Phishing is a criminal activity in which an adversary attempts to fraudulently acquire sensitive information by impersonating a trustworthy person or organization. A rising cyber threat called spear phishing takes this email threat to a new level.
Instead of sending thousands of emails to random recipients hoping a few will respond, spear phishing targets select groups of people with something in common. For example, they may work at the same organization, bank at the same financial institution, attend the same college, or order merchandise from the same website. The fraudulent emails are supposedly sent from organizations or individuals that the potential victims would normally receive emails from, which makes them even more alarming because the perpetrators already know specific information about the potential victims.
Spear phishing emails may contain personal data such as a person’s name, phone number, address or work-related information. For cyber thieves, the ultimate goal is to extract personal information to commit identity fraud.
How spear phishing works
First, cyber criminals need some inside information about their targets to convince these potential victims the emails they are sent are legitimate. The criminals often obtain this information by combing through websites, blogs and social networking sites where unsuspecting users reveal personal details of their lives.
Once they have obtained enough information, the criminals send emails that look legitimate to the recipients, requesting personal data by offering urgent and realistic explanations as to why they need it. Finally, the victims are told to click a link in the email that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, usernames, access codes and personal identification numbers. Once criminals have this type of personal data, they can access bank accounts, use credit cards, and create a new identity using the stolen information.
Spear phishing can also trick victims into downloading malicious code or malware after they click on a link embedded in the email. This is an especially useful tool in crimes such as economic espionage, where sensitive internal communications can be accessed and trade secrets stolen. Malware can also hijack computers, which then can be organized into enormous networks called botnets that can be used for denial of service attacks. The most commonly used file types in spear phishing attempts are .RTF, .XLS and .ZIP.
Do not become a spear phishing victim
Take these precautions:
- Most companies, banks, agencies and other legitimate businesses do not request personal information via email. If in doubt, contact the business, but do not use the phone number provided in the email.
- Never click a link embedded in an email. Enter the URL manually in a browser.
- Never open attachments from strangers.
- Tell friends and co-workers to notify you before they send an attachment. This will reduce your risk of becoming an identity theft victim.
- Never assume that an email is safe just because you recognize the address it was sent from.
- Always monitor personal financial accounts and check credit reports.
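The precautions above (do not click embedded links, be wary of attachments) and the file types named earlier (.RTF, .XLS, .ZIP) can be turned into a simple triage check a help desk or security team could run on a reported message. The following is an added example, not code from the article or from any organization it mentions: it uses only Python's standard library to parse a raw email, list attachments with the risky extensions the article names, and flag links whose visible text names one host while the underlying href points somewhere else. The sample message, its domains (bank-example.test, attacker-example.test) and the attachment bytes are constructed placeholders; the host comparison is deliberately simple and treats any difference in hostname as a mismatch.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types the article names as the most common in spear phishing attempts.
RISKY_EXTENSIONS = {".rtf", ".xls", ".zip"}


class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def risky_attachments(msg: EmailMessage) -> list:
    """Return attachment filenames whose extension is in RISKY_EXTENSIONS."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            found.append(name)
    return found


def _host(url: str) -> str:
    # Normalise bare hostnames ("www.example.test") and full URLs alike.
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def mismatched_links(html: str) -> list:
    """Return (href, text) pairs where the link text looks like a host or URL
    but its hostname differs from the href's hostname."""
    parser = _LinkParser()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        if not href:
            continue
        # Only compare when the visible text itself resembles a domain name.
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I):
            if _host(text) != _host(href):
                out.append((href, text))
    return out


def analyze(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report the two indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = ""
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        html = body.get_content()
    return {
        "from": msg["From"],
        "risky_attachments": risky_attachments(msg),
        "mismatched_links": mismatched_links(html),
    }


def build_sample() -> bytes:
    """Constructed sample message (hypothetical domains) for offline testing."""
    msg = EmailMessage()
    msg["From"] = "accounts@bank-example.test"
    msg["To"] = "employee@example.test"
    msg["Subject"] = "Urgent: verify your account"
    msg.set_content("Please verify your account within 24 hours.")
    msg.add_alternative(
        '<p>Please sign in at <a href="http://login.attacker-example.test/verify">'
        "www.bank-example.test</a> within 24 hours.</p>",
        subtype="html",
    )
    # Placeholder bytes standing in for a ZIP attachment; not a real archive.
    msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                       subtype="zip", filename="statement.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyze(build_sample()))
```

Running the block on the constructed sample reports the `statement.zip` attachment and the link whose text reads `www.bank-example.test` but whose href points at `login.attacker-example.test`. A real message saved from a mail client (`.eml`) can be fed to `analyze()` the same way; the check is an aid for triage, not a substitute for reporting the message as the article describes.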
Report spear phishing
It is important to report incidents of spear phishing attempts and successes to the Federal Trade Commission (FTC) at www.ftc.gov/complaint. The FTC maintains a secure online database that is used by law enforcement authorities worldwide. Such reports help authorities determine patterns of behavior, which lead to investigations and prosecutions.
The Navy Marine Corps Intranet email exchange servers have anti-spam filters to keep spear phishing to a minimum. However, when a suspected spear phishing message is received, send it with the word "SPAM" in the subject line, including the original header information, to:
NMCI_SPAM@navy.mil for Navy users or
firstname.lastname@example.org for Marine Corps users.
Spear Phishing Resources
The following list of resources provides additional information about spear phishing: