Monday, November 7, 2022

You may be familiar with phishing—scam emails (or direct messages, or social posts) that try to con you into giving up a password, downloading malicious software, or otherwise opening yourself up to a cyber-attack.

But have you heard of spear-phishing? These highly targeted attacks can be especially convincing and effective. They can be hard to avoid unless you’re on the lookout. 

Threats addressed specifically to you 

Run-of-the-mill phishing messages often look suspicious. They have generic salutations (“Dear account owner”) and may be riddled with errors. They go out to hundreds or thousands of recipients and often get caught by email security systems. 

But a spear-phishing message may be addressed specifically to you. It may claim to come from someone you know (e.g., your boss). It might include personal details—maybe gleaned from work websites or social media—that make it seem credible. It could slip past security systems. 

And spear-phishing attacks can come in forms you don’t expect at all. For example, a phone call from someone who tries to talk you into providing sensitive info.

Steps you can take to stay safe 

The usual anti-phishing precautions apply to spear-phishing, too. With emails, look for signs that a sender may not be who they claim: “from” addresses that don’t match the sender’s name; email addresses or URLs that seem slightly off; suspicious addresses hidden behind linked text.
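As an added illustration of those email checks (this script is not part of the original article), the function below looks for the signs just listed in a constructed sample message: a display name that does not match its address, a lookalike sender domain, link text that shows one URL while pointing at another, and a request for a password or multifactor code. The organisational domain and the sample message are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email) showing the signs named above.
SAMPLE = """From: "Jane Doe" <notices1234@uiowa-mail.example>
To: staff@uiowa.edu
Subject: Urgent: need your backup code today
Content-Type: text/html

<p>Please log in here: <a href="http://hawkid-login.example/verify">https://hawkid.uiowa.edu</a></p>
"""

EXPECTED_DOMAIN = "uiowa.edu"   # assumed organisational domain
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(\.[\w-]+)+", re.I)
CREDENTIAL_RE = re.compile(r"\b(password|passcode|backup code|verification code)\b", re.I)

def host_of(url):
    """Hostname part of a URL, lower-cased ('' if none)."""
    m = re.match(r"(?:https?://)?([^/:\s]+)", url.strip())
    return m.group(1).lower() if m else ""

def phishing_signs(raw, expected_domain=EXPECTED_DOMAIN):
    """Return the red flags from the article that appear in one raw message."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    # Display name that does not match the address it is attached to
    if name and not any(tok in local for tok in name.lower().split()):
        flags.append(f"display name {name!r} does not match address {addr!r}")
    # Sender domain outside the organisation, especially a lookalike of it
    if domain and domain != expected_domain and not domain.endswith("." + expected_domain):
        kind = "lookalike" if expected_domain.split(".")[0] in domain else "external"
        flags.append(f"{kind} sender domain: {domain}")
    body = msg.get_payload()
    # Link text that looks like a URL but points to a different host
    for href, text in HREF_RE.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if URL_LIKE.match(text) and host_of(text) != host_of(href):
            flags.append(f"link text {text!r} hides {href!r}")
    # Any request for a password or multifactor code
    if CREDENTIAL_RE.search(msg.get("Subject", "") + " " + body):
        flags.append("asks for a password or multifactor code")
    return flags
```

Running `phishing_signs(SAMPLE)` returns all four flags for the sample; a plain message from the organisation's own domain with no links or credential requests returns an empty list.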

But then apply another layer of caution, starting with these steps: 

  • Protect your passwords and multifactor passcodes: Any request for a password or multifactor passcode (for example, a backup code generated to complete Two-Step logins) is a huge red flag. Most legitimate organizations make it a point to never ask. And don’t follow links from emails to websites where you need to log in. If it’s a service you use, go directly there on your own. 
  • Secure sensitive files: Spear-phishers may seek more than just passwords. They might ask for work-related files with academic, financial, or patient-care info, taking advantage of the fact that work groups commonly need to share files among themselves. Always think twice before responding and see more info about data privacy below. 
  • Make a phone call: If you get an email or message that asks you to take action, call the purported sender to confirm the request is legit. This works with phone calls, too—tell the caller you’ll call back on their organization’s main line. 
  • Stay calm and take your time: Spear-phishers often try to make their requests sound especially urgent—they need info right now. Don’t fall for it. Take all the time you need to confirm that messages are real. 
  • Respect data privacy: Protecting your information makes it harder for spear-phishers to find and exploit personal details. Be conscious of what you’re sharing about yourself and others. Understand how data privacy is especially important for institutions like the University of Iowa. 

Resisting social ploys 

Most cybersecurity threats are social engineering attacks. They take advantage of our willingness to help, our deference to experts, or our busy schedules. Security breaches almost always leverage errors of human judgment. 

This is especially true of spear-phishing attacks that target our individual weak points. After all, who wants to push back on an “urgent” request from their “boss” on a hectic workday? 

But when sensitive data and systems are involved, precautions are always in order. Trust your instincts, verify requests, and don’t be conned.