My son called me and said that an email I’d sent him looked exactly like “spear fishing” mail. What does that mean?
It’s a sure bet that your son didn’t mean that the two of you should go and re-enact Moby Dick with spears being tossed from a boat in a rough sea, but that instead he was referring to a variation of phishing called spear phishing. To understand what it is, think about how spear fishing (with an “f”) works: you pick out a specific fish, then attack.
Spear phishing is rather the same sort of thing: the bad guys target a specific person — like you! — and send you a phishing email message that seems like it’s from one of your friends and so, of course, looks legit.
But let’s back up. Phishing is when a bad guy tries to get you to reveal private account information, typically a login and password pair, so they can log in to a site as you and then gain access to your funds, private data, personal correspondence, or similar. Definitely not good, and commonly implemented as an email that claims to be from your bank and says you need to log in to update your account. And there’s a convenient clickable link right in the message. Except it doesn’t go to Wells Fargo or Bank of America, it goes to the bad guy’s site.
A typical phishing email message might look something like this:
This particular phishing email is rather poorly done, with its typos, bad formatting and other problems, and any decent email system will show you the URL you’d reach if you did click on the “Click here” button (it sure ain’t apple.com), but still, these often fool people. Best way to tell? Look for the security certificate on the Web page and pay particularly close attention to domain names.
I often get spam targeted to other people who seem to have become associated with my email address, and these are particularly easy to detect:
In this case, of course, the person who’s in their spam database is “Bob Bob” from Long Island City. It rather jumps out, doesn’t it? But if it was your name and your city, would you be fooled?
In this instance, the “Claim it Now” link would take you to a page saying that you have to verify your identity by entering your name, address, and, probably, social security number. Everything an identity thief needs to sell your information on the black market. And that unclaimed cash? I wouldn’t count on it.
But what about “spear phishing”? That’s when you get a message that appears to be from someone you know and is aimed specifically at you. Common types of spear phishing include messages about the friend being on a trip or vacation and having their purse/wallet stolen. But you can help! Send money now.
Sometimes spear phishing is more succinct too, as in this message “from” my friend Steve:
Of course it’s not from him, and the Web site? Nothing he’d be recommending to me. One way I can tell? I got exactly the same message with the same link “from” two other colleagues too.
The moral of the story? If you get a message that is at all suspicious, listen to your gut. If it says you need to do something (send money, share your contact information or a credit card, loan them your password), just say no. If you’re really not sure, email or call your friend and ask them to verify.
And so, finally, back to what your son said, that your email looks like spear phishing. Probably all he meant is that you’re sending links but without any explanation or commentary. So next time? Just add a sentence or two explaining what the site’s about and why you sent the link.
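Two of the checks described above can be automated: seeing where a “Click here” link really goes compared with the domain the message claims to come from, and noticing the same link arriving “from” several different people. The following Python sketch is an added example, not part of the original article; the function names and the sample messages, addresses and hosts are constructed placeholders.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (destination host, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._host, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            self._host, self._text = (urlsplit(href).hostname or "").lower(), []
    def handle_data(self, data):
        if self._host is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._host is not None:
            self.links.append((self._host, "".join(self._text).strip()))
            self._host = None

def links_in(html_body):
    parser = LinkCollector()
    parser.feed(html_body)
    return parser.links

def off_brand_links(html_body, claimed_domain):
    """Links that do not lead to the claimed domain or one of its subdomains."""
    return [(text, host) for host, text in links_in(html_body)
            if host != claimed_domain and not host.endswith("." + claimed_domain)]

def hosts_shared_by_senders(messages, min_senders=2):
    """Link hosts that show up in mail 'from' several different senders."""
    seen = defaultdict(set)
    for sender, html_body in messages:
        for host, _ in links_in(html_body):
            seen[host].add(sender)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_senders}

# Constructed samples; every address and host below is a placeholder.
FAKE_APPLE = ('<a href="http://apple.com.account-check.example/login">Click here</a>'
              '<a href="https://support.apple.com/">Help</a>')
INBOX = [("steve@friends.example", '<a href="http://deals.example/x">look</a>'),
         ("ann@work.example", '<a href="http://deals.example/x">look</a>'),
         ("raj@work.example", '<a href="http://deals.example/x">look</a>'),
         ("mom@family.example", '<a href="https://recipes.example/pie">pie</a>')]

if __name__ == "__main__":
    print(off_brand_links(FAKE_APPLE, "apple.com"), hosts_shared_by_senders(INBOX))
```

The first check compares the end of the host name, so a host that merely starts with “apple.com” is still flagged while a real subdomain such as support.apple.com is not.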