What is spear phishing?

Help prevent identity theft from new, targeted phishing scams

Published: December 9, 2005

You might have heard about phishing scams: fraudulent e-mail messages or fake Web sites designed to steal your identity. Scam artists "phish" in an attempt to persuade millions of people to disclose sensitive information. Now there's a new version of an old scam called "spear phishing," a targeted e-mail attack that a scammer sends only to people within a small group, such as a company. The e-mail message might appear to be genuine, but if you respond to it, you might put yourself and your employer at risk.

How standard phishing scams work

Phishers (scammers who perpetrate phishing scams) usually take a broad approach by sending millions of e-mail messages that appear to come from popular banks, online auction houses, and other businesses. These e-mail messages, pop-up windows, and the Web sites they link to look official, so they deceive many people into believing that they are legitimate. Unsuspecting people often respond to these requests for credit card numbers, passwords, account information, or other personal and financial data. According to the 2005 Consumer Reports State of the Net survey, phishing scams cost consumers an average of $395 per incident in the United States. For more information about standard phishing scams, see What is a phishing scam?

How spear phishing scams work

Spear phishing describes any highly targeted phishing attack. Spear phishers send e-mail that appears genuine to all the employees or members of a certain company, government agency, organization, or group. The message might look like it comes from your employer, or from a colleague who would plausibly e-mail everyone in the company (such as the person who manages the computer systems), and it could include requests for user names or passwords.

The truth is that the e-mail sender information has been faked or "spoofed." Whereas traditional phishing scams are designed to steal information from individuals, spear phishing scams work to gain access to a company's entire computer system. If you respond with a user name or password, or if you click links or open attachments in a spear phishing e-mail, pop-up window, or Web site, you might become a victim of identity theft and you might put your employer or group at risk.

Spear phishing also describes scams that target people who use a certain product or Web site. Scam artists use any information they can to personalize a phishing scam to as specific a group as possible.
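The spoofed-sender point above, as an added example that is not part of the original article: a small Python check that flags messages whose From line claims an internal address but whose replies are routed elsewhere, whose sender domain imitates the organization's own, or whose body asks for user names or passwords. The domain example.test, the keyword list, and the two sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organization domain (not from the article); anything else is external.
INTERNAL_DOMAIN = "example.test"
CREDENTIAL_WORDS = ("password", "user name", "username", "account information")
LOOKALIKE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Constructed samples: a forged internal From with an external Reply-To, and a look-alike sender domain.
FORGED_FROM = """\
From: "Sam Lee (IT Systems)" <helpdesk@example.test>
Reply-To: it-verify@mailbox-relay.test
Subject: Account check

Reply with your user name and password so we can confirm your account.
"""
LOOKALIKE_DOMAIN = """\
From: "IT Helpdesk" <helpdesk@examp1e.test>
Subject: Expense report attached

The report is attached; let me know if the figures look right.
"""

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _name, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def spear_phish_indicators(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Return the reasons a message looks like a spoofed internal request."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    if from_domain != internal_domain:
        reasons.append(f"sender domain {from_domain} is outside {internal_domain}")
        # Digits swapped for look-alike letters (examp1e -> example) imitate the organization.
        label = internal_domain.split(".")[0]
        if label not in from_domain and label in from_domain.translate(LOOKALIKE):
            reasons.append(f"sender domain {from_domain} imitates {label}")
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To {reply_domain} differs from From {from_domain}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    asked = [w for w in CREDENTIAL_WORDS if w in text]
    if asked:
        reasons.append("body requests credentials: " + ", ".join(asked))
    return reasons
```

A message whose From address is genuinely internal still fails the Reply-To check, which is the case the article describes: the visible sender is forged, but the scammer needs the reply to reach them.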

You can help avoid spear phishing scams by using some of the same techniques you already use to help avoid standard phishing scams.

5 tips to help you avoid spear phishing scams

1. Never reveal personal or financial information in a response to an e-mail request, no matter who appears to have sent it.

2. If you receive an e-mail message that appears suspicious, call the person or organization listed in the From line before you respond or open any attached files.

3. Never click links in an e-mail message that requests personal or financial information. Enter the Web address into your browser window instead.

4. Report any e-mail that you suspect might be a spear phishing campaign within your company.

5. Use the Microsoft Phishing Filter, which scans and helps identify suspicious Web sites, and provides up-to-the-hour updates and reports about known phishing sites. To learn more, go to How to get Microsoft Phishing Filter.

For additional information about how to deal with possible phishing scams, see The dos and don'ts of dealing with suspicious e-mail.
