Phishing & Spear Phishing

Let's talk about social engineering via email. First we have phishing. Phishing is basically a mass email campaign that typically tries to trick a user into opening an infected attachment, clicking on an infected web link, or giving up some personal or organizational information. Often the senders' addresses are faked, a process called spoofing, so the message will appear to be from someone you know or just someone who sounds legit, like a bank. Totally fake. Frequently these messages will be urgent for one reason or another: your bank account is about to be closed, you've missed an important delivery, there's a follow-up on a dreadfully important invoice and you've got to pay it or they're going to shut off your power, or, "oh, by the way, you just won the lottery, but you've got to claim it today." That kind of thing.


The whole idea is to get you to take action by clicking on the infected link or opening the infected attachment. One thing about phishing is that it's generally a scattershot approach: around 156 million phishing emails are sent every day, according to a study by Cybersecurity Partners in the UK. So that's quite a few. A related concept is the W-2 scam. Hundreds of organizations have been hit by this. In effect, the attacker is trying to get employee lists, which are then, believe it or not, used by gangs to trick the IRS into accepting a fake tax filing and paying out a fake refund. They take it out of the bank, spend it, and disappear, and then you have trouble filing your actual return.


Does this sound convoluted and crazy? Sure. Unfortunately, it also actually happens. And they don't just go after bigger companies; they'll basically tag anyone who's up there and available. The attacks have increased tremendously: just between 2016 and 2017 the count went from about a hundred to about 870, and it keeps going up. Presume that any email you see from a bank, etc., is fraudulent, and if you're at all concerned, contact that organization directly by phone, through its official website, or even by visiting an office or branch. Whatever you do, don't use the number listed in the email to call back, because if anything you'll get the scammer, who will be happy to tell you that it's not a scam. Another thing you can do, if you're looking at a web link specifically and you're on a laptop or desktop computer, is hover over it with your cursor; the lower left of the screen will then show where the link actually goes, and if that's nothing at all like what's listed in the message, that's a red flag.

Now this can come in a lot of different fashions. Unfortunately, there's no one way that phishing emails tend to happen; anything can be used to trick you, and as long as it works, they'll try it. One thing you might see is something like a fake software update. Another one that frequently happens, which we've mentioned in a few other segments, is an email that comes through unreadable, with a little note saying, "Oh, if you can't read it, just enable macros." Macros are a task automation feature in Microsoft Word, and enabling them is what triggers the attack. It's best to leave them disabled on your system all the time.

A related concept to phishing is spear phishing. That's kind of like phishing, but personalized to the recipient. Often it will appear to come from someone you know, with details that make it look legit. For example, it might be someone masquerading as a person from your IT company asking for your network login information to perform some sort of alleged security check or system update. Again, an easy way to stop this is to place a quick call (again, not using anything in the email) right to your IT company and see if they're actually trying to contact you. 50/50: sometimes they might be, sometimes they're not, and you're about to get robbed, effectively, if you don't catch it. Emails can also reference some critical report which they forget to include as a link; you can find it via Google, but that's actually an infected website. Like I say, there are no rules here, so anything they can do to trick you, as long as it works, they win. And like I said, never hesitate to call and check. If you see something in there that looks iffy, pick up the phone. It never hurts.

Also, one thing to realize about these attacks, be it phishing or spear phishing: they don't necessarily have to come via email. They can also come via text message, something called smishing (the name comes from SMS, short message service, which is the proper name for texting), or via instant message or any social network just as easily. The whole idea is to trick you. And again, there are no rules.

Phishing

  • Mass email campaigns that typically try to trick users into opening an infected attachment, clicking on an infected web link and/or giving up personal or organizational information
  • Presume that any unsolicited email from a bank, IRS, etc. is fraudulent and – if you are at all concerned – contact the organization directly via phone, through its official website or visit an office, branch, etc.

Spear Phishing

  • Somewhat like phishing, but personalized to the recipient
  • Often appears to come from someone you know, with details to make it look legitimate
  • Never hesitate to call and check

Any of these attacks can come via text message (known as “smishing”), instant message or any social network just as easily.