Spear Phishing

You are probably already familiar with “phishing” attacks in which attackers send fake emails in an attempt to get sensitive personal information from you such as your credit card number, social security number, username and password, etc. These phishing messages are usually sent to large numbers of people and purport to be from organizations that you would generally trust, or may do business with, such as your bank, a shipping company, or even Emory. As people become more aware of these types of fraudulent messages, phishers have turned to more targeted techniques, known as “Spear Phishing” to specifically target individuals. 

What is Spear Phishing?

Spear phishing is when an attacker specifically tailors a message to an individual person in order to increase the likelihood that the victim will provide information back to the attacker, or to open an attachment or click on a link which may infect the victim’s computer and allow the attacker access to it. When crafting these spear phishing messages an attacker will research their target by visiting social networking sites, or even an institutional website about the individual. With this information they can craft an email that appears to be from someone the person trusts, or target the message so that it seems relevant to the victim. Usually these spear phishers have highly specific goals, such as stealing sensitive organizational data, intellectual property, intercepting communications, or gaining a foothold into the victim organization’s network so that they can carry out other attacks.

 Detecting Spear Phishing

Recognizing a spear phishing attack is not easy, but there are some general steps that you can take to protect yourself. The first thing to be aware of is that this type of attack exists and that anyone is potentially a target. In general:

       Be cautious any time an email asks you to open an attachment or click on a link, even it that message appears to be from someone you know. If you have any doubts contact the sender using contact information that you already have to verify the message’s authenticity. In most e-mail programs you can hover over the link in the message to verify that you’re being sent to a legitimate URL, and not a fake one (move your mouse pointer over the link and a small window with the actual link destination will appear). For example, http://it.emory.edu/security is a valid link on Emory’s website, but http://it.emory.edu.badguys.com/security would not be.

       Limit the amount of personal information that you post on social networking sites, or even on Emory websites. 

       Spear phishing is harder to automatically detect and block. If you believe that you’ve received a spear phishing message, or may have fallen for one, please contact your local IT support immediately, or contact the University or Healthcare service desks. 

For additional information on phishing, please visit: http://it.emory.edu/security/security_awareness/phishing.html