
Tip of the Month - June 2019

Spear Phishing

While wide-net phishing email tactics are very common, they are not the only way attackers steal information. Sometimes, attacks are conducted on specific people within an organization who are in a position to buy things with company funds or to reveal privileged information. The use of these targeted emails is referred to as "spear phishing".

Spear phishing emails take advantage of a few techniques to trick victims.  These techniques have some common themes.

  1. Spear phishing emails may come from a spoofed or compromised email account. By imitating a supervisor or colleague, the attacker is attempting to boost their email's credibility, which can mislead the recipient.
  2. Spear phishing emails are often carefully worded so that they do not include information that conflicts with information the recipient likely knows.  
  3. There is always some sort of request associated with a spear phishing email.  A good rule for protecting yourself from spear phishing is to think about the standard processes that you are expected to use when doing your job. If you are being asked to do something that you would not normally do over an email request, like buy gift cards or discuss a sensitive topic, then there is a good chance that the email is a spear phishing attack.

If you are unsure in any way, report it to [email protected]. Even if the email turns out to be legitimate, it is better to report it than to fall victim to a spear phishing scam.

Report an Information Security Incident

Please report any level of incident, no matter how small. The Information Security office will evaluate the report and provide a full investigation if appropriate.