Spearphishing Takes Spam to a New Level

The Ripoff Alert is a new series appearing once each week on Fridays. It alerts you to the latest scams and ripoffs trying to get between you and your money, and gives you information you need to stay safe. This is #16 in the series. 

Are you sure the email you’re about to open is legitimate?

Cybercriminals are ramping up their efforts by assuming the identities of legitimate companies and government agencies. They are deploying specific, targeted email attacks and taking identity theft to a new level in the process.

Criminals are moving away from blasting out millions of generic spam emails asking for your credit card number and are turning to a method that’s proven to be more effective.

By stealing company logos, email addresses and even exact copy from company websites, they’re able to make it appear the email is coming from the actual company. In a previous Ripoff Alert I talked about criminals who had hijacked Facebook’s identity and sent fake emails saying you’ve been tagged in a photo. Facebook isn’t the only victim in this scam; other well-known targets include PayPal, Amazon and even the IRS.

Consumers are used to interacting with businesses on the web and through email, so we don’t think twice about clicking links in emails that look like they come from a well-known business. But if you click a link in these emails, malware is installed on your computer that sits in the background and waits for you to enter sensitive information. It then captures your passwords and sends them back to the criminals.

Getting these emails to look real requires a lot more work than traditional phishing attempts, but the potential payoff is much greater. Just like savvy email marketers, the criminals find ways to personalize the emails.

I found this interesting graphic from Smart Money, which compares traditional spam with spearphishing:

Notice that the “value per victim” is 40 times more with spearphishing. They may spend $8,000 more upfront, but that’s a rounding error compared with their increased profit.

What all of these fake emails have in common is urgency. You must act now or your tax return won’t be accepted, your Amazon order won’t go through, or you won’t be able to see the error Bank of America found with your checking account.

If you’re going to protect yourself online, you need to change the way you think about email. Even if you recognize the company and it’s one you regularly do business or interact with, you cannot continue to mindlessly open the email and click through. You need to stop and ask yourself: Am I sure this really came from the sender?

If you’re even the least bit unsure, find a new way to do what they’re asking. Open a new tab and log into the website yourself. Call the company to see if they really need anything from you. In the case of the IRS, they will never initiate contact with taxpayers through email.
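Some of that "am I sure this really came from the sender?" check can be done mechanically. The Python script below is an added example, not part of the original post: it looks at one raw email for a borrowed brand name, a redirected reply address, a link that shows one site but goes to another, and urgent wording. The brand-to-domain map, the urgency phrases and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Assumption: illustrative brand -> sending-domain map, not an authoritative list.
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "amazon": {"amazon.com"}, "irs": {"irs.gov"},
                 "facebook": {"facebook.com", "facebookmail.com"},
                 "bank of america": {"bankofamerica.com"}}
URGENCY = re.compile(r"\b(act now|immediately|will be (suspended|rejected|cancell?ed))\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="https?://([^/"]+)[^"]*"[^>]*>(.*?)</a>', re.I | re.S)
HOSTNAME = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)

def registered_domain(host):
    # Simplification: keep the last two labels; real tooling uses the Public Suffix List.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def review(raw):
    # Returns a list of reasons to distrust a single-part email given as text.
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = registered_domain(addr.rpartition("@")[2])
    body, flags = msg.get_payload(), []
    # 1. Display name borrows a brand, but the address is not on that brand's domain.
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{re.escape(brand)}\b", name, re.I) and from_dom not in domains:
            flags.append(f"display name claims {brand} but sender domain is {from_dom}")
    # 2. Replies would go somewhere other than the apparent sender.
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and registered_domain(reply.rpartition("@")[2]) != from_dom:
        flags.append("Reply-To domain differs from From domain")
    # 3. A link's visible text names one site while its href goes to another.
    for host, text in LINK.findall(body):
        shown = HOSTNAME.search(text)
        if shown and registered_domain(shown.group(0)) != registered_domain(host):
            flags.append(f"link text shows {shown.group(0)} but points to {host}")
    # 4. Pressure to act right away, the trait these emails have in common.
    if URGENCY.search(body):
        flags.append("urgent call to action")
    return flags

# Constructed sample message (.example domains are reserved for documentation).
SAMPLE = """\
From: "Amazon Orders" <orders@amaz0n-billing.example>
Reply-To: support@payments-desk.example

<p>Your order will be cancelled unless you act now.</p>
<a href="http://login.amaz0n-billing.example/verify">www.amazon.com/your-orders</a>
"""
print("\n".join(review(SAMPLE)))
```

A message that forges the brand's exact domain in the From line passes the first check; that case is what the receiving mail server's SPF, DKIM and DMARC results are for.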

It’s a lesson worth repeating: Think before you click and you’ll stay out of trouble.
