I learned a new term today. Spear phishing. I’ve talked about phishing before in several blogposts, but spear phishing was a totally new term to me. As you might have guessed, it’s just like phishing, but way more targeted. They’ve got enough information about you to make you think they are legit. And that seems to be enough for you to fall for their schemes and give them even more information about you. But don’t fall for it!
- Trusted Source
- Social Engineering
Spear phishing via flattery:
This is when someone contacts you, either via an email, text, or other direct message. The message is from someone that you admire. They compliment you and ask you for some sort of assistance. Once you fall for the deception, they’ll ask for more and more of your personal information. In this article from Wired, the author actually provided her Twitter information, including her password. Here’s a short blip of her story:
“A few weeks ago, I got a direct message on Twitter from one Larry Summers. Yes, the Larry Summers, if that nasty little aquafresh checkmark beside @LHSummers was to be believed. Larry Summers of Harvard. Larry Summers of the World Bank. Larry Summers of the Treasury Department, for the love of god.”
Now that you know the end of the story, you can see where this is going. But, if you had been a fan of Secretary Lawrence Sanders, you might have been fooled too.
Spear phishing via a “Trusted Source”:
In this case, you receive an email from (what appears to be) someone you know. Most likely it is a work colleague, someone that you have corresponded with in the past. They’d like you to take a look at a document (which they have conveniently attacthed) before it gets published. Or, they’ve forgotten the password to access the company database for a specific file. It all seems very inocuous, and, because it is from someone that you trust, you fall for the bait.
Spear phishing via Social Engineering:
Social Engineering requires that the “spear phisher” do a bit of research about the target. They’ll learn the person’s title, the name and title of their boss, the name or subject of the person’s current project, maybe the name of one or two of their subordinates. Then they will send an email which appears to be from a company the target is working with.They’ll make a specific request, adding enough personal information to be believable.
How do you protect yourself from Spear phishing?
- Don’t click on links until you have verified the end target of that link. Is it going to companyname.com or companynome.com? Tricky, right? Look carefully!
- Don’t open any documents in an email until you have confirmed with your colleague that they actually sent it.
- Don’t call the phone number or reply via the information included in the message. Use a phone number or email that you already have on file for that person.
Have you been the target of a spear phishing attack? How did you deal with it? Did you fall for their deception? Let us know in the comments below!
Chris Eddy of Geek For Hire, Inc. has been providing computer service to families and small businesses with Mac’s and PC’s for the past fifteen years. His company is highly rated by both the BBB (Better Business Bureau) and by Angie’s List. You can find more on our website, or give us a call 303-618-0154. Geek For Hire, Inc. provides onsite service (Tier 3) to the Denver / Boulder / Front Range area as well as remote service throughout North America.
We’ve been using Amazon Prime for the past few years. We like the free 2-3 day shipping and the online streaming. I haven’t tried the Kindle lending library yet. I’ll try that next! Prime is normally $99/year, but you can try it for 30 day for free by clicking on this link: Try Amazon Prime 30-Day Free Trial
(Any links to products or services in this post may be affiliate links. If they are, we may receive a small commission when you click on it. Rest assured, your price will be the same!)