Tips to avoid spear-phishing

Don’t fall victim to spear-phishing

When CNN reported that a “prankster” in the UK had managed to spear-phish White House officials, we wanted to share a few thoughts about online security, spear-phishing and avoiding the sharp end of that awful spear.

Spear-phishing is tricky

“Phishing” is a broad term for when a malicious actor impersonates a legitimate one in order to trick you into giving up sensitive information such as passwords, account details or credit card numbers. It generally casts a wide net.

“Spear-phishing” is more targeted, hence the name, and uses personal details to trick you. It’s more sophisticated, and, unfortunately, research shows that it works.

Reviewing the White House email messages posted online reveals the sender used details about previous meetings and conversations to make themselves sound legit, and it worked. In this case, this information could have been culled from media coverage.

The rest of us who aren’t in the public eye still need to be sharp. We share personal information on social media accounts, professional networking sites, blogs, comments and so on. Clever perpetrators can use this seemingly innocuous information to their advantage.

Verify before sharing personal information

This can’t be overstated. Today, more and more of our sensitive information is stored online, and we all need to do our part to thwart attackers and protect ourselves. Protecting our logins is critical. It’s up to all of us to look out for scam websites and suspicious links.

If there’s something “phishy” about a message, try confirming through another method like a phone call, text or asking in person. Though he didn’t share his password or other highly secure information, Homeland Security Adviser Tom Bossert did pass along his personal email, unsolicited, because he trusted the message despite it being flagged by his email system. This brings us to our next thought.

When your email system flags a message as suspicious, you should…be suspicious

It stands out that at least one of the fake messages arrived flagged as [SUSPECTED_SPAM] by Bossert’s email service. That should be an immediate red flag to double-check where the mail came from before trusting it.

“Sometimes there are false positives, but it’s worth having an IT person check it if you don’t know how to do it yourself,” said Dave Miller, Mozilla Network Administrator. “This is especially true when a message gets spam-tagged, and it’s seemingly an ‘in-company’ mail, from someone in the same organization as you.”
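What “checking where the mail came from” looks like in practice is reading the headers that the receiving mail server adds, not the display name the sender chose. The script below is an added example, not code from the original post or from Mozilla: it takes a raw message and records the header evidence an IT person would look at, namely the spam tag in the subject, the SPF/DKIM/DMARC verdicts in the Authentication-Results header, a Return-Path outside the organisation on mail that claims to be “in-company”, and a Reply-To pointing at a different domain than the visible sender. The organisation domain example.com and both sample messages are constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Assumed organisation domain (not from the original post).
INTERNAL_DOMAIN = "example.com"

# Constructed sample: a message that claims to come from a colleague but was
# handed to our mail server by an unrelated relay, with a Reply-To that points
# somewhere else entirely. The [SUSPECTED_SPAM] tag mirrors the one the post
# mentions; the addresses and hosts are fabricated.
SAMPLE_SPOOFED = b"""\
Return-Path: <bounce@relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=relay.example.net; dkim=none; dmarc=fail header.from=example.com
Received: from relay.example.net (relay.example.net [203.0.113.10]) by mx.example.com
From: Casey Colleague <casey@example.com>
Reply-To: casey.personal@webmail.invalid
To: tom@example.com
Subject: [SUSPECTED_SPAM] Quick follow-up on last week's meeting

Great chat last week. Can you send me your personal email address?
"""

# Constructed sample: an ordinary internal message that passes every check.
SAMPLE_CLEAN = b"""\
Return-Path: <casey@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Casey Colleague <casey@example.com>
To: tom@example.com
Subject: Lunch tomorrow?

Noon works for me.
"""


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyze(raw_bytes):
    """Return a list of short finding codes for a raw RFC 5322 message.

    An empty list means none of the header checks fired. Each code names the
    header evidence that an IT person would look at before trusting the mail.
    """
    msg = email.message_from_bytes(raw_bytes)
    findings = []

    # 1. The mail system already tagged it; that alone warrants a second look.
    if "[SUSPECTED_SPAM]" in (msg["Subject"] or ""):
        findings.append("spam-tagged")

    # 2. Authentication-Results added by our own receiving server: any SPF,
    #    DKIM or DMARC verdict other than "pass" is recorded as a finding.
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=([a-z]+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")

    # 3. "In-company" mail whose bounce address lives outside the company.
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    if from_domain == INTERNAL_DOMAIN and return_path_domain and return_path_domain != INTERNAL_DOMAIN:
        findings.append("return-path-domain-mismatch")

    # 4. Replies would go to a different domain than the visible sender.
    reply_to_domain = domain_of(msg["Reply-To"])
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append("reply-to-domain-mismatch")

    return findings


def is_suspicious(raw_bytes):
    """True when at least one header check fired."""
    return bool(analyze(raw_bytes))


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(label, "->", analyze(raw) or "no findings")
```

Run against the spoofed sample it reports the spam tag, three failing or absent authentication verdicts, and both domain mismatches; the clean sample produces no findings. As the quote above notes, there are false positives: mailing lists and bulk senders legitimately use a bounce domain different from the From domain, so a finding is a prompt to confirm the message through another channel, not proof that it is forged.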

Avoid the hook

Whether or not you’re being “pranked” or phished, if someone is provoking you over email, it’s best not to take the bait. Don’t respond to spear-phishing efforts. Mark the message as spam, forward it to your IT department or your email provider and move on.

6 comments on “Don’t fall victim to spear-phishing”

  1. Sourdif Pierre wrote on

    Internet Health: Not a Partisan Issue

  2. Fred wrote on

    This morning I received about 100 junk emails. Is there any way to stop them?

    1. Craig – Bothell wrote on

      Fred – “This morning I received about 100 junk emails. Is there any way to stop them?”

      Short answer: SpamCop.net and knujon.net (“No Junk” spelled backwards).

      I use Thunderbird and after exhausting what I could do with the built-in “Junk” filter I added an extension called Habul to automate reporting of SPAM to SpamCop.org and Knujon.net. It was difficult to set up and automate, but my SPAM level after the first month of reporting dropped from 350-500/day to 10-20/day. I still carefully review everything I report to make sure it is legitimate SPAM, to avoid false reporting. Sometimes what gets caught isn’t SPAM and shouldn’t be reported. There isn’t a “totally” automated way to do this. Welcome to the war.

    2. Guido Re wrote on

      I’m using Firebird and I’m very careful not to open incoming mails which look legit but sometimes aren’t. A few of them come from people among my known contacts. When I occasionally ask them by phone, they declare not to have sent me any mail. I wonder how it is possible that a joker/spammer extracts a name from my address book in order to cheat me? Thanks for answering.

  3. James Wilson wrote on

    Today, after I sorted through my inbox placing important emails into relevant folders, I opened my spam box to filter out junk. One message contained a serious warning: “your inbox is full” (open here to find out why). Needless to say, I did not bite the bullet that could kill me.
    I have tried to use the more options on Yahoo, “Block spam”; it does not work. Every hour I get more, and within 1 hr my spam box is full again. Suggestions please.

  4. Matt wrote on

    I’ve had a few of those phishing messages saying my account had reached its storage limit.
    They said to click the link to enable more space. And another spammer requested verification of my account or it would stop sending & receiving messages. Of course I never took the bait, & in fact I got them caught by looking at the full headers then reporting them to the relevant domains & networks. Most domains & networks have an abuse address to report spam to; the FTC also has an address to report spam.