What is spear phishing?
Spear phishing is an email scam that appears to be from a trustworthy source. Attacks are attempts to steal sensitive information like login credentials or financial information or contain an attachment with malware. Spear phishing attacks generally target a specific victim or organization and are very personalized to avoid detection. Because these attacks are customized to specifically address a certain person, they are often very believable and therefore successful.
How does a spear phishing attack work?
- Spear phishing attackers identify and target victims who put personal information on the internet. They search for as much personal information on an individual and/or organization online as they can.
- Attackers then contact the victim, often as a friend or family member, and send a convincing message. These messages usually ask for sensitive information like login credentials or ask the victim to open an attachment (that contains malware) and are often “urgent.”
- Once attackers have gathered the information that they need, they will use the victim’s information to access accounts and sometimes even steal their identity.
How can you avoid a spear phishing attack?
- Be careful what you post online. Post as little personal information as possible and make sure your privacy settings are configured to limit what information other people can see.
- Use secure passwords and don’t use the same password on several accounts. Secure passwords contain numbers, letters, other characters and phrases. Using the same password or a variation of the same password on several accounts makes it so much easier for an attacker to gain access to all of them.
- Install updates regularly. Updates include security patches that can help you to avoid gaps in protection and lessen your risk of an attack.
- Carefully read all aspects of an email. Be sure to check the from email address and ensure it is from the person it says it’s from, and always check for spelling and grammar errors.
- Never send sensitive information via email. Don’t send usernames, passwords, bank account information, social security numbers, etc. via email.
- Always double check links before clicking on them. Hover over links in emails before you click on them to make sure they are a valid link and go to where they say they do.
- Encrypt sensitive information. Passwords, security questions, internet activity, and files should all be encrypted.
- Implement multi-factor authentication. MFA makes it harder for attackers to compromise your systems because it requires two pieces of identification like a login and a random generated code.
Using these tips along with the right training, tools and security team - you and your organization can avoid a spear phishing attack.
