How They Do It: Spearphishing Scammers at Work
Five Warning Signs You're about to Get Hooked
Welcome to "How They Do It," a monthly feature on the IDShield blog. Our goal is to provide you with glimpses into the hidden world of hackers. You'll learn the many ways they operate so you can guard your identity and your assets.
How's your firewall? Got those spam filters engaged? An alarming percentage of individuals still fall for spearphishing attacks – either at home or work – even with spam prevention in place. Unfortunately, these numbers are on the rise. Coronavirus-themed attacks have become prevalent, but others are run-of-the-mill plans tapping into age-old themes like lost friends or desperate relatives. Learn all you can to understand how these would-be thieves bait their hooks.
Like many scams, phishing is on the rise. Some researchers peg the success rate at well over 10%. Others predict it's over 30%--a genuinely frightening number. One recent report indicates that more than one in five data breaches also begins with one of these successful lures.
In all, three different contact paths deliver the bait. Phone calls (vishing), texts (smishing), and emails (the original group attacks) each can be immensely powerful. One approach has risen to the top of the heap in effectiveness and it’s the toughest to prevent.
What is Spearphishing?
Spearphishers have proved so successful that they've become all too common. Unlike phishing, which launches waves of emails or texts to solicit clicks, spear targeting aims at a finely selected individual instead. It seeks to establish an emotional connection with the victim. It's all designed to prompt you to click on bogus links. Goals vary, but some successful attacks distribute malware while others seek personal data. Scammers are adept at mimicking the appearance of a legitimate company's website.
All the big banks, including Wells Fargo, Chase and U.S. Bank, are targets because the odds are good that you’re a customer at one of them. Phishing emails can convincingly duplicate a bank's home page in the hope that they'll trick you into logging in.
Many times, scammers craft their communication to resemble a bank alert stating a compromise occurred with your account. An actual attack on your balance will begin immediately if you bite this hook and enter your login credentials.
Spearphishing Betters the Odds
Spearphishing is the evolved sibling of phishing and it’s rapidly surpassing the original concept in efficacy. Spearphishing – picture a spear gun in your mind – aims at a much smaller target. Instead of phishing attempts sent to thousands in bulk attempts, this method singles out one person or just a handful. Some experts state that one in three goes to a solo recipient. When it works, experts estimate the average spearphishing loss exceeds $1.5 million!!!
How would you react to emails that appear to be from the company finance director, your CEO or a colleague? What about a text from a CEO impersonator claiming she lost her wallet and needs $2500 wired to her ASAP?
These requests strongly resemble legit corporate communications. Spearphishing is wildly successful because it is so personalized. The more specific the data, the greater the odds of click-through. So how do scammers gather the details?
First, hackers have mastered social engineering – the art of gleaning critical information on potential victims. They might search social media, speak to neighbors or look up your property records online. Personal details – name, address, recent awards and more – are harvested from these sources and corporate web pages, then sprinkled into texts and emails to boost the sender's credibility. You're far more susceptible if the interaction utilizes data familiar to you.
Corporate financial offices and human resource departments are top spearphishing targets. Each spring, scammers target these offices sending what appears to be a CEO request for all employee W-2 tax forms. The result is bogus income tax returns that can grab legit refund checks.
Top 5 Warning Indicators
Don't be the employee who's duped into wiring company money to a scammer. Don't surrender your login credentials without a fight. Look for these top 5 indicators which indicate a scam in progress.
- Unexpected communications addressed to you personally from a lender, bank, or any other business.
- Urgent monetary need due to a lost airplane ticket or wallet is a big red flag.
- Any and all requests to wire money ASAP are suspicious, as are sudden changes in email from a firm that bills your company regularly.
- Contact from an organization you don't communicate with routinely.
- Odd email addresses that display when you hover your cursor over them.
Look at some wacky examples we detected recently. Emails from @fatherslap.co.uk, @casinomator.com, one claiming to be from Apple sent by @esadboy.com and @e-startupindia.com were easy ones to reveal. But the fraud isn’t always this obvious. Some blend a famous corporate name into documents and the result is something such as @e.chase.service.com. These require more investigation.
Con artists also impersonate IRS, Social Security Administration, non-profit groups, Homeland Security and Dept. of Health and Human Services officials in spearphishing. Most of these government websites and financial agencies feature links on their homepages to share any questionable emails with officials. You can also alert the Better Business Bureau in your area and AARP's scam division.
- Ask a friend, coworker or relative to check strange email with you. Phishing buddies are the best kind!
- Don't click links you don't recognize.
- View any emails from unknown sources as suspicious. Hover the computer mouse cursor over each and every embedded link to see where they'll take you. This is vital. Haste is the enemy so take your time.
One final thought. Most of the personally identifiable data spearphishers need for success is information you should protect and monitor frequently. IDShield searches for leaked data routinely and offers alerts to tip you off when stray information turns up that could cause harm if misused.
IDShield is a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. For complete terms, coverage, and conditions, please see an identity theft plan. All Licensed Private Investigators are licensed in the state of Oklahoma. This is meant to provide general information and is not intended to provide legal advice, render an opinion, or provide any specific recommendations.
Let IDShield Help Protect Your Data Today.