Spear Phishing Attacks

Spear Phishing Attacks

MyPath homepage overlayed on college campus

Spear phishing is an ultra-targeted phishing method whereby hackers — or spear phishers — pose  as a known or trusted sender to appear more legitimate than a typical phishing email. With the treasure trove of information available on the internet and social media, spear phishing has become more common and represents a danger to the system. And the strength of these cyberattacks is that they’re tailor-made for victims and grounded in quality over quantity. The goals of those performing spear phishing can vary, from inducing a user to click a malicious link or opening a malicious attachment, to providing confidential information, or even initiating an unauthorized financial transaction.

Education is the best defense against spear phishing. Common tricks used by spear phishers include:

  • Sending fewer, better targeted emails. Phishers might send 100,000 emails in the hopes of getting one click. A spear phisher would rather send 5 emails customized to specifically trick you.

  • Registering similar domain names that appear similar on casual inspection. A spear phisher might replace characters that appear similar. For instance, a lower case “l” (L),  and upper case “I” (i) can appear identical and cause confusion. In a real example reported to us, a spear phisher used cccccoio.com to masquerade as cccco.edu.

  • Creating a false sense of urgency. Spear phishers will commonly demand that something is done *right now* or threaten grave consequences if it is not done.

  • Impersonate people who are known to be on vacation/out-of-office. If you post it to social media, there is a good chance that bad guys will see it and can impersonate you when you aren’t checking your email. On public social media, it is never a good idea to tell everyone that you are on vacation. Save those vacation photos for when you return.

In all cases, the best advice is to trust your gut. When something seems strange or suspect, there's a good chance it's spear phishing. It only takes a few minutes to independently verify the request with a quick call to a known legitimate phone number, whereas it takes countless hours to undo the damage of a successful spear phish.