How Internet scams evolve: Spear Phishing
Many people fall for phishing scams (otherwise they wouldn't be so abundant), but because these scams rely on mass emails sent out to thousands of people, they can be easy to spot if you're Internet savvy. A phishing scammer may try to get hold of account numbers for Bank of America and send his email out to many people who don't even have Bank of America accounts. Because the scammer knows very little about his victims, it can be difficult to trick them into thinking his emails are legitimate.
But what if the scammer targeted you or your colleagues specifically? What if he researched information about an organization you belonged to, your workplace, or other personal information, and then tailored his email to you accordingly? Would it be so easy to recognize it as a scam?
Unfortunately, such a trend is emerging. In what has been dubbed "spear phishing," scammers are increasingly focusing their emails on smaller and smaller groups of people and succeeding in getting them to hand over their account info and other personal information. According to the FBI website:
How spear phishing works. First, criminals need some inside information on their targets to convince them the e-mails are legitimate. They often obtain it by hacking into an organization’s computer network (which is what happened in the above case) or sometimes by combing through other websites, blogs, and social networking sites.
Then, they send e-mails that look like the real thing to targeted victims, offering all sorts of urgent and legitimate-sounding explanations as to why they need your personal data.
Finally, the victims are asked to click on a link inside the e-mail that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, etc.
Of course, even when a scam email is targeted specifically at you, the scammer must leave some tell-tale signs that his email isn't legitimate. For instance, if you hover over the embedded link, the URL it reveals will often point to a domain not related to the organization's website.
eHow has a list of ways to recognize spear phishing scams:
The next step to recognizing spear phishing e-mails is to familiarize yourself with how they look. Spear phishing e-mails seem to come from trusted institutions, address the victim directly and use action phrases that draw their victims into giving up personal information. These action phrases play to two basic emotions to lure people in: greed and fear.
By educating their employees and members and employing effective network management strategies, companies and organizations will be able to thwart would-be scammers. The evolution of phishing scams from mass emails to targeted attacks is yet another example that those who wish to do harm to Internet users will not stop in their pursuit of cyber crime. We will always have to continue to adapt to their shifting tactics.
Ordinary phishing emails
Ordinary phishing emails typically contain a link to a counterfeit website, designed to look like an authentic login page. It will actually capture personal data for cyber criminals, who will use it to commit financial fraud.
Very well written article
Lucky me, after reading your article I installed anti-phishing applications. I guess I am safe now :)