Spear-phishing is a form of email scam where criminals use detailed personal information gleaned from the internet to craft spam messages specifically targeted at the recipient. The use of personal information makes these scams harder to spot than your average phishing scam.
When you think of spam, you might think of a poorly worded message that is easily recognized as fake. But today’s spam messages are often so cleverly crafted that they can fool even the experts.
Imagine you receive an email that is supposedly from your bank. It looks exactly like the messages you usually receive, down to the correct font, logo and wording, and it comes from an email address that at first glance seems legitimate. Would you click on the link?
Many people would. But security specialists recommend against doing so, even if you think it’s genuine, because it’s so hard to tell the real deal from the fakes. Instead, they advise consumers to visit websites directly by typing addresses into the browser. From there, you can log into your accounts to read any messages that may be waiting.
Phishing is not just an annoyance, but a profitable cybercrime. Spam links often lead to lookalike sites that harvest usernames and passwords. Not only does this put consumers at risk of financial fraud and identity theft, it can result in loss of personal data. Access to consumer accounts is highly profitable on the so-called dark web, where personal data is bought and sold.
These generalized scams can be convincing enough. Now, imagine how much more realistic a personalized scam can be. Spear-phishing campaigns take regular phishing one step further by customizing fake messages with precise personal data. This data could come from corporate data breaches, public social media posts, or even tagged images – anything the scammer is able to learn about you from the internet.
Let's take a look at our example spam message, only this time in spear-phishing form. Again, you receive an email from your bank. Not only does this message look legitimate, but it even contains details specific to you. Perhaps it's the last digits of your checking account, or your name, address or phone number. The message claims that you must respond immediately or suffer a penalty. Would you click?
More people are likely to fall for a personalized scam than a generic one. Spammers craft their messages to create a sense of urgency, warning of dire consequences if you don’t click the link right away. Instead of clicking the link, log onto the site directly or call your bank to verify your account status.
If you think your account’s been hijacked, and you can still log into it, change the password right away and disconnect any active logins besides your own. If you can’t access the account, contact site support.
Security experts also advise that consumers set up two-factor authentication whenever possible. Make sure that social media posts are set to “friends” rather than “public.” Avoid memes that encourage you to reveal details that might be used in security questions, such as your pet’s name or your high school.
• Triona Guidry is a computer specialist and freelance writer offering tech support, web design and business writing services. For computer help, visit her Tech Tips blog at www.lightningtechsupport.com.