Spear Phishing

Graphic in shades of blue of open laptop computer with a fishing spear coming out of the screen

What is Spear Phishing?

Ordinary phishing

We’ve all received phishing emails that pretend to come from trusted sources such as banks. They want us to hand over information (passwords, card numbers, account details) that will let the senders steal money from us. Hence the name: they are “phishing” for information that will allow them to steal from us.

When they first appeared, such email scams were a bit of a joke: the spelling, grammar and use of English were generally poor. Over the years they’ve become a lot more realistic and can now be almost indistinguishable from the real thing.

However, most of them share a big flaw: they are not personally addressed to the recipient. Anyone asking you for personal information or money in an email that begins with “Dear Valued Customer” is almost certainly a fraud. Just delete it, or, if any doubt remains, contact the person it purports to come from. Don’t “reply” to the email and don’t phone a number given in that same email.

But what if you receive an email (asking for money) that you are expecting?

Suppose you’ve just spent £5,000 on a conservatory and you receive an email with an invoice asking you to pay the money into a specific bank account. This is a perfectly normal way of doing business. The email appears to come from the supplier, and nothing at all looks suspicious in either the email or the attached invoice.

This could be an example of spear phishing

A traditional fishing spear with ornately carved handle lies along a pebble-strewn river bank

Instead of sending gazillions of scam emails (phishing), the bad guy is homing in on a particular individual. He or she has some information about that individual that may allay their suspicions about the veracity of the email. It’s called “spear phishing” because it is a far more targeted attack than an email blasted out to hundreds or thousands of people.

In this instance, what may have happened is that a cybercriminal has hacked into either the supplier’s or the purchaser’s email account and is quietly reading the correspondence between the two. So, if you are the recipient, he KNOWS who you are, what you bought, where from, when, for how much, and so on.

He just has to pick the right moment to ask you to pay money into his own bank account. Ker-ching!

A variation of spear phishing

A variation is that a cybercriminal hacks into a database containing an organisation’s customers’ names, email addresses, purchasing history, postal addresses and so on, and then uses that information to send a spurious invoice to a specific person. This is even more likely to succeed if the person reading the email and paying the bills is not the person who ordered the goods or services, and simply accepts that payment is being requested for a routine transaction.

Another danger, of course, is that a link supposedly pointing to an online invoice could instead lead to a page that downloads malware or ransomware.

As you can see, there are lots of ways that scammers can lull you into a false sense of security: they quote information in emails that is personal to you, timely and seemingly accurate.

What you should do and should not do

A fisherman (without breathing apparatus) is swimming in shallow water. He is carrying a fishing spear.

So, what do you do (and not do) if an email asking you for information or money arouses your suspicions, but you don’t feel you can just dismiss it immediately?

  • Do not open any attachment in the suspicious email.
  • Do not click on any link in the email.
  • Look at the sender’s actual email address, not just the name that appears beside it (anyone can set that display name to whatever they like). Check whether it is the address that person or organisation has used before. Bear in mind that if the sender’s own account has been hacked, the address will look perfectly normal, so this check on its own is not enough.
  • Contact the purported sender to confirm the request and the bank details, but NOT by replying to the suspicious email.
  • Do not use the sender’s phone number or any other contact details from the suspicious email. Find the contact details from a previous email, contacts, or phone history.
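To make the address check concrete, here is a small Python script, added as an example for this page and not part of the original post, that runs the checklist above over two constructed sample emails: an imitation invoice and the genuine email it copies. The company, addresses and domains are invented, and the “known contact” is simply the address taken from a previous genuine email, as the last point above suggests. It also goes one step beyond the list by checking the Reply-To header, which is where a “reply” actually goes.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real message): a spear-phishing invoice that
# imitates a supplier the recipient has genuinely dealt with.
SUSPICIOUS_EMAIL = """\
From: "Acme Conservatories Ltd" <accounts@acme-conservatorles.com>
Reply-To: accounts.acme@gmail-invoices.example
To: customer@example.org
Subject: Invoice 4471 - payment due
Content-Type: text/plain

Dear Mr Smith,

Please find attached invoice 4471 for your conservatory (GBP 5,000).
Note that our bank details have changed. You can also pay online at
http://acme-conservatories.com.invoice-pay.example/4471

Regards,
Accounts
"""

# Constructed sample: what the genuine supplier's email looks like.
GENUINE_EMAIL = """\
From: Acme Conservatories Ltd <accounts@acme-conservatories.com>
To: customer@example.org
Subject: Invoice 4471
Content-Type: text/plain

Dear Mr Smith,

Please find attached invoice 4471 for your conservatory (GBP 5,000).

Regards,
Accounts
"""

# Constructed: the address taken from a PREVIOUS genuine email, i.e. the
# checklist's "find the contact details from a previous email" step.
KNOWN_SENDERS = {
    "Acme Conservatories Ltd": "accounts@acme-conservatories.com",
}

URL_RE = re.compile(r'https?://[^\s<>"\')]+')


def sender_details(raw_email):
    """Split the From: header into (display name, actual address)."""
    msg = message_from_string(raw_email, policy=policy.default)
    return parseaddr(str(msg.get("From", "")))


def check_email(raw_email, known_senders):
    """Run the checklist against one raw email and return a list of warnings.

    An empty list means nothing was flagged. It does NOT mean the email is
    genuine: if the supplier's real account has been hacked, every check
    here passes, and only a phone call to a known number will catch it.
    """
    msg = message_from_string(raw_email, policy=policy.default)
    warnings = []

    # 1. Sender: compare the real address with the address this display
    #    name used last time, not the display name itself.
    name, address = parseaddr(str(msg.get("From", "")))
    expected = known_senders.get(name)
    if expected is None:
        warnings.append(f"Sender '{name}' <{address}> is not a known contact")
    elif address.lower() != expected.lower():
        warnings.append(
            f"Display name '{name}' looks right but the address is {address}, "
            f"not the {expected} used previously"
        )

    # 2. Reply path: a Reply-To pointing elsewhere means a 'reply' goes to
    #    the scammer even when the From: address looks genuine.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != address.lower():
        warnings.append(f"Replies would go to {reply_to}, not to {address}")

    # 3. Links: list them so they can be compared with the supplier's real
    #    website address rather than clicked.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        warnings.append(f"Link in body: {url} (do not click)")

    # 4. Attachments: name them so they can be left unopened.
    for part in msg.iter_attachments():
        warnings.append(f"Attachment: {part.get_filename()} (do not open)")

    return warnings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(f"--- {label} ---")
        for line in check_email(raw, KNOWN_SENDERS) or ["nothing flagged"]:
            print(" ", line)
```

Run it and the imitation invoice is flagged three times (look-alike domain, different reply address, link to a site that merely starts with the supplier’s name), while the genuine email is not. The important caveat is the one in the docstring: when the scammer is sitting inside the supplier’s real mailbox, as in the first scenario above, the script finds nothing, which is exactly why the checklist ends with a phone call to a number you already had.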

For a more complete explanation of spear phishing, see this article from Malwarebytes or this one from IBM.

This blog post is also relevant – Variation on a theme of an email scam

By the way, if you ever suspect that an email message with an invoice sent by me to you is not genuine, then just phone or text me on 07961 387564. I NEVER send invoices to clients that they are not expecting.


Post icon (featured image) and other images designed by David Leonard with Microsoft Designer