Phishing is the process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters. Emails claiming to be from popular social websites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It is a form of criminally fraudulent social engineering.
Spear phishing attacks, on the other hand, are not typically initiated by a random hacker. Spear phishing is an email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. The hacker uses a deeper knowledge of the potential victims to target them, and that approach allows them to tailor the attack. Spear phishing is more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.
Unlike mass phishing emails which may be trying to distribute ransomware or gather individual login credentials to make a quick buck, spear phishers are normally after confidential information, business secrets, access to bank account data, etc. The spear phisher has the same goal as normal phishing, but the attacker first gathers information about the intended target. This information is used to personalize the spear phishing attack. These emails are more targeted, convincing, and harder to detect than regular phishing emails. The attacker knows exactly who and what they are targeting. By limiting the targets, it is easier to include personal information like the target’s first name or job title. This makes the malicious emails seem more trustworthy.
The success of spear phishing depends upon three things:
- The apparent source of the message must appear to be a known by the target and trusted individual within the company.
- There is information within the message that supports its validity.
- The request by the individual seems to have a logical basis.
The email recipient should learn to be suspicious of unexpected requests for confidential information and avoid divulging personal data in response to emails. Also, they should avoid clicking on links unless they positively know about the source.
Recently an association Administrator received an email via her iPhone allegedly from the President of the association that directed the Administrator to pay a vendor. The content of the email advised, “It will be necessary to take care of a payment to a vendor, today. I will forward you the vendor’s information for making the payment.” The administrator asked for the coordinates of the bank to process a wire transfer. She received the details for the transfer of funds with the account holder’s number and the wiring instructions for the transfer of funds. The Administrator had training regarding spear phishing and reported the information to the bank and law enforcement.
An investigation of the email headers followed and revealed fraudulent activities, and the owner of the bank account was to receive the payment and then transfer the funds less 25% to an account in Nigeria.
Beware of these signs: 
- If you get an email from someone, but you do not recognize the email address of the sender, be cautious.
- If the email is from someone outside your organization and is not related to your activities, be cautious.
- If the mail is from someone inside your organization, a customer, vendor, or superior, and it is out of character or unusual, be cautious.
- If the email is from a suspicious domain, be cautious.
- If the email is from someone you do not have a business relationship with and they are asking for sensitive information or a payment of money, be cautious.
- If the email sender is not personally known by you, be cautious.
- If the email contains misspelled words, improper verb tense, has embedded hyperlinks, misspelled hyperlinks, or attachments from someone unknown to you, be cautious.
The moral of the story is that the Internet is a vast area being patrolled by thieves that will take advantage of individuals or organizations and make a simple transaction seem to be authentic. Avoid being spear phished and be cautious, before they take your money and abscond with it. Always be alert, and if the transaction “seems to be too good to be true, it generally is,” so check into transactions more fully before giving up your money. After all, it is yours.
The above matters are common and could prove costly to clients. They must be approached properly with an attorney and a financial investigator. If you or your client wants to be proactive to avoid these and other types of fraud that requires an investigation by a licensed investigator, please contact Chief Investigator Edmond Martin of Sage Investigations, LLC at 512-659-3179, or email: firstname.lastname@example.org. Let our 26 years as an IRS Special Agent and 16 years of Private Investigation benefit you and your clients. Please visit our website for our team and their CVs.