Spear Phishing

Download this PDF - View all Publications

In the “Land of 10,000 Lakes,” everybody knows what “fishing” is, and many people are also familiar with “phishing” scams. “Phishing” occurs when a criminal sends an email impersonating a financial institution, government agency, or reputable company and asks the recipient to verify his or her personal or financial information. Today’s scam artists have now turned to a more sophisticated, targeted, and profitable version of the scam, known as “spear phishing.”

History of “Spear Phishing”

Phishing scams have existed in one form or another since the late 1980s. Decades after the scam first appeared, people are more suspicious of questionable emails from unknown senders. Spam filters often help prevent these emails from ever reaching the intended recipient’s inbox. As a result, scammers are increasingly targeting people and businesses with spear phishing scams. While “phishing” emails may be sent to thousands of people, “spear phishing” emails are much more selective.

It Happens Like This

“Chris” received an email that appeared to come from his company’s human resources department. The representative asked Chris to send information from his W-2 form to her for tax purposes. Chris noticed that the tone of the email was different from other emails he had received from the human resources department and thought it was strange that the representative did not already have his W-2 information. He called the representative directly to ask about the email. When she told him she did not send the email, Chris looked more closely at the sender’s email address and realized that it differed slightly from his company’s email format. Chris reported the email to the company’s computer specialist and the criminal authorities.

How It Works

Spear phishing occurs when a scammer poses as a company representative, often an executive or human resources representative. The scammer sends an email to an employee at the company, often from a hacked or “spoofed” email address or an address that closely resembles the company’s email format. For example, if a company’s email format is user@321company.com, a scammer might use user@321company.net, or user@321compny.com.

Sometimes the scam artist asks employees to provide personal information, such as Social Security numbers, tax documents, or account passwords. Other times, the scam artist asks the employee to send a wire transfer to another person or deposit a certain amount of money into an outside bank account. The scammer often creates a sense of urgency so that the employee will send the requested information or money before he or she has time to verify the legitimacy of the request.

Spear phishing is often more profitable than a basic phishing scam. First, scammers research a company to convincingly impersonate the target’s boss or co-worker. People are more likely to be victimized because the email appears to come from a trusted source. Second, spear phishers may use the information they obtain to steal the identities of every employee at a business and file thousands of fake tax returns. By filing fake tax returns or selling private information to other criminals, spear phishers can make a lot of money very quickly, even if only one person falls for the scam.

Protect Yourself from Spear Phishing Attacks

The use of spear phishing attacks to steal personal information and money remains a widespread problem. There are several steps you can take to help protect yourself—and your co-workers—from spear phishing attacks, including:

Reporting Spear Phishing Attacks

You may report Internet fraud to the Federal Bureau of Investigation’s Internet Crime Complaint Center online at www.ic3.govexternal link icon or to the following agencies:

Federal Bureau of Investigation
Minneapolis Office
1501 Freeway Boulevard
Brooklyn Center, MN 55430
(763) 569-8000
www.fbi.gov external link icon

Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue NW
Washington, DC 20580
(877) 382-4357
TTY: (866) 653-4261
www.reportfraud.ftc.gov external link icon

Related Posts:

Guarding Your Privacy

Identity theft is on the rise nationwide and is helped along by lenders and creditors who are willing to grant thousands of dollars in credit in mere minutes with little or no proof of identity. This booklet will help you guard your privacy, protect your personal information and avoid identity fraud.

Protect Yourself from Identity Theft

The Federal Trade Commission estimates that over eight million Americans become victims of identity theft each year, resulting in billions of dollars in losses. The problem has significantly increased over the last decade, with complaints about identity theft rising by more than 578% in the last ten years. Don't let this happen to you!

Voice Phishing - or "Vishing" - Calls

In voice phishing - or "vishing" scams, callers impersonate legitimate companies to steal money and personal and financial information. And these scams are on the rise.