Sniffing out spear phishing scams

By Ken Colburn, Data Doctors

PHOENIX — Question: If ransomware hackers can infect me by sending fake email messages from the company I work for, how am I supposed to protect myself?

As I discussed in a recent post, crypto ransomware uses a variety of methods to trick victims into clicking on malicious links or opening rigged file attachments.

One of those methods is referred to as “spear phishing,” because the hackers are using information about you to make the message seem more legitimate.

These social engineering techniques continue to be a hacker’s preferred method of gaining unauthorized access to your computer. The way the hackers figure, why spend endless hours trying to hack in from the outside when it’s so much easier to trick a human into allowing them in?

You’ve likely experienced and can identify the obvious phishing scams. When it’s an alert from a bank you don’t have an account with or a retailer you’ve never purchased anything from, you tend to know better.

But spear phishing is a targeted scam message from a bank or organization that you actually do business with. And with ransomware, the message often appears to be from your employer.

Hackers know you get e-mails from your company all day long, so sending you a message that appears to be from your HR department or a co-worker is more likely to get opened.

If, for example, you got a message from the owner or CEO of your company with news that the company was being acquired, wouldn’t that concern you? You would probably open the attached “announcement” document without even thinking about the dangers.

If you got an email message from what appears to be a co-worker saying they found an awesome viral video, or a concert event for an artist you like, you’d probably click on the link without thinking twice.

Think about how much useful information exists about you, your work and the things you like to do on sites such as LinkedIn, Facebook and Twitter. It wouldn’t be hard to craft a personalized message that appears to be relevant.

Remember, with all the things on your computer that can be exploited if you don’t keep it up to date, all it takes is one click of the mouse for a silent attack to occur.

Before you click

Here are my suggestions for sniffing out company-based spear phishing attempts:

  • Read the entire message and pay attention to the salutation, grammar and punctuation before clicking or opening anything; when something seems different from regular communications, be suspicious.
  • Look for the sender’s standard signature at the bottom of the message; if it’s not there, be suspicious.
  • If the message came with a link, don’t click on it — hover your mouse over it to see whether the displayed address and the actual destination match. If they don’t, you’ll know right away that something’s phishy.
  • Go old-school and pick up the phone to ask the person listed as the sender to verify that they actually sent the message. Don’t hit Reply to ask, as that could cause your co-worker to click on the malicious link.
  • Your IT department should set up a Sender Policy Framework (SPF) record for the company domain so the mail server can detect spoofed messages that claim to come from the company but actually originate from unauthorized outside servers.
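The hover check in the third suggestion can also be automated on the receiving side. The following is an added example (not from the column or from Data Doctors) that parses an HTML mail body and flags any link whose visible text shows one web address while the real destination points to a different host; the mail body and the example.com/example.net domains are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Link text that itself looks like a URL or bare domain, e.g. "hr.example.com/benefits".
_URLISH = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#].*)?$", re.I)

def host_of(text: str) -> str:
    """Lowercase hostname of a URL or bare domain ('' if none)."""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html: str) -> list:
    """Return (displayed_text, real_host) for links whose shown URL/domain differs from the href's host."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not _URLISH.match(text):
            continue  # "click here" style text names no host to compare; hovering is still needed
        shown, real = host_of(text), host_of(href)
        if real and shown != real:
            flagged.append((text, real))
    return flagged

# Constructed sample mail body: the first link displays the company HR address but points elsewhere.
SAMPLE = ('<p>Review the <a href="http://login-portal.example.net/hr">'
          'https://hr.example.com/benefits</a> page before Friday.</p>'
          '<p>Questions? <a href="https://hr.example.com/contact">hr.example.com/contact</a></p>')
```

Running `mismatched_links(SAMPLE)` reports only the first link, since the second one's displayed address and destination agree.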

Today’s clever email scams require that you take the “guilty until proven innocent” approach to everything in your Inbox.
