Spear Phishing: how the email scam works and how to defend yourself

In recent weeks, many Italian users have fallen victim to a particularly sophisticated phishing attack. Here is how it is structured and what you risk.

In Italy, too, reported cases of "spear phishing" are increasing: a new, very advanced form of phishing that aims to induce the victim to install malicious software or to hand over sensitive data and access credentials. Spear phishing is essentially personalized phishing: the scam emails appear to come from our co-workers and closely mimic the appearance of the real, legitimate business emails we receive every day. Falling into the trap, if you are not very careful, is therefore easy. And that is not all: the scam is so well thought out that it very often starts with a completely harmless email, sent only to capture the attention and trust of the victim. Only then comes the dangerous message, containing infected attachments or links to malware-laden sites.

The jargon used in these messages is the one typical of companies: "Urgent request", "For the attention of..." and so on. The body of the email, finally, refers to real (or at least credible) business processes, such as the approval of a document or a notice of a payment deadline.

How to defend yourself against spear phishing

Spear phishing requires an extra dose of attention compared to classic phishing. If we have even the slightest doubt that the message may be hiding a scam, it is useful to contact the colleague who supposedly sent it (in reality the source address is not theirs) through another channel to get confirmation: a phone call, a text message or a WhatsApp message is enough.

As for the source address of the scam message, it almost always imitates a real address of a colleague or of an office of the company or organization being targeted: so check the domain of the sender's address for imitated characters, such as a zero in place of an O. If there are links in the body of the message, always check which domain they point to before clicking. If they are shortened links, the probability that they are malicious is very high. Pay maximum attention to attachments as well: a virus can hide inside a compressed file, or even inside a jpg image.
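The three manual checks above (look-alike characters in the sender's domain, the domain behind each link and shortened links, risky attachment types) can be turned into a small triage script. The following is an added example, not code from the original article: it assumes a hypothetical company whose only legitimate domain is example-corp.com, and the shortener list and sample message are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed: the domains this hypothetical company treats as its own.
TRUSTED_DOMAINS = {"example-corp.com"}

# Illustrative, not exhaustive: hosts of common URL shorteners.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# File types the article singles out (archives), plus anything carrying a
# double extension such as "scan.jpg.exe", which is an image only in name.
RISKY_EXTENSIONS = {".zip", ".rar", ".7z", ".iso", ".img"}
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|png|pdf|docx?|xlsx?)\.[a-z0-9]{2,4}$", re.I)

# ASCII characters often swapped for the letters they resemble (0 for O, 1 for l, ...).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e", "8": "b"})

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def skeleton(domain: str) -> str:
    """Collapse a domain to a shape-based skeleton so that 'examp1e-c0rp.com'
    and 'example-corp.com' compare equal. Two-letter pairs that mimic one
    letter (rn -> m, vv -> w) are folded as well."""
    s = domain.lower().translate(CONFUSABLES)
    return s.replace("rn", "m").replace("vv", "w")


def is_trusted(domain: str) -> bool:
    """Exact match or a subdomain of a trusted domain (mail.example-corp.com)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' (equal to a trusted domain only after
    skeletonising), 'non-ascii' (possible Unicode homoglyphs) or 'external'."""
    if not domain.isascii():
        return "non-ascii"
    if is_trusted(domain):
        return "trusted"
    sk = skeleton(domain)
    if any(sk == skeleton(t) or sk.endswith("." + skeleton(t)) for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "external"


def sender_domain(from_addr: str) -> str:
    """Extract the domain part of a From header such as 'Name <user@host>'."""
    m = re.search(r"@([^\s<>]+)", from_addr)
    return m.group(1).lower() if m else ""


def analyze_message(from_addr: str, body: str, attachments=()) -> list:
    """Apply the article's checks to one message and return (finding, detail)
    pairs. An empty list means nothing was flagged, not that the mail is safe."""
    findings = []

    sdom = sender_domain(from_addr)
    kind = classify_domain(sdom)
    if kind != "trusted":
        findings.append((f"{kind}-sender-domain", sdom))

    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(("shortened-link", url))
            continue
        kind = classify_domain(host)
        if kind != "trusted":
            findings.append((f"{kind}-link-domain", host))

    for name in attachments:
        lower = name.lower()
        if DOUBLE_EXT_RE.search(lower):
            findings.append(("double-extension-attachment", name))
        elif any(lower.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(("archive-attachment", name))

    return findings


if __name__ == "__main__":
    # Constructed sample message: zero for O in the sender, 1 for l in a link.
    SAMPLE_FROM = "Mario Rossi <m.rossi@example-c0rp.com>"
    SAMPLE_BODY = (
        "Urgent request: approve the attached document by today.\n"
        "Portal: https://examp1e-corp.com/approve/1234\n"
        "Short link: https://bit.ly/3abcXYZ\n"
    )
    SAMPLE_ATTACHMENTS = ["Richiesta_urgente.zip", "scan.jpg.exe"]
    for finding, detail in analyze_message(SAMPLE_FROM, SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(f"{finding:32s} {detail}")
```

The skeleton comparison deliberately over-matches (any "rn" becomes "m"), because the cost of a false alarm here is a phone call to a colleague, while a miss is a compromised mailbox; a message that produces no findings still deserves the confirmation step described above whenever its content looks unusual.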

Finally, never trust messages in which we are asked for personal data: our company already has them, and a third-party company has neither reason nor right to ask for them.