A spear-phishing message is an email that appears to be from an individual or business that you know. But it is really from criminal hackers who want your credit card and bank account numbers, log-in credentials to the secure networks you use and financial information on your computer.
Email from a "friend"
The spear phisher thrives on familiarity. He knows your name, your email address, and at least a little about you.
- The salutation on the email message is likely to be personalized: "Hi Bob" instead of "Dear Sir."
- The email may refer to a "mutual friend" or to a recent online purchase you've made.
Because the email seems to come from someone you know, you may be less vigilant and supply the information they ask for.
Using your web presence against you
You might post information on the Internet that spear phishers can use to trick you. For example, they might scan social networking sites, find your page, your email address, your friends list, and a recent post by you telling friends about the cool new camera you bought at an online retail site. Using that information, a spear phisher could pose as a friend, send you an email, and ask you for a password to your photo page. If you respond with the password, they'll try to use that password and variations to access your account on the online retail site you mentioned. Or the spear phisher might use the same information to pose as somebody from the online retailer and ask you to reset your password, or verify your credit card number.
Keep your secrets secret
How safe you and your information remain depends in part on how careful you are. Take a look at your online presence. How much information about you is out there that could be pieced together to scam you? Your name? Email address? Friends' names? Their email addresses?
Are you active on any of the popular social networking sites? Take a look at your posts. Anything there you don't want a scammer to know? Or have you posted something on a friend's page that might reveal too much?
Passwords that work
Do you use just one password or easily anticipated variations on just one? Both make it easy for a scammer to access your personal financial information. Every password for every site you visit should be different; really different. Random letters and numbers work best. Change them frequently. Your Internet security software and operating system can help you keep track of your passwords.
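To check your own passwords for "easily anticipated variations on just one," the added example below (not part of the original article) groups accounts whose passwords reduce to the same root once case, tacked-on digits or symbols, and common character swaps are ignored. The function names, site labels and sample passwords are constructed for illustration.

```python
import re
from collections import defaultdict

# Common character swaps people use to "vary" a password (assumed list).
SWAPS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def base_form(password: str) -> str:
    """Reduce a password to the root word a guesser would recognise."""
    p = password.lower()
    # Drop digits and punctuation tacked onto either end ("2024", "!", "#1").
    p = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", p)
    # Undo swaps inside the word, then keep letters only.
    p = p.translate(SWAPS)
    return re.sub(r"[^a-z]", "", p)


def find_variation_groups(accounts: dict) -> dict:
    """Return {root: [sites]} for every root shared by two or more sites."""
    groups = defaultdict(list)
    for site, password in accounts.items():
        root = base_form(password)
        if root:  # ignore passwords that have no letters at all
            groups[root].append(site)
    return {root: sites for root, sites in groups.items() if len(sites) > 1}


# Constructed sample data, not real credentials.
SAMPLE = {
    "photo-site": "Sunshine1",
    "online-retailer": "sunsh1ne!",
    "bank": "Sunshine2024",
    "email": "k9Qv#T2m8xLp",
}

if __name__ == "__main__":
    for root, sites in find_variation_groups(SAMPLE).items():
        print(f"{len(sites)} accounts share the root '{root}': {', '.join(sites)}")
```

Any account listed in a group falls if one password in that group is given away, which is the photo-page scenario described earlier.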
Patches, updates and security software
When you get notices from software vendors to update your software, do it. Most operating system and browser updates include security patches. And you should be protected by up-to-date Internet security software.
If a "friend" emails and asks for a password or other information, call or email (in a separate email) that friend to verify that they were really the one who contacted you. The same goes for banks and businesses. First of all, legitimate businesses won't email you asking for passwords or account numbers. If you think the email might be real, call the bank or business and ask. Or visit the official website. Most banks have an email address to which you can forward suspicious emails for verification.
And always remember: Don't give up too much personal information online, because you never know who might use it against you. Or how.