How to stop spear phishing attacks dead in their tracks

Phishing is one of the most common forms of cyberthreat on the internet today.

Regular phishing attacks are broadly applicable attacks – like a wide net that catches whatever it scoops up. With regular phishing attacks, criminals go after many email accounts by using generalized messages containing fraudulent or misleading language designed to trick the recipient into divulging sensitive information or downloading malicious executable software.

On the other hand, spear phishing is very targeted. 

The attack is personalized because it’s intended to affect just one specific individual or business. While phishing is usually conducted via email or social media, spear phishing might go so far as to include phone calls and text messaging. 

What you can do to defend yourself

Fortunately, there are several simple ways you, your employees, and your clients can defend yourself from phishing attacks.

Look at the email address

Cybercriminals try to sneak phishing emails in your inbox by disguising them as a trusted source. By looking at the full “Sender” address (as opposed to just the “From” field), you can usually determine when an email is fraudulent.

For example, if an email that appears to be from Amazon based on the “From” field has something like “” in the “Sender” field, you can be pretty confident it’s not a legitimate communication. 

Unfortunately, they’re usually not that obvious. A common trick is to use the trusted source’s name with a slight misspelling—like in the example above. Did you notice that “Amazon” was spelled incorrectly? 

That’s how they do it.

Look for incorrect email addresses, suspicious misspellings, and foreign domain signifiers. Though, it’s worth noting that this won’t work 100% of the time. Through a process known as “spoofing”, criminals can actually disguise their sender field to seem completely legitimate, with no mistakes.

That’s why you need more than just one step.

Keep reading: How to Protect Your Small Business from Cybercrime

Be suspicious and investigate 

Before you click on that email link, ask yourself if there’s anything suspicious about it.

Do they misspell the brand name? Are you about to click on a link that’s not part of the usual process? If the link is hidden by text or an image, hover your mouse over the link and check to see if the popup or info bar shows a valid website.

Always be suspicious of links that lead to sites that don’t appear to be hosted in your country. 

If you’re unsure of a legitimate email or link, reach out directly to the contact via phone and double-check. It only takes one breach for the situation to get ugly.

Check your online accounts regularly

If you think a fraudulent email may have slipped by you, it’s not a bad idea to pay a visit to your online accounts to make sure there has been no suspicious activity. (You should do that periodically regardless.)

Some things to look out for are unexplainable bank transactions (these are usually small so they aren’t immediately noticed), unauthorized purchases or services, and changes to your personal information, including your passwords.

Criminals may use that information in the future. They can lie in a “dormant” state on purpose to get you to lower your guard… and then strike when things are calm again.

Use antivirus software

Running virus scans seems like a tedious, annoying chore, but it’s much better than repairing the damage malware can wreak on your computer. A little prevention goes a long way.

Related to security: 6 things a good IT security policy should include

Make sure your antivirus software has been kept up to date with the latest information. Ensure that your most thorough scans happen at night so that they don’t interrupt day-to-day operations with slowdowns.

Keep your systems and software up to date

Every year we hear news about security holes being discovered in major programs and systems software. Word gets around concerning these security holes and cybercriminals won’t hesitate to take advantage of them.

Take the time to update your software whenever the option becomes available. 

Verify site security

Not all attacks come to you. Some lay in waiting.

On occasion, a website’s security is breached and cyberattackers build a false front page in order to skim your personal information as you log in. Which is why many important websites such as banks and utilities offer a two-step verification process.

GlobalSign has a great “how to spot a phishing website” blog post that’s worth a read, too.

Take note of any unexpected problems during this two-step verification. Also check the URL toolbar to make sure the start of the line reads with “https:” and that there is a closed lock icon present. 

This will assure you that your connection is secure.

Be very wary of direct phone contacts regarding your accounts

Make sure you’re calling them, and not the other way around.

Microsoft or Apple will never contact you by phone to let you know about a problem with your account. Those calls are almost always spear phishing attempts. If your bank or service utility calls, thank them, then hang up and call them back at an official number unless you know for sure who you are talking to and why.

That goes for text messages, too. 

Many people manage their personal cell phone payments through text messaging with the service provider. Make sure these are official messages sent from the actual provider. 

How can 3Points help you?

If you’re still unsure of how to defend against these attacks, it’s never a bad idea to consult with security professionals. We can help secure your network with robust monitoring and security services to reduce the chances of those cyberattacks ever making into your network.

If you have any questions about phishing or cybersecurity in general, don’t hesitate to contact us.