Information Security

fishing pole with a key of username and password

Spearphishing

A different kind of fishing

Email is a great way to communicate with someone. However, be wary of messages, especially from people you don't know, that ask you for personal information or tell you to click on a link. You never know when someone is fishing for your information.

Have you ever gotten an email from someone you didn't know? Been asked to provide your personal information? Clicked on a link that seemed shady? If you answered yes to any of these questions, then you may have come across a PHISHING MESSAGE!

"But wait! Why is it called phishing?"

"Because it sounds like fishing! Get it? Fishing for information?"

"..."

"Why aren't you laughing?"

"..."

"Okay, okay. No more jokes. I promise."

 

WHAT IS PHISHING?

Phishing is when someone, claiming to be a legitimate company or person, sends the same message to a huge number of people in an attempt to acquire personal and/or sensitive information (e.g. usernames, passwords, SSNs, credit card data) that can then be used for fraud, account takeover or other crimes.

A typical phishing message (most often an email) directs the user, usually through a link, to a website where they are asked to "confirm" or "update" sensitive information that the legitimate company already has. The website is a fake, often a close copy of the real login page, and anything the user types in goes straight to the attacker. The visible link text may even show the real company's address while the underlying link points somewhere else entirely.

ALWAYS remember: a legitimate organization (e.g. your bank) will NEVER ask you to send your password, PIN or full card number by email, or to "verify" them through a link in a message it sent you. If you need to check something with your bank, go to its website by typing the address yourself, or call the number printed on your card or statement.

For more information on phishing, please visit our phishing guide here. 

For examples of phishing messages, please visit the phishing example blog here.

Now that we know what phishing is, let's talk about a different twist on phishing attacks: spear phishing!

 

WHAT IS SPEAR PHISHING?

Spear phishing targets a specific organization, or a specific group of people within it, seeking unauthorized access to confidential data. Spear phishing attempts are not typically the work of "random hackers"; they are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information, who are willing to spend time researching their targets first.

Unlike mass phishing messages, spear phishing messages are tailored to a group of people with something in common: they work at the same company, use the same bank, attend the same college, order merchandise from the same website, etc. The emails appear to come from organizations or individuals the victims would normally get email from, often someone in a position of authority (a sender's name and address are easy to forge), which makes them far more convincing.

 

FAMILIARITY IS KEY

A spear phisher knows your name, your email address, and some information about you. The email is most likely personalized, addressing you by name rather than "Dear Sir/Madam". Other things the email might contain are:

  1. a reference to a "mutual friend" or someone you know
  2. a reference to your workplace, bank, school, etc.
  3. mention of a recent online purchase you've made
  4. a link that asks for your personal information
  5. a request for you to take some "urgent action"

Because the email seems to come from someone you know, you may be more trusting and give them the information they ask for, especially if it appears to be from a company you know asking you to take urgent action (e.g. update your bank information or lose access). Urgency is the attacker's favourite lever: it is there to stop you from pausing to check.

 

HOW SPEAR PHISHING WORKS:

  1. First, criminals need to gain their targets' trust, so they gather inside information about them. They often obtain it by breaking into an organization's network or simply by reading the targets' websites, blogs and social networking profiles (job title, colleagues' names, recent trips, recent purchases). Essentially, they stalk you!
  2. After gathering enough data to make the email believable, they send the targets a message that looks genuine and usually concerns some urgent matter involving their account or personal data.
  3. Finally, the victims are asked to click on a link that takes them to a fake website where they are asked to enter their personal information (or to open an attachment that installs malware).

 

WHEN CRIMINALS GET YOUR PERSONAL INFORMATION:

They can gain access to your bank account, use your credit cards, steal your identity, and carry out other malicious deeds.

Criminals may also trick you into downloading malware after you click on a link or open an attachment. This is especially useful in crimes such as espionage, where sensitive internal communications (e.g. emails) can be read and trade secrets stolen. Malware can also hijack your computer and join it to a network of other compromised machines, called a botnet, that can be used for denial of service attacks.

 

HOW TO AVOID BECOMING A SPEAR PHISHING VICTIM?

  1. Keep in mind that most companies, banks, agencies, etc. do NOT request personal information via email.
    1. If in doubt, call them using a number you already have (not one from the email) or visit them in person to ask about the message.
  2. Use a phishing filter. Many of the latest web browsers and email clients have them built in or offer them as plug-ins.
    1. You can also report phishing messages in most email clients, such as Yahoo! Mail or Gmail, which helps protect everyone else.
  3. Never follow a link from an email to a site where you log in or enter personal information; type the address yourself or use a bookmark you saved earlier. Hovering over a link shows its real destination, which often has nothing to do with the text you see.
  4. Be careful about posting personal information online. (In this case, sharing is NOT caring!)
  5. Think before you click.
  6. If it seems fishy, it probably is.
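The checks in the list above (does the link really go where its text says? does the sender's address match the name shown on it?) can be automated for a mailbox or a mail gateway. The script below is an added example written for this post, not code from the original page: it parses a constructed sample lure with Python's standard library and flags the tells described in the FAMILIARITY IS KEY and HOW SPEAR PHISHING WORKS sections. TRUSTED_DOMAINS, URGENCY_WORDS, the sample message and every name, address and URL in it are assumptions made up for the example, and the "last two labels" domain rule is a deliberate simplification (real code would use the public suffix list).

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient legitimately deals with (assumption for this example).
TRUSTED_DOMAINS = {"example-bank.com"}
# Pressure phrases typical of a lure (assumption; tune to your own mail).
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours",
                 "suspended", "verify your account")

def registrable_domain(host):
    """Crude 'last two labels' rule (real code would use the public suffix
    list); enough to see through bank.com.attacker.net style hosts."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def mentions_brand(text):
    """True if text carries a trusted brand label, ignoring case/punctuation."""
    flat = re.sub(r"[^a-z0-9]", "", text.lower())
    return any(re.sub(r"[^a-z0-9]", "", t.split(".")[0]) in flat
               for t in TRUSTED_DOMAINS)

def is_lookalike(host):
    """example-bank-secure.com or example-bank.com.attacker.net, not the real site."""
    return registrable_domain(host) not in TRUSTED_DOMAINS and mentions_brand(host)

def host_of(url):
    """Lower-cased hostname of a URL or a bare 'www.x.y' string ('' if none)."""
    if not re.match(r"https?://", url, re.I):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], " ".join(self._current[1].split())))
            self._current = None

def analyze(raw):
    """Return (code, detail) findings for one raw email; [] means no tells."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    findings = []
    # 1. Display name or sending domain borrows a trusted brand, but the
    #    address is not actually the trusted domain.
    if registrable_domain(sender.domain) not in TRUSTED_DOMAINS and \
            mentions_brand(sender.display_name + " " + sender.domain):
        findings.append(("sender-spoof", f"{sender.display_name!r} <{sender.addr_spec}>"))
    # 2. Replies quietly diverted to a third domain.
    if msg["Reply-To"] is not None:
        reply = msg["Reply-To"].addresses[0]
        if registrable_domain(reply.domain) != registrable_domain(sender.domain):
            findings.append(("reply-to-mismatch", f"{sender.domain} -> {reply.domain}"))
    # 3. Links whose visible text names one site while the href goes elsewhere.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(content)
    for href, text in collector.links:
        href_host = host_of(href)
        if re.match(r"(https?://|www\.)", text, re.I) and \
                registrable_domain(host_of(text)) != registrable_domain(href_host):
            findings.append(("link-text-mismatch", f"{text} -> {href}"))
        if href_host and is_lookalike(href_host):
            findings.append(("lookalike-link", href_host))
    # 4. Pressure to act now, the lever every lure pulls.
    haystack = (str(msg["Subject"]) + " " + content).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings

# Constructed sample lure; no name, address or URL in it is real.
SAMPLE_LURE = """\
From: "Example Bank Security" <alerts@example-bank-secure.com>
Reply-To: verify@mail-example-bank.net
To: alice@example.edu
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Alice,</p>
<p>Our mutual colleague Bob asked us to follow up on your recent order.</p>
<p>Please confirm at <a href="http://example-bank.com.login-check.example.net/verify">
https://www.example-bank.com/login</a> immediately or your account will be suspended.</p>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_LURE):
        print(f"{code:20} {detail}")
```

Running the script reports sender-spoof, reply-to-mismatch, link-text-mismatch, lookalike-link and urgency for the sample lure, while a message from alerts@example-bank.com whose link text matches its href produces no findings. Heuristics like these catch the clumsy lures and make a useful triage aid, but a well-researched spear phish may trip none of them, which is why the "type the address yourself" rule above still applies.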

 

SOME TIPS TO PROTECT YOUR INFORMATION!

  1. Keep your information safe. Think before you post anything revealing online.
  2. Use strong passwords* that use a combination of letters, numbers, and symbols.
  3. Never use the same password for multiple accounts; a password manager makes this practical.
  4. Turn on multi-factor authentication wherever it is offered, so that a phished password alone is not enough to get into your account.
  5. Always install the latest patches, updates, and security software.
  6. AND REMEMBER: Don't give up too much personal information online because you never know who might be lurking about.

 *for more information about strong passwords, please click here or here.

 

Category: Technology
Tags: phishing, spear phishing, infosec, information security, phish messages, passwords, online presence