Consumer Advocate

November 2014

Don’t Get Caught in a ‘Spear Phishing’ Scam

The next time you check your email inbox, look carefully — it might contain a targeted message that a con artist designed just for you.
In a typical phishing scam, a con artist pretends to be an employee of a bank or a government agency and asks you to confirm account information by submitting your bank account number, password, or Social Security number. The scammer hopes you will fall for the scam and reveal personal information.
Spear phishing is a more targeted form of this scam. Instead of sending a general message asking for verification of account information, the scammer crafts a targeted message, using information they have learned about you.
A common way that scammers obtain the information needed to conduct spear phishing campaigns is through data breaches. For example, if a large retailer suffers a data breach, the scammer may use the information obtained in the breach to later target that retailer's customers in a spear phishing attempt.
After obtaining the information, the scammer might send consumers an email that appears to be from the retailer that was breached, stating that the customer must resubmit his username, password, and other personal account information. Although the email appears to be from the retail store and even uses official-looking logos, the email is actually from a scammer who knows customers will be more likely to open the email if it appears to be coming from a trusted company with whom they have an existing relationship.
Spear phishing can also result from the hacking of consumers’ personal email accounts. For example, a scammer may hack into e-mail accounts and find information about those consumers’ financial planners and investment accounts. The scammer then sends e-mails to those financial planners (using the consumers’ personal e-mail addresses) and asks the financial planners to transfer thousands of dollars to another account. If the financial planners comply with the request, consumers’ money will be lost.
In order to make a spear phishing scheme seem legitimate, scammers need some inside information. They may obtain information by hacking into a computer network or by finding information online through social networking sites, blogs, or other websites. With this information, they can send realistic e-mails to potential victims.
To avoid spear phishing scams, follow these tips:
• Create complex passwords. Use a variety of characters and make your passwords lengthy.
• Do not use the same password for multiple accounts. For example, do not use the same password for your e-mail account and your online banking account. Create a unique password for each account.
• Keep your security software up to date and use a phishing filter, if possible. A phishing filter works to detect whether your browser is visiting, or is about to visit, an illegitimate website address.
• If your e-mail account is hacked, contact your e-mail provider. If the hacker may have gained access to your personal information, contact the appropriate organizations, such as your bank.
• Do not share too much information online. Be mindful of the information stored in your e-mail account and how much sensitive information you transmit via e-mail or social networking.
• Think before you click. When in doubt, do not click on links contained in e-mail messages or pop-up messages.
If you suspect a scam or unfair business practice, report it to the Ohio Attorney General’s Office at or 800-282-0515.