Don't Get Caught by Spear Phishing
Published, January 24, 2013
In a previous Privacy Tip titled, “Don't Get Caught by Phishing,” phishing was described as a criminal activity in which an adversary attempts to fraudulently acquire sensitive information by impersonating a trustworthy person or organization. A rising cyber threat called spear phishing takes this email threat to a new level.
Instead of sending thousands of emails randomly, hoping a few victims will respond, spear phishing targets select groups of people with something in common—they work at the same organization, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The emails are ostensibly sent from organizations or individuals the potential victims would normally get emails from, making them even more deceptive. Spear phishing emails may contain personal data such as your name, phone number, address, or work related information. For cyber thieves, the ultimate goal is to extract personal information to commit identity fraud.
How spear phishing works
First, criminals need some inside information on their targets to convince them the emails are legitimate. They often obtain it by combing through other websites, blogs, and social networking sites.
Then, they send emails that look like the real thing to targeted victims, offering all sorts of urgent and legitimate-sounding explanations as to why they need your personal data.
Finally, the victims are asked to click on a link inside the email that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, etc.
Once criminals have your personal data, they can access your bank account, use your credit cards, and create a whole new identity using your information.
Spear phishing can also trick you into downloading malicious codes or malware after you click on a link embedded in the email; this is an especially useful tool in crimes like economic espionage where sensitive internal communications can be accessed and trade secrets stolen. Malware can also hijack your computer, and hijacked computers can be organized into enormous networks called botnets that can be used for denial of service attacks.
How to avoid becoming a spear phishing victim
Reporting spear phishing
- Keep in mind that most companies, banks, agencies, etc., don't request personal information via email. If in doubt, give them a call (but don’t use the phone number contained in the email—that's usually phony as well).
- Never follow a link to a secure site from an email—always enter the URL manually.
- Never open attachments from strangers.
- Requesting that your friends and co-workers notify you before they send an attachment will also reduce your risk of becoming an identity theft victim.
- Never assume that just because you know the address the email was sent from means it's safe.
- Always monitor your financial accounts and check your credit reports.
For all email account holders: File a report with the Federal Trade Commission at www.ftc.gov/complaint.
For NMCI Outlook users: The Exchange servers have anti-spam filters to keep spear phishing to a minimum. When you receive a suspected spear phishing message, create a new message or forward the entire message, including the original header information, for investigation and to effectively block future messages from the sender. Send suspect email with "SPAM" in the subject line to: NMCI_SPAM@navy.mil for Navy users, or firstname.lastname@example.org for Marine Corps users.
Spear phishing resources
The following list of resources provides additional information:
View more Privacy Tips.