What is Spear Phishing

What is Spear Phishing?

Spear Phishing is the practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information. Fancy words for a hacker sending an email to trick you into giving out your passwords or other information that could compromise your data, bank accounts, or mail accounts. We’ve put together an infographic below to help you identify a phishing email and know what to do if you encounter one, plus a short guide to the most common phishing attacks. Phishing emails can take many forms, but their purpose is to get as much of your personally identifying information as possible to commit some type of fraud. It would not be uncommon for the attack to also leave malware on your PC. That malware could be using your PC to attack other PCs, watching your keystrokes for bank account information or passwords, or scanning your drive for additional information.

There are 6 common phishing attacks – so here are a few ways to protect yourself against them.

1. Deceptive Phishing (Trick you into giving details that allow access to accounts)

You may get an email from what looks like your bank asking you to log in to their site to verify your account, or to be sure you don’t lose access to your account. Chances are it will have a link in the email that conveniently goes to the “bank” site. Do not use the link. Manually go to your bank’s website. If something really does need your attention at the bank, you would be alerted on the online dashboard.

2. Spear Phishing (Using a known contact or brand, tricks you into giving details that allow access to accounts)

Similar to deceptive phishing, but it uses a person or company known to you. You may get an email from what looks like a friend of yours or a company you’ve done business with. Chances are the email will contain a link to a site that you would normally log into, like your bank, a social media site, or your PayPal account. Without thinking, you enter your credentials to get access to the site, but something looks very off. It’s not what you’re expecting, and you’ve just given your account credentials to a spear phisher. Always manually type in any web address instead of using an email link.
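The advice in items 1 and 2 boils down to one check: the address a link displays is not necessarily where it goes. The following Python script is an added example, not part of the original article, showing how a mail filter or a cautious user can make that check mechanically: it pulls every link out of an HTML email body, compares the domain shown in the link text against the domain the link actually points to, flags links that are not HTTPS, and flags domains that are not on a personal allow-list. The email body, the `.test` domains and the `TRUSTED_DOMAINS` list are all constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body in the style the article describes: the first link
# displays the real bank's address but points at a look-alike host over plain HTTP.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account to avoid losing access:</p>
<a href="http://secure-login.example-bank-verify.test/login">https://www.example-bank.test/login</a>
<p>Regards, Example Bank</p>
<a href="https://www.example-bank.test/help">Help center</a>
"""

# Hypothetical allow-list: the domains this recipient actually does business with.
TRUSTED_DOMAINS = {"example-bank.test", "paypal.test"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive registrable domain (last two labels). Production code should use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable warnings for one link; an empty list means nothing suspicious."""
    findings = []
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme != "https":
        findings.append("not https")
    # Link text that itself looks like a URL must point at the same domain it shows.
    shown = re.match(r"https?://([^/\s]+)", text)
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        findings.append(f"text shows {shown.group(1)} but link goes to {host}")
    if registered_domain(host) not in trusted:
        findings.append(f"{host} is not a domain you know")
    return findings


def scan_email(html):
    """Map each href in the email to its warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyze_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, warnings in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", warnings or "ok")
```

Run on the sample, the first link earns all three warnings while the genuine help-center link earns none. The allow-list is the important design choice: rather than trying to recognise every bad domain, the script only trusts the handful of domains you already use, which is the same rule the article gives in human form.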

3. CEO Fraud (Compromising an executive email account in order to transfer funds)

Also called a whaling attack, this type impersonates an authority figure via email and directs financial institutions or employees to transfer funds fraudulently. Many times, CEOs and other executives don’t participate in security awareness training with their employees, so they fall for phishing and spear phishing attacks. Their passwords are then compromised and their email accounts are hacked. If you’re a C-level executive, attend ongoing security awareness training.

4. Pharming (Redirecting a user to a fake website to login to or make payments to)

This type of attack reroutes a web address to a new location, or website. Any website can be copied to look like the real site, and you could be routed to it and not notice the difference right away. An easy way to keep yourself from becoming a victim of this type of attack is to be sure any site you are giving credentials to has https: on it. Just to the left of the https, the security certificate of the site will show up as a lock with the word “Secure” next to it (in Chrome), as a lock (in Edge), or at the right side of the address bar as a lock (Internet Explorer). Without any of those security features on a website, do not give out your credentials.

5. Dropbox Phishing (phishing to get Dropbox credentials)

Like a regular phishing attack, a Dropbox phishing attack is after your credentials – to Dropbox specifically. Usually this attack will come via email and ask you to go to Dropbox to view a file using their handy link. Do not use the link; only go to Dropbox by manually typing in the address. Millions of people use Dropbox as a way to store and share files. Once the attacker has your credentials, they have access to everything you do. One way to help prevent an attacker from getting your data is to enable 2 step verification. Normally, you log in to anything with a user name and password. 2 step verification requires that you enter a code as well, usually sent to your phone via text. Even if an attacker got your credentials, they wouldn’t have the code to actually get into your account.
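To show why the second step defeats a phished password, here is an added example (not code from the article, Dropbox or Google) of the most common form of 2 step verification, the six-digit time-based code from an authenticator app (RFC 6238 TOTP built on RFC 4226 HOTP), plus a login routine that requires both the password and the current code. It uses only the Python standard library. The user record, the salt and the secret are constructed for the demo; the secret is the ASCII string from the RFC test vectors, so the codes it produces can be checked against the published values. The same mechanism applies to the Google account advice in item 6.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the ASCII reference key used in the RFC 4226 / RFC 6238 test vectors.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_code(secret, submitted, at=None, step=30, window=1):
    """Accept the current code or one step either side (clock skew, typing delay), comparing in constant time."""
    now = int(time.time()) if at is None else at
    return any(
        hmac.compare_digest(totp(secret, now + drift * step, step), submitted)
        for drift in range(-window, window + 1)
    )


def _hash_password(password, salt):
    # Salted PBKDF2 so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record: only a salted password hash plus the shared TOTP secret is stored.
_SALT = b"demo-salt-not-for-production"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        "totp_secret": DEMO_SECRET,
    }
}


def login(username, password, code, at=None):
    """Both factors are always evaluated; a phished password without the current code fails."""
    user = USERS.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = verify_code(user["totp_secret"], code, at=at)
    return password_ok and code_ok


if __name__ == "__main__":
    # The RFC test vector: at Unix time 59 the 6-digit code is 287082.
    print("code at t=59:", totp(DEMO_SECRET, at=59))
    print("password only:", login("alice", "correct horse battery staple", "000000", at=59))
    print("password + code:", login("alice", "correct horse battery staple", totp(DEMO_SECRET, at=59), at=59))
```

The point a phisher runs into is visible in `login`: the code is derived from a secret that never leaves the authenticator app and the server, and it changes every 30 seconds, so a password captured on a fake login page is useless a minute later. Codes sent by text are weaker than app-generated ones (they can be intercepted or redirected), but both stop the plain credential-theft attack the article describes.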

6. Google Docs Phishing (phishing to get access to your Google account)

Much like the Dropbox scam, attackers want access to your Google account. Google knows more about me than my mother, and probably about you too if you’ve used their mail, browser, docs, etc. The attackers will phish you, typically by email, wanting you to access a Google Doc and providing you a link. Never use the link. Go directly to Google and log in there. Consider implementing 2 step verification at Google as well to protect your account(s). For more information about Spear Phishing, check out this article from our friends at Webroot.