Spear Phishing: a New, Targeted Twist on Phishing

You’re probably familiar with the cyberattack known as “phishing.” The hackers and crooks who engage in this send out automated mass emails, which appear to be from well-known institutions, such as banks, or ecommerce leaders, like Amazon.

They hope to catch as many unsuspecting people as possible, who become victims by falling for a ploy that gets them to give up credit card or banking information. Alternately, the email could come harboring a virus or other malware, designed to wreak havoc on the recipient’s computer or network. And, boom, your data is encrypted for ransom.

Spear phishing, the latest twist on phishing, is a more insidious attack, because the hacker uses familiarity with his intended victim to make his entrée and do his damage. In a spear-phishing attack, the hacker uses a victim’s web presence – yes, by stalking Facebook, Instagram and Twitter – to glean useful personal bits of info, and then crafts a specifically targeted, manually sent email that appears to be from someone the victim knows.

A spear attack email is likely to:

  • Use the recipient’s first name; instead of “Dear sir,” it’s “Hi Paul.”
  • Come “from” someone known to be associated with the recipient; a boss, coworker, or family member. Usually, however, the actual sender’s address contains just enough of a misspelling to go unnoticed.
  • Begin with a salutation that mentions a “mutual friend” or maybe something the recipient just posted on a social media site, such as a recent vacation or online purchase, in an effort to build trust.
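The second point above, the sender address that is off by just one or two characters, is something a mail gateway or mailbox rule can catch. As an added example that is not part of the original article, the Python check below compares the domain of each From: header against the domains the recipient normally corresponds with and flags near-misses; the trusted-domain list and the sample headers are constructed for illustration.

```python
# Added example (not from the original article): flag look-alike sender domains.
# A spear-phishing "From:" address often differs from a trusted domain by one
# or two characters (a swapped digit, "rn" in place of "m", a dropped letter).
# This check measures edit distance between the sender's domain and each
# domain the recipient legitimately exchanges mail with.
from email.utils import parseaddr

# Constructed sample of domains this mailbox legitimately receives mail from.
TRUSTED_DOMAINS = {"example.com", "examplebank.com", "amazon.com"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain part of a From: header ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this sender imitates, or None.

    An exact match is legitimate (None). A domain within max_distance edits
    of a trusted one, but not equal to it, is reported as a look-alike.
    """
    domain = sender_domain(from_header)
    if not domain or domain in trusted:
        return None
    best = min(trusted, key=lambda t: levenshtein(domain, t))
    return best if levenshtein(domain, best) <= max_distance else None


if __name__ == "__main__":
    # Constructed sample headers: one genuine, two near-misses of the boss's
    # domain, and one unrelated domain that should not be flagged.
    for hdr in ("Boss <boss@example.com>", "Boss <boss@exarnple.com>",
                "Boss <boss@examp1e.com>", "Newsletter <news@unrelated.org>"):
        print(hdr, "->", lookalike_of(hdr))
```

A flagged message is not proof of fraud, only a cue to verify the sender out of band before acting on anything it asks for.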

The spear phisher hopes that the familiarity makes the recipient less hesitant to give up the information he’s seeking. For instance, if the recipient has posted pictures from a vacation, the phisher could ask for his password to a photo site (like Flickr), saying he’d like to purchase one of the recipient’s photos for a feature he’s working on. Then the hacker will use that password, or variations of it, to try to get into his victim’s Amazon account.