One of our clients received an email that gave him pause, and he forwarded it to us to check. And we’re glad he did, because we were able to tell him that it was a spear phishing attack and to delete it from his inbox and ignore any new emails that were similar in nature. Frankly, we were a little surprised to see that this email managed to make it past Microsoft’s fairly rigorous spam filters—particularly because the sender was pretending to be Microsoft! But for a moment, let’s back up and talk about phishing versus spear phishing.
Phishing Attacks
If you’ve ever received an email from Apple or Yahoo or Gmail or Chase that was full of misspellings or broken English, congratulations! You’ve almost certainly been phished. Bad actors send out thousands, if not millions, of such emails every day. It only takes a few people clicking their malicious links for them to hit the jackpot.
Once you click their link, they hope they can persuade you to enter sensitive information such as your username and password, your credit card details, and maybe even your Social Security number.
Spear Phishing
Spear phishing is the same principle, but it’s done by someone targeting you specifically, especially at your place of employment. In this case, the attacker has gone to the trouble of becoming educated about your company, its org chart, and specific employees.
Spear phishing is how Hillary Clinton’s 2016 campaign was attacked, when the hacking group Fancy Bear sent John Podesta a spoofed email from Google that said someone was trying to use his password to access his Google account. When Podesta clicked the link in the email, he reached a fake Google webpage that was programmed to insert his name and email address onto the page for added authenticity. He typed his old password into the fake website, and voila, he gave his email password to Fancy Bear.
Protecting Yourself from Phishing or Spear Phishing
How can you tell the difference between a legitimate email and a phishing email? Well, as we mentioned above, misspellings and poor grammar are usually a good clue. If your phisher is a little more sophisticated, you might not be able to tell the difference visually. If you have any doubt whatsoever, it’s best to go directly to the authentic website and check what’s going on. For example, if you get an email that someone has tried to purchase something on eBay using your username, go straight to ebay.com and see if there are any weird notifications or recent purchases.
If you do click the link in the email, examine the URL of the page you land on. If the email claims to be from Apple, does the domain in the URL END in apple.com (and likewise microsoft.com for Microsoft, google.com for Google, and so on)? Seeing apple or microsoft somewhere else in the domain is not sufficient. Again: if your intuition tells you that something isn’t right, listen.
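The domain check above is easy to get wrong by eye, so here is an added example (not from the original post) that does it mechanically: it pulls the real hostname out of a link and asks whether that hostname is, or ends in, the expected domain. The sample links are constructed for illustration and do not refer to any real site. It assumes the expected domain is a registrable domain such as apple.com; for suffixes like co.uk you would need the public suffix list, which this example does not use.

```python
from typing import Optional
from urllib.parse import urlsplit


def host_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, or None if it has none.

    urlsplit().hostname drops the scheme, any user@ prefix, the port and the
    path, so what remains is the host the browser would actually connect to.
    """
    if "://" not in url:
        url = "http://" + url  # bare "apple.com/path" style links
    return urlsplit(url).hostname


def belongs_to(url: str, expected_domain: str) -> bool:
    """True if the link's host is expected_domain or a subdomain of it."""
    host = host_of(url)
    if host is None:
        return False
    expected = expected_domain.lower().rstrip(".")
    host = host.rstrip(".")  # tolerate a trailing dot (fully qualified form)
    return host == expected or host.endswith("." + expected)


def link_report(url: str, expected_domain: str) -> dict:
    """Explain why a link does or does not look like the expected site."""
    host = host_of(url)
    reasons = []
    if host is None:
        reasons.append("no hostname in URL")
    else:
        if not belongs_to(url, expected_domain):
            reasons.append(f"host {host!r} is not under {expected_domain}")
        if not host.isascii():
            reasons.append("hostname contains non-ASCII characters")
        netloc = urlsplit(url if "://" in url else "http://" + url).netloc
        if "@" in netloc:
            reasons.append("URL has text before '@'; the real host comes after it")
    return {"host": host, "ok": not reasons, "reasons": reasons}


# Constructed sample links (hypothetical hosts, not real sites).
SAMPLE_LINKS = [
    "https://www.apple.com/account",
    "https://appleid.apple.com:443/sign-in",
    "apple.com/help",
    "https://apple.com.account-verify.example/login",
    "https://login-apple.com/",
    "https://evil.example/apple.com/login",
    "https://apple.com@evil.example/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        report = link_report(link, "apple.com")
        verdict = "OK " if report["ok"] else "BAD"
        print(f"{verdict} {link}")
        for reason in report["reasons"]:
            print(f"      - {reason}")
```

Only the first three links pass: the others have apple.com in the path, in the middle of the host, or in a user@ prefix, none of which changes the site the browser connects to.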
And we do have some bad news: sometimes you will be sent to the real website… but while you’re being redirected, a malicious script can run in the background and hijack the cookies generated when you log in. If the website you’re visiting is vulnerable to this, the stolen cookies could give the attacker access to data or functions that would normally be password-protected.
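Whether a stolen-cookie attack like the one just described works depends partly on how the site sets its session cookies. As an added example (not code from the original post), the following audits Set-Cookie headers from a web server's response and reports cookies that lack the HttpOnly flag (which keeps page scripts from reading them), the Secure flag (which keeps them off plain HTTP), or a SameSite setting of Lax or Strict. The header lines are constructed samples; the cookie names and the example.test host are hypothetical.

```python
from typing import List


def audit_set_cookie(header_value: str) -> dict:
    """Check one Set-Cookie header value for the protections a session cookie needs."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()

    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax or Strict")
    return {"name": name, "missing": missing, "ok": not missing}


def audit_response_headers(raw_headers: str) -> List[dict]:
    """Audit every Set-Cookie line in a block of raw HTTP response headers."""
    reports = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            reports.append(audit_set_cookie(value.strip()))
    return reports


# Constructed sample response: one well-protected cookie, two weak ones.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: remember_me=xyz789; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT
Set-Cookie: pref=dark; Secure; SameSite=None
"""

if __name__ == "__main__":
    for report in audit_response_headers(SAMPLE_RESPONSE):
        status = "ok" if report["ok"] else "missing " + ", ".join(report["missing"])
        print(f"{report['name']}: {status}")
```

A cookie marked HttpOnly cannot be read by a script running in the page, so even if the redirect trick above manages to run code, the session cookie itself stays out of reach; Secure and SameSite close the other common ways a cookie leaks.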
So, what to do beyond just being vigilant? We recommend using two-factor authentication wherever possible. We know it’s a pain, but it can prevent so much drama and heartache that it’s worth it. Link your phone number to your account, and you’ll find yourself much less vulnerable to phishing attacks.