
ITS News



In this issue...

Message from the VP

A summary of new campus technology projects, pilots, plans, and services!

Got NIS?

NIS will be required to access all campus computing resources.

Student E-mail: It's Official

E-mail is soon to be an official means of communicating with students.

Spear Phishing

Beware of a dangerous cyber scam!

More CSULA Hotspots

Expanded campus wireless coverage with hotspots in the E&T building!

ITS At Your Service

New workshops, services, and hours of operation

ITS News is published by Information Technology Services

E-mail suggestions to: itsnews@calstatela.edu

Peter Quan
Vice President and CTO
Information Technology Services

Carol Melton
Editor/Writer

Dennis Kimura
Newsletter Design


Fall 2007

California State University, Los Angeles

Spear Phishing

a dangerous cyber scam

Image: Man holding back a huge envelope, as if to prevent it from advancing towards him

More sophisticated than a spoofed e-mail message. More sinister than a typical phishing scam. It’s "spear phishing," a combination of phishing, spoofing, and social engineering that brings dastardly digital deeds to a new low level.

In general, phishing (pronounced “fishing”) is a technique using e-mail, Instant Messaging, or phone calls to trick someone into divulging personal, confidential, or financial information by impersonating (spoofing) a known or legitimate person, company, or organization.

A typical phishing scam might involve sending a spoofed message to millions of people in hopes of getting a percentage of them to “take the bait.” For example, the message appears to come from eBay, Bank of America, the CIA, or another commonly known source. The logos look authentic, the phone numbers are correct, and the hyperlinks look real. But they are all “spoofed” to make the e-mail recipient believe they’re real. That’s the bait – making the message look real. When recipients believe the message is from a reliable source, they are more likely to comply with the instructions in the message. Spear phishing is even more devious.

How Spear Phishing Works

Spear phishing ratchets the scam up a notch. Not only does the message look real, but now it appears to come from someone who’s known to be in the same company, school, or organization as the recipient. The message may contain the correct logo, name, e-mail address, and phone number of a real company and person, whose contact information can easily be obtained from public Web sites or other directories. A spoofed message will look like it’s actually coming from someone at your company or school.

Once the recipient believes this is a legitimate message, the “phisher” has almost succeeded. So far, the recipient has no reason to suspect foul play. That’s the bait – the social engineering part of the scam – to make the recipient more apt to follow the instructions in the message, like clicking a link or voluntarily supplying confidential information. When that happens, spyware or other malware may begin to download. A virus, worm, or Trojan horse may be unleashed, taking over the reader’s computer. Or, the link may go to a spoofed Web site where the recipient is asked to enter confidential or account information. The message might ask the recipient to reply to confirm name, address, date of birth, driver license number, and Social Security number. If the recipient does any of these things, the scam has worked and done its damage.

Avoid Being a Victim

Here are some things you can do to avoid being the victim of spear phishing:

  • Trust no one.
    Be skeptical of all your e-mail messages – especially when it concerns account or confidential information. Expect that cyber scammers are out there trying to dupe you into compromising your computer or personal information.
  • Never e-mail confidential information.
    Legitimate financial institutions do not request confidential information by e-mail. If you receive a suspicious e-mail message or if you’re in doubt, look up the telephone number and call your bank, credit card company, or lender yourself. Ask to speak to a manager, and ask if that institution sent you the e-mail message. Even if the message turns out to be legitimate, never give out your financial or confidential information by e-mail.
  • Do not click on links in e-mail messages!
    Go to the Web site of the organization named in the e-mail on your own. Enter the Web address in your browser yourself. Do not click on any links to get there.
  • Do not open any attachments in a suspicious e-mail.
    Call the sender before opening attachments, and make certain the message and attachment are legitimate.
  • If a message looks like spear phishing, report it immediately.
    Call your organization’s or university’s help desk to report suspicious “spear phishing” e-mail messages.
  • Consider using an anti-phishing tool on your browser that can warn you of known phishing or suspicious Web sites.
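
Two of the tells described above can be checked mechanically before anyone clicks: a sender whose display name claims the organization while the actual address belongs to some other domain, and a link whose visible text shows one Web address while the underlying link points somewhere else. The following script is an added example written for this article; it is not code from ITS or from the newsletter. The organization domain in TRUSTED_DOMAINS and both sample messages are constructed assumptions.

```python
"""Flag two spear-phishing tells in a raw e-mail message (added example, not from the newsletter):
1. the From display name claims a trusted domain, but the address is from another domain;
2. an HTML link's visible text names one host, but its href points to a different host."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domain(s) your own organization sends mail from.
TRUSTED_DOMAINS = {"calstatela.edu"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Return the lower-cased hostname of a URL or URL-like text, or None if it is not one."""
    value = value.strip()
    if " " in value or "." not in value:
        return None  # plain words such as "Click here" carry no host to compare
    candidate = value if "://" in value else "http://" + value
    host = urlparse(candidate).hostname
    return host.lower() if host else None


def find_phishing_tells(raw_message):
    """Return a list of human-readable warnings; an empty list means neither tell was found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []

    # Tell 1: display name drops the organization's domain, address does not belong to it.
    name, addr = parseaddr(msg.get("From", ""))
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = {d for d in TRUSTED_DOMAINS if d in name.lower()}
    if claimed and addr_domain not in TRUSTED_DOMAINS:
        warnings.append(f"sender name claims {sorted(claimed)} but address is @{addr_domain}")

    # Tell 2: the address shown to the reader is not the address the link goes to.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            real, shown = _host(href), _host(text)
            if real and shown and real != shown:
                warnings.append(f"link text shows {shown} but points to {real}")
    return warnings


# Constructed sample: looks like an internal notice but fails both checks.
SAMPLE_MESSAGE = """\
From: "Cal State L.A. ITS Help Desk (calstatela.edu)" <helpdesk@mail-alert.example>
To: student@calstatela.edu
Subject: Action required: confirm your NIS account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Verify at
<a href="http://www.calstatela.edu.account-verify.example/login">www.calstatela.edu/nis</a>
or read the policy at <a href="https://www.calstatela.edu/its">www.calstatela.edu/its</a>.</p>
</body></html>
"""

# Constructed sample: a genuine-looking internal notice that passes both checks.
CLEAN_MESSAGE = """\
From: "ITS Help Desk" <helpdesk@calstatela.edu>
To: student@calstatela.edu
Subject: Workshop schedule
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://www.calstatela.edu/its">www.calstatela.edu/its</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, find_phishing_tells(raw) or ["no tells found"])
```

The checks are deliberately conservative: link text that is not itself a Web address (such as "Click here") is ignored, because there is nothing to compare it against, and the sender check only fires when the display name explicitly names a trusted domain. A message that passes both checks is not therefore safe; the advice above about typing the address yourself and confirming by telephone still applies.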

For more information on phishing, see the Anti-Phishing Work Group Web site at: http://www.antiphishing.org/.
