Cyber attacks and resulting data breaches often begin with a spear-phishing email. Spear phishing differs from regular email phishing in its use of extensive research to target a specific audience, which allows the spear phisher to pose as a familiar and trusted entity in its email to a mark. Spear phishers seek a company's valuable information—such as credentials providing access to customer lists, trade secrets, and confidential employee information—and some of their methods include:
- Directing email recipients to fake (but authentic-looking) websites that ask for information like account numbers, passwords, or other credentials; and
- Inducing recipients to click on links or attachments that download malware onto the recipient's computer. The malware often allows the phisher to steal passwords and sensitive data by, for example, tracking keystrokes.
The IRS offers the following tips to protect against spear phishing:
- Educate all employees about phishing in general and spear phishing in particular.
- Use strong, unique passwords with a mix of letters, numbers, and special characters. Also, remember to use different passwords for each account.
- Never take an email from a familiar source at face value, especially if it asks you to open a link or attachment, or includes a threat about a dire consequence that will result if you fail to take action.
- If an email contains a link, hover your cursor over the link to see the web address (URL) destination. If it's not a URL you recognize, or if it's an abbreviated URL, don't open it.
- Poor grammar and odd wording are warning signs of a spear-phishing email.
- Consider calling the sender to confirm the authenticity of an email you're unsure of, but don't use the phone number in the email.
- Use security software that updates automatically to help defend against malware, viruses, and known phishing sites.