity around the clock. Even simple steps, like password protecting your WiFi, keeps out people who may prefer an easy target.
The best defensive move that you can make on a daily basis is to stay vigilant and learn how to recognize new threats and scare tactics as they crop up. COVID-19, for example, brought on a slew of malicious campaigns to capture people’s credit cards and Social Security numbers, not to mention the fake vaccine documents floating around the Dark Web. Keeping abreast of rampant scams will at the very least you put you on guard if a similar message pops up in your inbox.
How Can You Avoid an Attack?
Remember that you are the fish, and they have the lure. What you need to do now, is know how to recognize bait.
- Does the message try to get you to act immediately without learning anything further about the situation?
- Do they ask you to click a link embedded directly in the email, instead of directing you how to find it on the official site?
- Are there attachments they want you to download?
- Does the email domain match the spelling you expect from this sender? (e.g. from gmail.com instead of gmial.com)
- Is this someone you would expect to message you in the situation they’re presenting?
- Does their message immediately incite fear, anger or excitement to get you to follow through with their request?
Even with all this in mind, mistakes happen and networks get breached. Two-factor authentication helps keep cybercriminals out of your account, even if you accidentally click on something you shouldn’t. Your most sensitive programs, like your banking app, should require some secondary form of identification to prove it’s really you (think Face ID, fingerprint scans, one-time passwords and QR authentication, to name a few). This way, even if they get your passwords, hackers won’t be able to log in and you’ll usually get a notification about the attempted breach, too.
Spear phishing has become a more popular means of cyber-theft since work from home practices grew commonplace; the same is true of ransomware, phishing in general and other attacks taking advantage of this massive societal shift.
Education is the key to staying as protected as possible. The more familiar that you become with the latest threats and tricks sweeping the modern threat landscape, the better equipped you’ll be to recognize, report and say goodbye to would-be hackers.
Follow our blog for the latest news and tips on staying cybersecure in today’s digital world!