How to avoid a spear-phishing attack. 4 tips to keep you safe from timeless scams
The hacker's message is urgent and aimed directly at you. We'll teach you how to keep from getting duped.
Laura HautalaFormer Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
ExpertiseE-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking.Credentials
2022 Eddie Award for a single article in consumer technology
Everyone has access to something a hacker wants. To get it, hackers might aim a targeted attack right at you. The goal might be stealing customer data that's useful for identity theft, your company's intellectual property or even your personal income data. The latter could help hackers steal your tax refund or file for unemployment benefits in your name.
Targeted attacks, also called spear-phishing, aim to trick you into handing over login credentials or downloading malicious software. That's what happened at Twitter in July, where the company says hackers targeted employees on their phones. Spear-phishing attacks also often take place over email. Hackers usually send targets an "urgent" message and include credible-sounding information specific to you, like something that could have come from your own tax return, social media account or credit card bill. These scams aim to override any red flags you might notice about the email with details that make the sender sound legitimate.
Despite corporate training and stern warnings to be careful who you give your password to, people do fall for these tricks. In addition to the Twitter fiasco, there was the release of Hillary Clinton campaign chair John Podesta's emails, including his technique for making risotto (hint: keep stirring!). Podesta reportedly entered his personal username and password into a fake form designed by hackers specifically to capture his credentials.
Another consequence of falling for a spear-phishing scam could be downloading malicious software, like ransomware. You could also be convinced to wire money to a cybercriminal's account. So how do you avoid falling for a spear-phishing scam? By taking these security habits to heart.
Know the basic signs of phishing scams
Phishing emails, texts and phone calls try to trick you into visiting a malicious website, handing over a password or downloading a file. This works in email attacks because people often spend the whole day at work clicking on links and downloading files as part of their jobs. Hackers know this and try to take advantage of your propensity to click without thinking.
So the No. 1 defense against phishing emails is to pause before clicking. First, check for signs the sender is who they claim to be:
Look at the "from" field. Is the person or business's name spelled correctly, and does the email address actually match the name of the sender? Or are there a bunch of random characters in the email address instead?
While we're at it, does the email address seem close, but a little off? E.g. Microsft.net, or Microsoft.co.
Hover your mouse over any links in the email to see the true URLs they will send you to. Do they look legitimate? Remember not to click!
Check the greeting. Does the sender address you by name? "Customer" or "Sir" would be red flags.
Read the email closely. Is it generally free from spelling errors or odd grammar?
Think about the tone of the message. Is it overly urgent or trying to get you to do something you normally wouldn't?
Don't fall for more advanced phishing emails that use these techniques
Even if an email passes the initial smell test outlined above, it could still be a trap. A spear-phishing email might include your name, use more polished language and seem specific to you. It's just plain harder to notice. Then there are targeted phone calls, in which someone calls you and tries to manipulate you into handing over information or visiting a malicious website.
Because spear-phishing scams can be so tricky, there's an extra layer of caution you should apply before acting on a request that comes over email or the phone. The most important of these extra steps: guard your password. Never follow a link from your email to a website and then enter your account password. Never give your password to anyone over the phone.
Banks, email providers and social media platforms often make it policy to never ask for your password in an email or phone call. Instead, you can go to the company's website in your browser and log in there. You can also dial back to the company's call customer service department to see if the request is legit. Most financial institutions, like your bank, will send secure messages through a separate inbox you can access only after you've logged onto the website.
Beat phishing by calling the sender
If someone sends you something "important" to download, asks you to reset your account passwords or requests that you send a money order from company accounts, call the sender of the message -- like your boss, your bank or other financial institution, or the IRS -- and make sure they really sent it to you.
If the request came by phone call, you can still pause and double check. For example, if someone says they're calling from your bank, you can tell the caller you're going to hang up and call back on the company's main customer service line.
A phishing message will often try to make the request seem incredibly urgent, so you might not feel inclined to add an extra step by calling the sender to double-check. For example, an email might say that your account has been compromised and you need to reset your password ASAP, or that your account will expire unless you act by the end of the day.
Don't panic. You're always in the right if you take a few extra minutes to verify a request that could cost you or your company financially, or damage your reputation.
Lock down your personal information
Someone who wants to spear-phish you has to get personal details about you to get started. Sometimes your profile and job title on a company website will be enough to tip off hackers that you're a valuable target for one reason or another.
But sometimes you're spilling information about yourself that can arm hackers. This is a good reason to set your social media accounts to private and not post every detail of your life on Twitter.
Finally, enable two-factor authentication on your work and personal accounts. It's a service that adds an extra step to the login process, and that means hackers need more than just your password to access sensitive accounts. That way, If you do hand over your credentials in a phishing attack, hackers won't have everything they need to log in and wreak havoc.