5 tips to avoid spear-phishing attacks


The word “Burisma” is all over the news at the moment – it’s a Ukrainian energy company that, according to some claims, was broken into by Russian hackers looking for sensitive data to steal.

As you can imagine, the hackers are said to have got in by means of phishing attacks.

Phishing, very briefly defined, is where a cybercriminal tricks you into revealing something electronically that you ought to have kept to yourself.


The good news is that most of us have learned to spot obvious phishing attacks these days.


The bad news is that you can’t reliably spot phishing attacks just by watching out for obvious mistakes, or by relying on the crooks saying “Dear Customer” rather than using your name.


You need to watch out for targeted phishing, often rather pointedly called spear-phishing, where the crooks make a genuine effort to tailor each phishing email, for example by customising it both to you and to your company.


Spear-phishing, where the fake emails really are believable, isn’t just an issue for high-profile victims such as the Burismas of the world.


Acquiring the specific data needed to come up with personalised phishing emails is easier than you might think, and much of the data gathering can be automated.


Tips for you

So here are our 5 tips for dealing with phishing attacks, especially if you’re facing a crook who’s willing to put in the time and effort to win your trust instead of just hammering you with those “Dear Customer” emails:


1. DON’T BE SWAYED JUST BECAUSE A CORRESPONDENT SEEMS TO KNOW A LOT ABOUT YOU

Someone who has never met you, and never will, can nevertheless easily project themselves as an “insider” – a friend-of-a-friend, perhaps, or a colleague you’ve worked with electronically but never met face-to-face.


With a mixture of information collected from already-public data breaches, social media profiles and historical emails that you sent or received, even a modestly funded crook without much technical savvy can sound a lot more convincing than “Dear Customer.”


2. DON’T RUSH TO SEND OUT DATA JUST BECAUSE THE OTHER PERSON TELLS YOU IT’S URGENT

A lot of email scams work because the crook wins your trust, or makes you think they are someone high up the organisational chart in your own company, and then stresses how urgent the task they’ve just given you is.


They will often resort to flattery, too, by explaining why they are asking you and not anyone else, and impress on you that the task is confidential and therefore must not be discussed with anyone else.

Never take a demand for total secrecy as a sign that the other person is being prudent – treat it as a sign that something is suspicious instead.