How to Guard Against Spearphishing

If you have ever received an email telling you to verify your email address or account information, especially with an organization where you have no such account, you have seen phishing. Many would-be scammers blanket email accounts in hopes that a small percentage of recipients will fall for their con. Phishing is a numbers game knowing that some people will either purposefully or accidentally give away their information or money.

Spearphishing, on the other hand, is not a numbers game. Rather than casting a wide net, spearphishers will do their research to target you specifically. It takes the form of highly-specific emails, phone calls, texts or social media messages.

For example, one new spearfishing method seeks to collect two-factor authentication codes for banking accounts. The scammers will pose as a representative from your financial institution asking you to verify a nonsense expense. By this time, they have already somehow managed to get your contact information and the place where you bank—which is enough for many to let their guard down.

Unfortunately, since these scams can take many forms, there is no single trick to identifying a spearphishing attack. However, most spearphishing attempts seem to have one thing in common: the scammer will try to scare you into acting fast. Spearphishers hope that fear, urgency or embarrassment will cause your brain will jump into “fight or flight” mode—where rational thought tends to take a backseat.

Here are some more tips to avoid spearphishing:

• Be careful about what you post on social media. A CEO was tricked into giving up a lot of money just by a scammer using information found in a Facebook post the CEO made about an upcoming bike race.

• Don’t trust a phone call just because it is from a local number. It is very easy to spoof (or fake) the number that shows up in your caller ID, even if the number is from someone you know. However, if you were to call that number back, it would connect you to the person or business who actually owns that number. If you are ever suspicious, just hang up and call the person or business directly.

• Pay special attention to the details of an email. If the email is from a trusted person/organization, but seems slightly off, call them directly. His or her email login may have been compromised and someone is using it to trick you.

The Wyoming Small Business Development Center Network is offering free subscriptions to KnowB4, a basic cybersecurity training program to guard against, phishing, spearphishing and other attacks. For more information on this, send me an email at james@uwyo.edu

About Jim

Jim Drever is the regional director for Albany and Carbon counties and helps small business owners with general business topics and issues related to cyber security. Jim holds an MBA from the University of Wyoming and is a certified expert in cyber security.

When he’s not in the office:

When Jim is not helping clients, in his spare time he also works as a volunteer fire fighter and a volunteer ski patrol at Snowy Range Ski Area. He enjoys the outdoors, reading, traveling, and pursuing a lifetime of learning.