Anyone who’s spent any time around the internet has probably heard of phishing emails: those really strange messages that try to get you to click a link or reveal personal information about yourself, or that may even go so far as to try to get you to make payments of some kind. They’re usually pretty far-fetched and the grammar is often laughable; thanks to those facets and to public awareness of the problem, most people can recognize a phishing attempt when they see one.

But a new variation on phishing attempts is called spear phishing, and it’s a lot harder to recognize. Spear phishing, given that name because the scammer is targeting you specifically instead of just sending out random “shot in the dark” emails that someone will hopefully fall for, is a lot more likely to be successful if you let it. It works because scammers pay attention to your internet activity and send you requests that look like the real thing, claiming to be from companies you actually do business with.

How are you involved in this process? Scammers can pull off spear phishing attempts based on the information that you share about yourself, as well as other internet behaviors like using the same password for multiple websites. When you post updates to social media, especially about accounts, companies you do business with, purchases you’ve made, and more, you’re handing over vital information that a scammer can use to target you.

For example, clicking a Like button on a retailer’s website may send information to Facebook on your behalf. A new status update appears—one that was auto-generated when you clicked Like—that says, “I just Liked (insert name of retailer or commerce site here).” From that single post, a scammer can then send you an email using the address listed in your Facebook account, telling you that your account at that website has been activated and needs to be updated to complete the registration process. When you receive that email and click the link or enter the data, you just handed over the content a scammer needs to steal your identity. Moreover, when you enter that password on the fraudulent registration, if you’re like far too many internet users, you may have just given the scammer the password you use on other important websites.

You may have also seen status updates from individuals you know that say things like, “I just bought a Bob’s Camp Gear Royal Sierra Ten-Person Polynylon Tent on Amazon.” Why would your friends post something like that? They may not have meant to. Many retailers use this kind of one-click activity as a form of advertising, so when you make a purchase and inadvertently click the offered button, you just informed your social media connections of your purchase. 

But guess what a scammer just saw? You’re going camping, and you have a business relationship with the folks at Bob’s Camp Gear.

Based on that one button you clicked, he can then target you with emails or social media messages that seek to gather information on you. Right off the bat, Bob’s Camp Gear would be a great company to pose as, since you just gave them your information and established an account. All a scammer has to do is say, “There’s a problem processing your order of a Royal Sierra Ten-Person Polynylon Tent.” He has the name of the product you ordered, the knowledge that you ordered it from Amazon, and even a link to the exact product you looked at, all of which was contained in that simple status update you made.

How do you avoid this kind of attack? Once again, it all comes down to oversharing. Make sure that the information you share and the posts you put up on social media websites—including the responses and conversations you have on friends’ social media posts, since you can’t be sure who is seeing those posts besides you—don’t contain specific details about you, your family, or your shopping or financial activity. Keep your internet posts limited to innocuous information, and don’t hand over your personally identifiable information by mistake to someone who could use it against you.

 
