
How to avoid getting stung by a spear phishing scam

Data breaches at major firms are becoming an increasingly common phenomenon these days, frustratingly for users who may have their personal details, passwords and other secure data stolen through no fault of their own.

One thing that hackers can do with such stolen information is use the wealth of personal data they’ve got hold of to create a phishing email which is much more convincing – it’s more believable because it contains, say, your name and address. This kind of directed attack is known as “spear phishing,” and is also becoming more common. Here’s what you can do to avoid getting speared and fooled into revealing even more vital data, such as your credit card number.

Eternal vigilance

Vigilance is the key to staying safe from a spear phishing attack. Don't let the presence of familiar personal information in a message lull you into a false sense of security. Here are some examples:

Just because a message includes your home address doesn't mean it's valid. In fact, legitimate mail from a bank or vendor generally shouldn't include this information, unless it's a notification of shipping to that address. You might be surprised how easy it is to get anyone's home address using readily available tools.

Similarly, the presence of your home phone number in a message means nothing. In addition to people-lookup websites, there's always the phone book.

Only the vendor knows your website password, right? So a message containing the password and a warning to change it must be valid? Wrong! A legitimate vendor would never send your password in email.

An email message containing your national insurance number (or the last four digits) should be scrutinised carefully. That information isn't terribly hard to obtain, and once again a legitimate sender wouldn't expose it in an email.

The fundamental things apply

The main point is, you shouldn't automatically trust any email message. Here are some fundamental rules that apply even to messages that look legitimate because they already contain some of your personal information:

Don't click links in email purportedly from your bank. If the message warns of an account problem that needs your attention, launch your browser and go directly to the bank's site.

If you're at all suspicious of a link in an email message, hover the mouse over the link, and check the destination URL. A link URL that doesn't match the link's stated destination is a big red flag.

Pay attention to the URL in the browser's address bar. Many phishing sites don't even try to use believable URLs. Others use warped versions of the true URL. If the URL looks wrong, leave the site and enter the real URL by hand.
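The "hover and check the destination" advice above, written out as a small check, is an added example and not part of the original article. It compares a link's visible text with its real href and flags mismatches and lookalike hosts; the function names, the short suffix list and the sample links are all assumptions constructed for the example.

```javascript
// Added example (not from the article): compare an email link's visible text
// with its real href and flag mismatches and lookalike hosts.
// Uses only the standard URL parser, so it runs in Node or a browser.

// Known second-level suffixes so that "mybank.co.uk" is treated as one domain.
// Assumption: a small set rather than the full Public Suffix List.
const SECOND_LEVEL = new Set(["co", "com", "org", "net", "gov", "ac", "edu"]);

// "login.example.com" -> "example.com"; "www.mybank.co.uk" -> "mybank.co.uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  const tld = labels[labels.length - 1];
  const n = labels.length >= 3 && tld.length === 2 && SECOND_LEVEL.has(labels[labels.length - 2]) ? 3 : 2;
  return labels.slice(-n).join(".");
}

// If the visible link text itself looks like a URL or host name, return the host it
// claims; for text such as "Click here" return null (nothing is claimed).
function hostFromText(text) {
  const t = text.trim();
  const scheme = /^[a-z][a-z0-9+.-]*:\/\//i;
  const bare = t.replace(scheme, "");
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+(?=$|[/:?#])/i.test(bare)) return null;
  try { return new URL(scheme.test(t) ? t : "https://" + t).hostname; } catch { return null; }
}

// Compare what a link says with where it goes. verdict is one of
// "ok", "mismatch", "lookalike" (the real brand name buried inside another host)
// or "opaque" (the text claims nothing, so the reader must hover to see the host).
function checkLink(displayText, href) {
  let target;
  try { target = new URL(href); } catch { return { verdict: "opaque", reason: "href is not a valid URL" }; }
  const claimed = hostFromText(displayText);
  if (claimed === null) {
    return { verdict: "opaque", reason: "text names no destination; link goes to " + target.hostname };
  }
  const claimedDom = registrableDomain(claimed);
  const targetDom = registrableDomain(target.hostname);
  if (claimedDom === targetDom) return { verdict: "ok", reason: "same registrable domain" };
  const brand = claimedDom.split(".")[0];
  if (brand.length >= 4 && target.hostname.includes(brand)) {
    return { verdict: "lookalike", reason: target.hostname + " imitates " + claimedDom };
  }
  return { verdict: "mismatch", reason: "text says " + claimedDom + " but link goes to " + targetDom };
}

// Constructed sample links (visible text, real href) as they might appear in a message.
const SAMPLE_LINKS = [
  ["https://www.example.com/account", "https://login.example.com/session"],
  ["www.mybank.co.uk", "https://mybank.co.uk.account-verify.test/login"],
  ["Click here to verify", "https://evil.test/x"],
];
for (const [text, href] of SAMPLE_LINKS) console.log(text, "->", checkLink(text, href));
```

The two-label rule plus the small suffix set is a simplification; a mail client doing this for real would use the Public Suffix List.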

Don't register your details. Yes, you can save time on some vendor websites by registering with your credit card and other personal details, so you can use them next time. But that puts your data at the mercy of any hacker who breaches the vendor's security.

Use a password management tool. An app such as LastPass will store all your login credentials. The utility will automatically fill in your credentials at the correct website, but not at a fraudulent copy of the site.

Install a security suite that includes effective phishing protection. You should have a decent security solution on your machine – Kaspersky and Bitdefender both score well in terms of phishing protection (and general protection, for that matter).

Data breaches give the bad guys ammunition for phishing attacks. Phishing attacks in turn can cause new data breaches. It's a vicious cycle that will only stop when all of us start paying attention.