In modern business, it’s not just viruses that endanger our computer data security. Phishing, a form of social engineering, puts just as much data at risk as computer-coded threats do, if not more. Even more insidious and dangerous is spear phishing. Spear phishing is more targeted: it may be an email message that looks like it comes from your boss, or from someone in your company who might mass-email everyone, such as the heads of IT or human resources.
Phishing: A Bigger Threat Than You Might Think
Just how susceptible are people to spear phishing? Researchers have been performing studies to try to find out. In a 2004 experiment, 500 West Point cadets were sent a spear phishing email. 80% of them fell for the fake email and revealed personal information.
Four of five cadets fell for a spear phishing attempt. That’s how cleverly disguised these spear phishing emails often are. This isn’t spam like we saw in the old days of “V1AG4A” ads and crude attempts to lure you with fake, but real-sounding sender names. Spear phishers target groups of people who have something in common. Spear phishing campaigns might target customers of a financial institution, shopping website, or college. Because people expect to receive email from their bank, places they shop, or their alma mater, they are more likely to fall for these deceptive spear phishing emails.
How Spear Phishing Works
Spear phishing is a targeted effort, just as the name implies. To begin with, the criminals assemble an email list of the targeted institution. Sometimes this is done by hacking into the organization’s network, which is often done via social engineering. Other times hacking isn’t even necessary: just combing through public records or social networking sites can provide the data the criminals are looking for.
Then an email is created to look like it came from the organization, and sent out to potential victims. The “from” information in the email is faked, or “spoofed,” to add legitimacy. Often the email has a link, and asks you to confirm your identity by logging in to the spoofed organization’s site. The goal is to get customer passwords and credit card or other information to misuse. When spear phishing is targeted at the inner workings of a business, the goal is often simply high-level access to its computer network. Once spear phishers have obtained high-level passwords, they can quickly do massive damage, such as destroying data or stealing thousands of credit card numbers.
Avoid Phishing With These Tips
- Never click links in emails that request any personal or financial information. First, most companies will never ask you to do that. Second, the link is likely fake. Hover your cursor over the link for a moment, and a tooltip will pop up revealing the real address that clicking that link would open.
- Report spear phishing attempts to the company that’s being impersonated.
- Never reply to emails that request personal or financial information. To compromise computer data security, phishing attempts will play on your sense of responsibility, implying you are behind in a payment or that an order you placed needs attending to. If you need to check on something in the email to be sure, type the purported sender’s website address directly into your browser.
- Use a phishing filter in your browser if it has one.
Follow these simple steps and protect your computer’s data from unscrupulous hackers, phishers, and spear phishers. At their core, phishing and spear phishing are weaselly little tricks — weaselly tricks that no one has to fall for ever again. Do better than those West Point cadets in the study above, and don’t let the criminals get hold of your or your organization’s information.