"impersonating a company employee/employer via e-mail to steal colleagues’ passwords/usernames and gain access to the company’s computer system."
"Unlike regular phishing, which sends large numbers of emails to large numbers of people, spear-phishing refers to sending a phishing email to a particular person or relatively small group. Attackers may also heavily customize their spear-phishing emails, using public information gleaned from the Web, to make the emails seem more authentic."
The entity's website and other public information are reviewed to obtain email addresses of employees and clients. The phisher then uses the information derived from the website to create its own emails and even a website, which copies the design of the legitimate institution. The more closely a phisher is able to mimic the look and feel of a particular institution, the more difficult it is for the victim to determine whether a particular communication is genuine. Once a phisher has established the trust of a victim, personal and financial information is requested. Some scams even attempt to mimic a problem with the victim’s account, asking the victim to "log in" to their account, only to have that information stolen by the criminal.
As a general practice, large companies do not request personal information by email, so any email that requests such information should be treated with caution. Additionally, slight, hardly noticeable spelling errors in the "from" field of emails are a strong indicator of a phishing communication. Phishing emails are frequently sent, supposedly from Blizzard Entertainment, requesting customer login information from individuals with "World of Warcraft" accounts. An observant person will notice, however, that these emails usually come from "Blizzad" or "Blizzand" rather than "Blizzard."
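The misspelled-sender check described above can be automated. The following is an added example, not part of the original article: it flags tokens in a "From" header that are within a small edit distance of a trusted name without matching it exactly. The trusted-name list, the distance threshold and the sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

TRUSTED_NAMES = {"blizzard"}  # assumption: brands the organisation expects mail from
MAX_DISTANCE = 2              # assumption: edits tolerated before a token is unrelated


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalikes(from_header: str) -> list[tuple[str, str, int]]:
    """Return (token, trusted_name, distance) for near-miss tokens in a From header."""
    display, address = parseaddr(from_header)
    tokens = set(re.findall(r"[a-z0-9]+", f"{display} {address}".lower()))
    hits = []
    for token in sorted(tokens):
        for name in sorted(TRUSTED_NAMES):
            dist = edit_distance(token, name)
            if 0 < dist <= MAX_DISTANCE:  # exact matches are not lookalikes
                hits.append((token, name, dist))
    return hits


# Constructed sample headers (example.* addresses are placeholders).
SAMPLES = [
    '"Blizzad Entertainment" <support@accounts.example.net>',
    '"Account Team" <noreply@blizzand.example.org>',
    '"Blizzard Entertainment" <noreply@blizzard.example.com>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", lookalikes(header) or "no lookalike token")
```

A correctly spelled brand name sent from an unrelated domain passes this check, so it complements sender authentication (SPF, DKIM, DMARC) rather than replacing it.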
- OECD, Online Identity Theft 8 (2009).
- See Mathew J. Schwartz, "Spear Phishing Attacks On The Rise" (June 8, 2011) (full-text).