Hi. Today we’re going to talk about spear phishing. Now, I’m not talking about diving underwater and trying to catch fish with a spear. I’m talking about spear phishing spelt with a P-H, so P-H-I-S-H-I-N-G. Spear phishing spelt that way is an email-based scam targeted at a specific individual or organization. Microsoft reports that spear-phishing attacks have doubled in the last year. Having said that, I should point out that most spear-phishing attacks are aimed at larger businesses and larger organizations, because they are really, really targeted and they take a lot of time to get working. But they’re still important to know about.
A basic example of a spear-phishing attack would be, say, a job that has been advertised in a large company. The HR person gets an email with all the correct details from a prospective job applicant. HR opens the resume, which then infects their computer. That’s an example of that.
I bring this up because spear phishing is the highly targeted version of phishing, which is the more common type of attack. Those are the ones you’re likely to get attacked by. An example would be “PayPal” sending you an email asking you to verify your account details by clicking a link, which can then install malware on your computer. The link might say, “Log in to this site,” which is a fake site. Then they’ve got your login and your password.
There are a couple of things you can do about that, because a lot of those are quite sneakily done. One is to install two-factor authentication. Microsoft says that two-factor authentication stops 99.9% of automated attacks on your system. That’s the number one big one.
Also, a password manager. Say, for instance, fake PayPal has sent you an email requesting that you verify your account. You click on the link and you log in to a site which looks exactly like PayPal. What you don’t notice is that it’s actually spelled P-A-Y-P-A-1.com. So it looks very close to PayPal, and they dress the site up to look exactly like PayPal. If you go to log in to this fake PayPal site, your password manager, which would normally offer to put your login and your password in, won’t come up, because it doesn’t recognize that as your legitimate site. There are times when it is the right one, but at least you can have a look and get suspicious.
The other thing is, because a lot of these are automated, there may be slight spelling or grammar mistakes, or just clumsy English. You know that if something comes from PayPal or the big banks or anyone like that, any big organization, they’re going to send you a well-crafted, well-written email in good English. They’ve got paid professionals to make sure the emails come out looking professional. If it’s not the usual level of professionalism that you expect from that company, the next thing to do is just roll your mouse over the link, and in the bottom left corner of your browser it’ll tell you the real link. If you roll over something that says, “Click here to verify your account,” and it’s purportedly from PayPal, then if you look down at the actual URL, the actual web address, it might say abracadabra.com or whatever. Then you know: no, just don’t go there. Just delete the email.
Also, you can enter a fake password first when you log in to the site that you’ve been sent by this email. If the site is fake, it will accept your password; if it’s real, it will give you an error.
The final thing to do is, if you suspect an email, say a fake one from PayPal (well, PayPal is not a very good example because they don’t answer their phones, but say from a bank or somewhere like that), just ring the bank or ring the organization and ask them. They’ll be really pleased that you’ve rung them, because they want to know what phishing emails are going around. They’ll almost always tell you whether your email is a scam or not. That’s the best thing to do. Even with PayPal, send them an email, unless they’ve changed their policies and they do talk to you now, but they never used to. All right, thank you very much and goodbye.
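The two link checks described in the talk, the hover check (where does the link really go?) and the password manager’s exact-domain match (why a lookalike such as paypa1.com gets no autofill), written out as an added Python example; this is not code from the original talk. It pulls every link out of an HTML mail body, compares the domain each one points at with the site the mail claims to be from, folds the common digit-for-letter swaps so that a lookalike is reported as such rather than as just “unknown”, and shows the exact match a password manager performs. The sample mail body, the list of known sites and the small confusable-character table are constructed for the example, and the two-label “registrable domain” rule is a simplification (a real tool would consult the public suffix list).

```python
"""Added example, not code from the original talk: automate the two link
checks the talk describes (hover to see the real URL; let the password
manager's exact-domain match expose a lookalike site)."""

from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for the example: the sites this mailbox owner actually has
# accounts with, i.e. what a password manager would hold entries for.
KNOWN_SITES = {"paypal.com", "example-bank.com"}

# Digit-for-letter swaps that read like the real thing at a glance
# (paypa1.com for paypal.com). Constructed; a real tool would use a
# fuller confusables list.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so the visible text reads as one line.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Reduce a host to its last two labels: www.paypal.com -> paypal.com.
    Good enough for .com-style names; a real tool would consult the
    public suffix list so that co.uk-style names work too."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_domain(url):
    """The domain a link really goes to, as the browser status bar shows it."""
    return registrable_domain(urlparse(url).hostname or "")


def normalise(domain):
    """Fold the common lookalike tricks so paypa1.com compares equal to
    paypal.com and rnicrosoft.com to microsoft.com."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify(href, claimed_site):
    """The hover check: where does this link really go, compared with the
    site the mail says it is from?"""
    actual = link_domain(href)
    if actual == claimed_site:
        return "ok"
    if normalise(actual) == normalise(claimed_site):
        return "lookalike"   # paypa1.com, rnicrosoft.com ...
    return "mismatch"        # "click here" pointing at abracadabra.example


def password_manager_would_autofill(url, known_sites=KNOWN_SITES):
    """A password manager offers credentials only for the exact domain it
    saved them for, so a lookalike or unrelated host gets nothing."""
    return link_domain(url) in known_sites


def scan_email(html, claimed_site):
    """Return (href, visible text, verdict) for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, classify(href, claimed_site)) for href, text in parser.links]


# Constructed sample: a mail that claims to come from PayPal.
SAMPLE_MAIL = """
<p>Dear Customer, we noticed unusual activity on your account.</p>
<p><a href="http://www.paypa1.com/verify">Log in to PayPal</a> to confirm your details.</p>
<p>Or <a href="https://abracadabra.example/x?u=42">click here to verify your account</a>.</p>
<p>Regards, <a href="https://www.paypal.com/help">PayPal Help Center</a></p>
"""

if __name__ == "__main__":
    for href, text, verdict in scan_email(SAMPLE_MAIL, "paypal.com"):
        fill = "autofill" if password_manager_would_autofill(href) else "no autofill"
        print(f"{verdict:9} {fill:12} '{text}' -> {href}")
```

Run as a script it reports the first link as a lookalike (paypa1.com), the second as a mismatch (abracadabra.example), and only the genuine paypal.com link as one the password manager would fill. Note what the exact match does not catch: a link whose domain is simply unrelated still has to be judged against the claimed sender, which is why `classify` takes the claimed site as an input rather than guessing it from the link text.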