Spear Phishing - Dangers of the Not So Deep
In this article, we will look specifically into spear-phishing and inform you exactly how it works, how you or your business could become a target and how best to prevent it.
Keep reading to find out more on spear phishing:
What is Spear Phishing?
You may have heard about a spear phishing attack and wondered what on earth it is and how it relates to online security?
Let’s firstly look at the definition:
The most common Spear phishing definition (also known as spear fishing) is a targeted cyber attack usually in the form of an email or other online messaging formats. The targets are often well-researched and the attackers normally disguise themselves in the email as a prospective buyer, trustworthy friend or business, with the sole purpose of gaining personal information, financial information or passing on malicious and harmful software. This is a clever type of cyber attack as the emails and messages can often appear genuine. Data on the victim is acquired through information found online such as names, friends, online purchases, locations, and employers, etc. Spear fishing is said to be one of the most successful methods of gaining private information online. You have probably been a target or perhaps even a victim of this type of cybercrime. Luckily, many of these emails go straight to your spam folder, but some inevitably fall through the net and find themselves in your inbox. Read on to find out how you can detect whether an email is genuine and how to avoid getting scammed.
What is Spear Phishing’s Difference to Phishing?
In essence, one of these types of cyber attack is targeted whilst the other is more of a blanketed attack. The two different types of online attack are similar in the way in which they target you through emails or online messaging services (including smartphones). The main difference is that online phishing is a generic term for an online attack that tricks users into giving away private information, credit card details, and usernames, etc.
If you have ever received an email such as this then you will be aware that the attacker will disguise themselves as a trustworthy business or person looking to gain information to “help” you in some way – the truth is that they are planning to use this information for malicious reasons. They can target you via email, social media, text messages and phone calls.
The Spear phishing definition points to something different in that the attack is targeted to the individual. It’s particularly nasty because the online attacker has already found some information on you online and will try to use this to gain even more information. A phishing attack often shows up in your inbox as a spoof email that has been designed so it looks like the real deal. It might be an email from your bank, telling you that it needs more personal information and you will be given a link to follow which will collect your information or download malware onto your system or even an email from your boss asking for sensitive data.
Spear phishing is where the email is targeted to an individual or company. It will usually contain personal information in order to gain your trust and seem legitimate. This makes this type of attack more difficult to detect and therefore we are seeing more and more of these on a daily basis.
How Does Spear Phishing Work?
A spear phishing attack uses clever psychology to gain your trust. Not only will the emails or communications look genuine – using the same font, company logo, and language but they will also normally create a sense of urgency. Take a moment to think about how many emails you receive on a daily basis. How many accounts are you managing and how many of those accounts require passwords and usernames, etc?
If you suddenly receive an email telling you that your username has expired and needs updating, or your account will be removed, then you are likely going to feel a sense of panic. This is how these targeted emails work. They need you to act fast and overlook the small details in the email that give the game away that it is a faux email account. Which is something we will look at in more detail later.
A spear phishing email will normally contain a link to follow or an attachment that you need to open. The attachment or link will either be used to gain personal information from you such as bank details or personal information or it will contain malicious software that will likely pass a virus onto your system.
How Dangerous is Spear Phishing?
This type of cyber attack should not be dismissed. These attacks can easily go undetected and can get its users into a whole heap of trouble. The best-case scenario is that you will open a malicious email and realize that it’s fake. Otherwise, a nasty URL or attachment could destroy your system and flood it with nasty malware. If these cybercriminals get access to personal information that is only available to you, such as bank details and home address, etc, then the end result could be catastrophic. Identity theft and money theft are rife on the internet, so it’s important to be aware of what you should look out for.
How Can You Detect a Spear Phishing Attack?
Luckily there are quite a few tell-tale signs in a spear phishing attack.
Here are the main signs:
As mentioned above, a spear phishing attack will always create a sense of urgency. The aim of the attack is to gain information from you or to get you to open up a link or attachment…fast. Look out for emails that seem unusually urgent (“you must act now” “follow the link today” etc) and emails that are attempting to fast-track information and break the usual rules, like adding personal information to a bank account via email, etc (which is something a bank will never ask you to do).
Normally, this is what will give a spear-phishing scam away straight away. Look at the language used – are there any obvious spelling errors or grammatical errors? If the email is peppered with spelling mistakes, then it’s likely to be fake. Even if it contains one or two, it will normally be fake too. Does the language used in the email fit the brand?
For example, does it contain language that seems too formal or too informal? If the email claims that it is being sent from a friend or colleague, then does it sound like their usual style or does something seem a little off? Another sign to look out for is overly emotive language that seems too personal or threatening. If you have any doubts, then contact the company or person via their genuine phone number or email address – never reply to an email if it doesn’t seem right.
One of the fastest ways of detecting a spear phishing scam is to check the email address. Phony email addresses can either look obviously fake ( think something like 1234woRd@gmail.com) or similar to the real deal but a little different. Look for inconsistencies. A quick check on Google should bring up official email addresses too.
If the company uses a logo on the sign off at the bottom of an email then how does it look? Often it will look the same but on closer inspection, the graphics may appear blurry or pixelated. This is normally because they have been copied and so won’t share the same quality of an original email.
How to Avoid a Spear Phishing Attack
Luckily, there are quite a few things you can do to avoid a spear phishing attack.
Here are our top tips on how to avoid being scammed:
If It Seems Too Good To Be True, It Is!
If you are being offered something in turn for your cooperation and it seems too good to be true, it is! You don’t get something for nothing and so if the email you receive is making grand promises, then it’s likely an attempt at fraud.
Check Language & Email Address
We can’t say this enough. If the email claims to be from a professional company, then the language of the email will reflect this. Many companies have a specific person who writes the emails and if it’s a big company, then they might even use their own professional copywriter. If you spot spelling errors or language that seems off, then you are probably being phished for information.
Use a VPN
Using a VPN (or Virtual Private Network) ensures that your data is encrypted and safe from prying eyes, so the likelihood of you being phished in the first place is minimized. In the unlikely event that you would be hacked through a VPN, your data would be useless and unreadable to anyone apart from the key holder (which is you).
Use AntiVirus Software
In this day and age there should be no reason not to use antivirus software to protect you or your company’s data. Antivirus software can detect a spam email before it even arrives into your inbox, therefore reducing the risk of you opening an email that could contain a malicious virus. Some antivirus software can even run scans through your inbox to detect potential threats.
Use Multi-Factor Authentication
This can prevent phishing attacks and adds an extra layer of security to your data. If you own a business, then it makes sense to implement this as part of your online security strategy. It means that if your system is hacked, then cyber attackers will need to get through an additional level of security to get extra secure information.
Keep Your System Up-To-Date
This is something that is often overlooked but never underestimate the power of a system update! Keeping your computer or smartphone updated is essential as operating systems are always updating for security patches so your online security is not compromised in any way. Updates can detect the latest phishing techniques to prevent you from falling victim to cyber-attacks.
It’s vital to put initial security measures in place to prevent your systems from being attacked. Using a VPN and good quality antivirus software will help a great deal. If an email, text or social media message seems off then investigate further. Look at the grammar and the way in which it has been written. Look at the graphics and the email address. Does it all seem legit? If you suspect anything wrong, then contact the company or person directly (not using any information provided in the body of the email). If the email is a scam then report it immediately.
We need to work together to fight ongoing cybercrime.