Karen Pinner never thought she’d be on the wrong end of a “spear phishing” attack, but after a bogus AT&T representative offered her and her husband $40 credits, she got speared.
When the caller insisted she prove her identity by providing her date of birth and the last four digits of her Social Security number, the Louisiana grandmother complied. “He seemed legitimate,” she recalled. “He knew our phone numbers and billing information.” However, his insistence on getting part of her Social Security number made Pinner suspicious. Muting the phone, she asked her husband to check the caller’s number in a reverse phone lookup, which found the number wasn’t associated with AT&T. She hung up, but not before the scammer charged $400 on new equipment to her account.
Difference between phishing and spear phishing
Phishing is a scamming technique aimed at masses of people. Using phone, email or text, scammers pose as a legitimate company or individual in an attempt to get personal information or have victims download an attachment or click on a link for malicious purposes.
Spear phishing, on the other hand, targets a specific individual like Pinner. Scammers pose as representatives from a recognized company, or they’ll spoof an email—which involves creating an almost identical email address—to mislead the victim. Then, the attackers use personal information to gain victims’ confidence so they’ll provide more personal information, open an attachment or click on a link for malicious purposes.
Typical of spear phishing, the hacker gained Pinner’s confidence by knowing her phone number and address. Baiting her with $40 credits, he obtained the information he needed to access her online account. After paying the balance due with a fraudulent credit card, he was approved to purchase more AT&T equipment on her iPhone account.
Because she acted quickly, alerting AT&T about the fraud, Pinner’s story ended well. The fraud department froze the account, canceled the purchases, reinstated the charges and had the Pinners change their usernames, passwords and security questions. “We could have been on the hook for a lot of money,” she said.
How spear phishing attacks work
Spear phishing depends on two factors: knowledge of the victim and vulnerability of human nature.
Spear phishing attackers learn about you before making their first move. They may monitor social media and get your name, city, interests, purchases, memberships, employer and more. For example, if they see you recently purchased a car, they may pose as a representative from the dealership and even send emails or links to websites that appear to be legitimate.
Another common ploy: posing as a company executive to get you to reveal sensitive personal or corporate information. “Spear phishing is one of the best ways to get information from a company because employees are very likely to follow instructions when they think a communication is from a boss,” said Robert Lockrem, manager for network operations at a major security organization. In these kinds of targeted attacks, spear phishing emails are the most common weapon—used in 65% of all targeted attacks, according to Symantec’s 2019 Internet Security Threat Report.
What are the characteristics of a spear phishing message?
While spear phishing is hard to detect, the Federal Trade Commission lists some indicators that accompany these scams:
- Scammers send emails that mimic those of well-known companies, with logos or pictures.
- Attackers use lookalike domain names with minor differences, such as johnbrown@Wa1mart.com (instead of johnbrown@Walmart.com).
- Spear phishing phone callers may fake their caller ID, so you’ll think it’s from someone you trust.
- Scammers trick you into clicking on a link or opening an attachment. Common approaches include:
  - Suggesting you qualify for a government refund.
  - Saying there is a problem with your account, such as a rejected payment or suspicious activity.
  - Sending fake invoices from fraudulent companies.
  - Offering coupons for free gifts or other free offers.
It may look as nonthreatening as this:
Thank you for your recent purchase at The Home Depot.
To view your receipt, click on the following link:
http://HoneDepot.com/customerreceipt.com (note: “Hone” instead of “Home”)
How to protect yourself against a spear phishing attack
- Limit what you put on the internet. Attackers can use the smallest detail to gain your confidence and scam you.
- Limit access to social posts. Configure privacy settings on social posts so only select people are privy to them.
- Use smart passwords. Make them complicated and unique for each account. Use a password manager for added security.
- Employ multifactor authentication. It takes two or more credentials to log in to your account.
- Verify the source. Use resources like a reverse phone or email search tool to try and check suspicious phone calls and emails before responding to them.
- Check the link. Not sure about a link? Lockrem suggests the following: Hover over the link with your mouse to examine the link address without clicking on it. If the email is supposed to be from PayPal, but when you hover over the link it says www.gonnagetyourmoney.com, or some other unrelated website, be careful.
- Scrutinize addresses. Scrutinize sender email addresses and website addresses to make sure they’re genuine. They may be spoofed and differ imperceptibly. For example: “www.homeḍepot.com” instead of “www.homedepot.com”. (Note the dot beneath the first “d.”)
- Never take the bait. Never click on links or open attachments in emails. Legitimate businesses will never ask you to do that. Instead, contact the person or company directly through normal means.
- Keep it private. Never give passwords or sensitive information over the internet, even if you think you know the person or organization requesting it.
- Stay secure. Use security software on your computer and mobile phone and update it regularly. Better yet, enable automatic updates.
- Don’t be spoofed. Caller ID can be spoofed to reflect a different caller number. Before supplying information, call the person or business directly.
- Call the boss. At work, if you receive an email that appears to be from your boss asking you to click on a link or open a document, Lockrem recommends you contact your boss to verify the email. If it’s bogus, forward the email to your security team.
- Report it. If you fall for a scam, contact IdentityTheft.gov for help or, if at work, report it immediately to security.
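As an added example (not part of the original article), the following Python implements the checks described in this list and in the earlier list of warning signs: it collapses homoglyphs such as the dotted “d” in homeḍepot, undoes digit-for-letter swaps such as Wa1mart, flags a name one letter away from a trusted brand such as HoneDepot, and compares where a link really goes with the site a message claims to be from. The trusted-domain list and the substitution table are constructed sample data, not a real allow-list.

```python
import unicodedata
from urllib.parse import urlparse
# Brand domains to compare against (constructed sample list, not a real allow-list).
TRUSTED_DOMAINS = ["walmart.com", "homedepot.com", "paypal.com", "att.com"]
# Digit-for-letter swaps seen in lookalike names such as Wa1mart (constructed, not exhaustive).
SUBSTITUTIONS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def host_of(url):
    """Lower-cased host of a URL or bare domain, minus any leading 'www.'."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def skeleton(domain):
    """Collapse to plain ASCII so homoglyphs fall away (NFKD splits 'ḍ' into 'd' + a combining dot)."""
    decomposed = unicodedata.normalize("NFKD", domain)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return ascii_only.translate(SUBSTITUTIONS)

def edit_distance(a, b):
    """Levenshtein distance; catches one-letter swaps such as HoneDepot for HomeDepot."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_domain(domain):
    """Reasons a domain looks like an imitation of a trusted one ([] when it is clean)."""
    domain = host_of(domain)
    if domain in TRUSTED_DOMAINS:
        return []
    reasons = []
    if any(ord(c) > 127 for c in domain):
        reasons.append("non-ASCII characters in domain name")
    skel = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        if skel == trusted:
            reasons.append(f"normalizes to trusted domain {trusted}")
        elif edit_distance(skel, trusted) <= 1:
            reasons.append(f"one character away from {trusted}")
    return reasons

def check_link(claimed_domain, href):
    """Compare where a link really goes with the site the message claims to come from."""
    target, claimed = host_of(href), host_of(claimed_domain)
    reasons = check_domain(target)
    if target != claimed and not target.endswith("." + claimed):
        reasons.append(f"message claims {claimed} but link goes to {target}")
    return reasons
```

Run check_link("homedepot.com", "http://HoneDepot.com/customerreceipt.com") on the sample receipt email above and it returns two reasons; a clean link such as https://www.walmart.com/account returns none.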
Spear phishing is an increasingly popular scam that is easy to fall for and hard to spot. If you follow the above recommendations, however, you’ll find that a little caution can go a long way in protecting yourself from an attack.