How to avoid a spear-phishing attack. 4 tips to keep you safe from timeless scams

The hacker's message is urgent and aimed directly at you. We'll teach you how to keep from getting duped.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
5 min read

Don't give cybercriminals access to your accounts by accident.

Angela Lang/CNET

Everyone has access to something a hacker wants. To get it, hackers might aim a targeted attack right at you. The goal might be stealing customer data that's useful for identity theft, your company's intellectual property or even your personal income data. The latter could help hackers steal your tax refund or file for unemployment benefits in your name.

Targeted attacks, also called spear-phishing, aim to trick you into handing over login credentials or downloading malicious software. That's what happened at Twitter in July, where the company says hackers targeted employees on their phones. Spear-phishing attacks also often take place over email. Hackers usually send targets an "urgent" message and include credible-sounding information specific to you, like something that could have come from your own tax return, social media account or credit card bill. These scams aim to override any red flags you might notice about the email with details that make the sender sound legitimate.

Bitcoin scam tweet on Joe Biden's hacked Twitter account

When Twitter employees fell for a spear-phishing trick, Democratic presidential candidate Joe Biden's Twitter account was compromised and pushed a cryptocurrency scam. CNET has blocked out the address that hackers included in the tweet.

Screenshot by Queenie Wong/CNET

Despite corporate training and stern warnings to be careful who you give your password to, people do fall for these tricks. In addition to the Twitter fiasco, there was the release of Hillary Clinton campaign chair John Podesta's emails, including his technique for making risotto (hint: keep stirring!). Podesta reportedly entered his personal username and password into a fake form designed by hackers specifically to capture his credentials.

Another consequence of falling for a spear-phishing scam could be downloading malicious software, like ransomware. You could also be convinced to wire money to a cybercriminal's account. So how do you avoid falling for a spear-phishing scam? By taking these security habits to heart.

Know the basic signs of phishing scams

Phishing emails, texts and phone calls try to trick you into visiting a malicious website, handing over a password or downloading a file. This works in email attacks because people often spend the whole day at work clicking on links and downloading files as part of their jobs. Hackers know this and try to take advantage of your propensity to click without thinking.

So the No. 1 defense against phishing emails is to pause before clicking. First, check for signs the sender is who they claim to be:

  • Look at the "from" field. Is the person or business's name spelled correctly, and does the email address actually match the name of the sender? Or are there a bunch of random characters in the email address instead?
  • While we're at it, does the email address seem close, but a little off? E.g. Microsft.net, or Microsoft.co.
  • Hover your mouse over any links in the email to see the true URLs they will send you to. Do they look legitimate? Remember not to click!
  • Check the greeting. Does the sender address you by name? "Customer" or "Sir" would be red flags.
  • Read the email closely. Is it generally free from spelling errors or odd grammar?
  • Think about the tone of the message. Is it overly urgent or trying to get you to do something you normally wouldn't?

Don't fall for more advanced phishing emails that use these techniques

Even if an email passes the initial smell test outlined above, it could still be a trap. A spear-phishing email might include your name, use more polished language and seem specific to you. It's just plain harder to notice. Then there are targeted phone calls, in which someone calls you and tries to manipulate you into handing over information or visiting a malicious website.

Because spear-phishing scams can be so tricky, there's an extra layer of caution you should apply before acting on a request that comes over email or the phone. The most important of these extra steps: guard your password. Never follow a link from your email to a website and then enter your account password. Never give your password to anyone over the phone.

Banks, email providers and social media platforms often make it policy to never ask for your password in an email or phone call. Instead, you can go to the company's website in your browser and log in there. You can also dial back to the company's call customer service department to see if the request is legit. Most financial institutions, like your bank, will send secure messages through a separate inbox you can access only after you've logged onto the website.

Beat phishing by calling the sender

If someone sends you something "important" to download, asks you to reset your account passwords or requests that you send a money order from company accounts, call the sender of the message -- like your boss, your bank or other financial institution, or the IRS -- and make sure they really sent it to you.

If the request came by phone call, you can still pause and double check. For example, if someone says they're calling from your bank, you can tell the caller you're going to hang up and call back on the company's main customer service line.

A phishing message will often try to make the request seem incredibly urgent, so you might not feel inclined to add an extra step by calling the sender to double-check. For example, an email might say that your account has been compromised and you need to reset your password ASAP, or that your account will expire unless you act by the end of the day.

Don't panic. You're always in the right if you take a few extra minutes to verify a request that could cost you or your company financially, or damage your reputation.

Lock down your personal information

Someone who wants to spear-phish you has to get personal details about you to get started. Sometimes your profile and job title on a company website will be enough to tip off hackers that you're a valuable target for one reason or another. 

Other times, hackers can use information they find about you in data breaches. There's not much you can do about either of those things.

But sometimes you're spilling information about yourself that can arm hackers. This is a good reason to set your social media accounts to private and not post every detail of your life on Twitter.

Finally, enable two-factor authentication on your work and personal accounts. It's a service that adds an extra step to the login process, and that means hackers need more than just your password to access sensitive accounts. That way, If you do hand over your credentials in a phishing attack, hackers won't have everything they need to log in and wreak havoc.

Follow these steps and you'll be prepared to avoid the pain of getting spear-phished. These tips are also good for avoiding coronavirus scams as well as tax scams. While you're learning how to stop hackers from making your life harder, you can also avoid getting malware on your Android phone and keep it safe even if it's refurbished.