Spear Phishing 101

You get an email from your financial institution, ABC Inc, asking you to click a link to confirm a recent financial transaction. They have all the details right—you do bank with ABC, and you did complete a recent financial transaction. They’ve got your name and number correct in the email, and it appears to come from a customer service agent you’ve worked with in the past. Must be legit, right?

Not necessarily.

While it could be legitimate, it could also be a kind of cyberattack called Spear Phishing.

Phishing vs Spear Phishing: Making you a target

Phishing is the fraudulent practice of sending emails or other messages pretending to be from reputable companies in order to convince people to reveal personal information like passwords and credit card numbers. Most phishing consists of mass emails sent to thousands of recipients in hopes of inducing a few to make a mistake.

In some cases, however, the attack is much more targeted. The fraudster has gathered real, personalized details about their targets to make the phishing email more realistic and convincing. This kind of cyberattack is called Spear Phishing.


Spear Phishing examples

A common example is the email from your CEO asking you to urgently review an attachment or link. Beware though: the fraudster could have gotten your CEO’s name from your corporate website or from LinkedIn.

In the example involving ABC Inc., the fraudster may have just made a lucky guess that you bank with ABC—or they might have gotten that detail from last week’s post on your social media feed where you complained about long lines at your bank. Likewise, they might have gotten the customer service agent’s name from a website or even by visiting the branch.

Spear phishing targets may be a specific individual, or a group of people that have something in common, like working at the same organization. They also tend to be what are called ‘high-value’ targets. Because spear phishing requires active effort on the part of the fraudster to gather the right data to fool you, they tend to focus on individuals or groups they consider worth the effort—either because the potential payoff is significant, because the quality of information they have gives them a high chance of success, or both.

Unfortunately, this focus on high-value targets isn’t a hard rule. Generative AI tools have the potential to make personalized data gathering easier for fraudsters, so it pays to be vigilant no matter who you are.

Spotting Spear Phishing

The idea that you can’t even trust legitimate-looking emails and other communications can feel oppressive. But there are some tell-tale signs you can look for to spot a spear phishing attempt:

  • The request is unusual. Does your CEO often ask you to urgently review an attachment or ask you to purchase a gift card? Does your financial institution typically send you a link asking you to log in or share personal information?
  • The request is unexpected. A legitimate occasion for you to receive an email with a login link is right after you’ve performed a password reset request. But that’ll happen within minutes or even seconds of you submitting the request. If a request like this comes out of the blue, be suspicious.
  • The request is urgent. As with ordinary phishing attempts, spear phishing communications tend to contain an element of urgency—you MUST do this now or else! Fraudsters are hoping that the need to act urgently will trigger you into making a mistake and not double-checking the email’s legitimacy.

Protecting yourself from Spear Phishing

  1. Check the links: Hover over the website or email link (don’t click it) and look at the address. Does the email address match that of the purported sender? Does the website link look strange or unfamiliar? Watch for slight misspellings or odd characters in a domain.
  2. Verify before taking action: Be extra cautious whenever you’re being asked to enter sensitive information like account credentials, or open a strange attachment. Find another way to verify the information. For example, you could reach out directly to the person or organization by phone to verify whether they sent it and requested the information being asked for.
  3. Be careful sharing too much on social media: Social media is a great way to stay connected with friends and family. But be cautious how much you share too publicly—it could be used against you.
  4. Use multifactor authentication: Multifactor authentication (MFA) can protect your accounts even when your password has been compromised. However, know that fraudsters will also try and get you to give up your MFA one-time passcode. Typically, you should never give these codes to anyone else, even someone who says they’re from customer or IT support. In most cases, a real customer or IT support person shouldn’t need your code to access an account.
  5. Get educated and stay up to date: Most organizations today offer or require cybersecurity training. Keep up to date with your training and read up on the latest trends.
  6. If you are unsure whether the request is legitimate, reach out to the originator of the request via a trusted channel, such as an email address you have used in the past or a phone number you can trust.
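One way to turn the “check the links” step above into a routine check, as an added example that is not from the original article: the script below compares the domain a link displays with the one it actually points to, and flags domains that are a character or two away from a trusted one, that use international (punycode) characters, or that hide a trusted name in front of an unrelated domain. TRUSTED_DOMAINS and the sample links are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed: the domains the reader genuinely uses (the article's "ABC Inc").
TRUSTED_DOMAINS = {"abcinc.example"}
# Finds a bare domain or URL host inside the visible link text, if any.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels: mail.abcinc.example -> abcinc.example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(display_text: str, href: str) -> list[str]:
    """Return the tell-tale signs found for one link; an empty list means nothing stood out."""
    findings = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()
    if not host:
        return ["link has no hostname; do not click it"]
    shown = DOMAIN_RE.search(display_text)
    if shown and registered_domain(shown.group(0)) != registered_domain(host):
        findings.append(f"text shows {shown.group(0)} but the link goes to {host}")
    if "xn--" in host or any(ord(c) > 127 for c in host):
        findings.append(f"{host} uses international characters (possible look-alike letters)")
    if parsed.scheme != "https":
        findings.append(f"link is not HTTPS ({parsed.scheme or 'no scheme'})")
    reg = registered_domain(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            d = edit_distance(reg, trusted)
            if 0 < d <= 2:
                findings.append(f"{reg} is {d} character(s) away from {trusted}: likely a look-alike")
        # abcinc.example.login-verify.example puts a trusted name in front of a stranger's domain
        if host.split(".")[0] in {t.split(".")[0] for t in TRUSTED_DOMAINS}:
            findings.append(f"{host} places a trusted name in front of an unrelated domain")
    return findings
```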
Wednesday | June 18, 12:00 PM