Tech Tip Tuesday: What is Spear-Phishing and How Can I Protect Myself From an Attack?

As of late, phishing has become a very well-known word in the English vocabulary. It is a scam email sent to many email accounts to trick the recipients into clicking on a link or downloading an attachment. By doing so, the recipient submits personal information or infects the computer or the network, giving the hackers the access they need to perform their nefarious acts.

Spear-phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim, often for malicious reasons. This is achieved by conducting surveillance and acquiring personal details on the victim such as their friends, hometown, employer, locations they frequent, and what they have recently bought online. The attackers then disguise themselves as a trustworthy friend or employee or entity to acquire sensitive information, typically through email or other online messaging. This is the most successful form of acquiring confidential information on the internet, accounting for 91% of attacks.  

Spear-phishing may sound simple, but these emails have improved within the past few years and are now extremely difficult to detect without prior knowledge of them. Spear-phishing attackers target victims who put personal information on the internet. They might view individual profiles while scanning a social networking site. From a profile, they will be able to find a person’s email address, friends list, geographic location and any posts about new gadgets that were recently purchased. With all of this information, the attacker would be able to act as a friend or a familiar entity and send a convincing but fraudulent message to their target.

To increase success rates, these messages often contain urgent explanations of why the sender needs sensitive information. Victims are asked to open a malicious attachment or click on a link that takes them to a spoofed website where they are asked to provide passwords, account numbers, PINs, and access codes. An attacker posing as a friend might ask for usernames and passwords for various websites, such as Facebook, so that they would be able to access posted photos. In reality, the attackers will use that password, or variations of it, to access different websites that have confidential information such as credit card details or Social Security Numbers. Once criminals have gathered enough sensitive information, they can access bank accounts or even create a new identity using their victim’s information. Spear-phishing can also trick people into downloading malware or other malicious code when they click on links or open attachments provided in messages.

7 Tips to Avoid a Spear-Phishing Attack:

  • Watch what personal information you post on the internet: Look at your online profiles. How much personal information is available for potential attackers to view? If there is anything that you do not want a potential scammer to see, do not post it – or at the very minimum make sure that you’ve configured privacy settings to limit what others can see.
  • Have smart passwords: Do not just use one password or variations of passwords for every account that you own. Reusing passwords or password variations means that if an attacker has access to one of your passwords, they effectively have access to all of your accounts. Every password that you have should be different from the rest – passwords with random phrases, numbers, and letters are the most secure.
  • Frequently update your software: If your software provider notifies you that there is a new update, do it right away. The majority of software systems include security software updates that should help to protect you from common attacks. Where possible, enable automatic software updates.
  • Do not click links in emails: If an organization, such as your bank, sends you a link, launch your browser and go directly to the bank’s site instead of clicking on the link itself. You can also check the destination of a link by hovering your mouse over it. If the URL does not match the link’s anchor text or the email’s stated destination, there is a good chance that it could be malicious. Many spear-phishing attackers will try to obfuscate link destinations by using anchor text that looks like a legitimate URL.
  • Use logic when opening emails: If you get an email from a “friend” asking for personal information including your password, carefully check to see if their email address is one that you have seen them use in the past. Real businesses will not send you an email asking for your username or password. Your best bet would be to contact that “friend” or business outside of email, or visit the business’ official website to see if they were the party who actually contacted you.
  • Use two-factor authentication: If you use Office 365, this is a free feature that sends you a code if someone tries to create an email account with your username and password.
  • Implement a data protection program at your organization: A data protection program that combines user education around data security best practices and implementation of a data protection solution will help to prevent data loss due to spear-phishing attacks. Microsoft Office 365 offers Advanced Threat Protection plans that screen all emails for malicious content before delivering them to the recipient.

By implementing these tips into your regular agenda, you will be able to steer yourself clear of these heinous attacks on your personal information. For more tips or for any questions you may have, please feel free to contact us at CEO Computers at: 818-501-2281 or info@ceocomputers.com.

In our next column, we’ll discuss: Email and the Dark Web.

**Tech Tip Tuesday is a bi-monthly column that focuses on customer-based questions that are frequently asked or of interest. If you have a question that you would like to be featured, send us an email at: info@ceocomputers.com**