We’re Dreaming of a Phishing-Free Christmas: Get Savvy for the Holidays!

by Kelly McNeil on December 18, 2019

The holiday season is here! Time for last-minute online present shopping, an increasing number of holiday-related emails in your inbox, and hackers trying to take advantage of it all. Although the year has already been full of malware attacks, Christmas time is when spammers take full advantage of your busy schedule to bombard you with malicious emails in hopes of getting you on their hook.

Ever gotten a piece of spam email that has your full name, accurate details about an online account, and looks almost exactly like a “real” email you’ve gotten from a service provider before? Congratulations, you’ve gotten spear phished! It’s our Hot Holiday Trend of 2019, but not in a good way.

Not sure what “spear phishing” means? Still think it’s only something you do when you’re on vacation in the Bahamas? Keep reading to learn more about this increasingly common (and dangerous!) form of spam, and why you might be seeing more of it in your inbox soon.

Phishing? Spear phishing? What are they, and what’s the difference?

Phishing and spear phishing are similar: they’re both online attacks that aim to acquire confidential information that can be used maliciously (like your bank credentials, social security number, passwords, etc.). Phishing is a broader term for attacks that are not personalized and are usually sent to a large number of people at the same time. Often, this looks like some sort of official and trustworthy communication (like an email from Amazon, or a text from your credit card company). The phishers are trusting that, by widely casting their net, they have a greater chance of catching a victim.

Spear phishing attacks target an individual victim, and the messages they contain are modified to specifically address that victim, claiming they come from an entity the victim is familiar with and containing personal information (like a full name or geographic location). They often include urgent calls to action to stop their victim from examining the message too closely.

Because spear phishing attempts are so personal, they are more difficult for the average user to identify. Spam email isn’t just easily identifiable junk anymore; it has evolved to fool you. This is why the amount of spear phishing is increasing: because it works!

How does spear phishing work?

Spear phishing attackers target people who put personal information on the internet without proper security precautions (like making your pages private). From looking at an online profile, they might be able to find a victim’s email address, friends/followers list, geographic location, and any posts about services the victim uses or products they have. With this information, a spear phisher could then construct a convincing email as a friend or familiar entity and send a fraudulent message to their target.

The target is asked to open an attachment (often containing malware) or click on a link that takes them to a fake website where they are asked to enter passwords, account numbers, credit card information, and other sensitive data. The spear phishers can then use that information to access their victim’s various online accounts and wreak havoc.

How can I protect myself?

  1. Have secure passwords

Reusing passwords across multiple accounts means that if a hacker has access to one of your passwords, they have access to all the accounts you use that password for. Every password you have should be different and should include basic security features like numbers, special characters, and a mix of uppercase and lowercase letters to make your passwords more difficult to guess. Not sure how to create a secure password? You can check out TechBldrs’ Hack-Proof Password Formula on our blog (techbldrs.com/blog/passwords)!

  2. Hover over links before clicking

It’s possible for a link to say it leads to one site when in reality it leads to another. Many spear phishing attackers will try to disguise link destinations by using link text that looks like another (trusted) URL. Hover your mouse over a link before clicking on it to see where that link is really taking you, and whether it’s a site you truly want to visit.

  3. Adjust your privacy settings

Take a look at your online profiles and assess how much personal information you’re sharing, what your privacy settings are, and what sort of data attackers could glean from one quick look at your account. If there is anything you don’t want a potential spammer to see, do not post it, or, at the minimum, make sure that your security and privacy settings limit what others can see.

  4. Use common sense

Companies will not send you an email asking you to give them your username, password, and other important account information unprompted. Likewise, if you get an email from a friend or acquaintance asking for personal information or money, be cautious. Check with that friend on the phone or in person about the validity of the email: they may have been hacked and not even know!

Still worried you won’t be able to recognize a phishing or spear phishing attempt? If you don’t get a lot of spam or aren’t familiar with the tactics spammers use, you’re the perfect target, since you’re more likely to fall for their tricks. You can learn more and test your knowledge at phishingquiz.withgoogle.com, a phishing resource put together by Google.

Now more than ever, people are vulnerable to spear phishing. Protect yourself this holiday season by keeping our tips in mind. Spear phishers are making their list and checking it twice, and you don’t want to be on it!

Still have questions? Want to know what else you can do to protect your personal information online? Call us at (610) 937-0900 for advice or for a free Dark Web scan!
