NORMAN — By now, most of us have seen so-called “phishing” emails, designed by scammers to separate us from our money. These messages look legitimate, as if they are from bona fide companies trying to protect us, directing us to log in and “verify” our online accounts. They are, of course, totally fake.
For the past few years, more sophisticated phishing email scams have appeared, called “spear phishing.” The word “spear” has been added because these bogus emails are much more targeted and focused in their approach, including personal details such as your name, the company you work for, and even your street address. In addition, they seem to come from someone you actually know. Spear phishing is proving to be a much more lucrative con than old-fashioned phishing.
Spear phishing’s success is in the details. Would a spear phishing attack fool you? Imagine your name is Bob Everyman and you work for Acme Widgets at 123 Main Street. You get an official-looking email from “John” in the Acme Widgets I.T. department that says, “Dear Bob Everyman. We have noticed increased spam activity on the company network, with spammers trying to access company email accounts. To end this problem, we are issuing new passwords for all email accounts.”
“Please reply to this message by sending us your current password and we will issue you a new alpha-numeric password for your email account. Thank you for helping enhance email security at Acme Widgets.” The message is signed by “John Jones, Acme Widgets I.T. Department” and includes the correct company address and phone number. Plus, the company logo is right there at the top of the message.
Would you do it? Would you send “John the I.T. guy” your password?
Computer security guru Bruce Schneier, quoted by the New York Times, describes the situation like this: “It’s a really nasty tactic because it’s so personalized. It’s an e-mail from your mother saying she needs your Social Security number for the will she’s doing. This is hacking the person, it’s not hacking the computer.”