"After three unsuccessful attempts to access your account, your Online Profile has been locked. This has been done to secure your accounts and to protect your private information. You may unlock your profile by going to: ..."
Sounds like a normal phishing e-mail, right? But what if the e-mail seemed to come from the head of IT at your small business, warning about your company account? Would you click the link?
Today's phishers hope so. In fact, the excerpt above didn't appear in the usual global barrage of e-mail sent out to catch recipients with eBay or PayPal accounts. Instead, it went exclusively to students and faculty of the University of Kentucky as part of a directed, or "spear-phishing," attack against the small, 33,000-member university credit union this May. Another widely reported incident involved an Israeli company that used spear-phishing techniques to install spyware on PCs at the office of one of its competitors.
According to Peter Cassidy, secretary general of the Anti-Phishing Working Group, spear phishers act much like marketers, crafting a message and then directing it to just the right people.
These targeted attacks make better use of social engineering to trick people who are tuning out the widespread spam of typical phishing attacks, Cassidy says, but who might not expect an e-mail aimed at a smaller company or organization.
Expect it: According to IBM's Global Security Index report, intercepted spear-phishing attempts exploded from a mere 56 instances in January to more than 600,000 cases in June.
Be skeptical: No matter who the e-mail is from, if it concerns account information, don't trust it outright.
Make a phone call: If you receive an e-mail you find suspicious in any way, call the named organization.
Don't click suspect e-mail links: Instead, navigate to the company's home page on your own.
Try the NetCraft toolbar: This antiphishing utility can warn you of suspicious sites.
See the Complete Special Report
The New Security War: In this Special Package
Best Defenders and Spy Sweeper Leads the Field (chart)
The Hidden Money Trail
Privacy in Peril
Is the Net Doomed?
Threat Alert: Spear Phishing
Threat Alert: Antivirus Killers
Threat Alert: Instant Messaging Attacks
Security by the Numbers
More Security Resources on the Web
Also See Our In-Depth Online Series
Web Of Crime