Phishing/Spear phishing
What is "Phishing"
Phishing attacks are a means of persuading potential victims to divulge sensitive information such as credentials, or bank and credit card details. They involve a combination of social engineering and deception. The attack usually takes the form of spam mail, malicious web sites, email messages, or instant messages that appear to be from a legitimate source such as a bank or a social network. The attackers often use scare tactics or urgent requests to entice recipients to respond. These fraudulent messages are usually not personalized and may share similar generic properties.
What is "Spear phishing"
Spear phishing is a more sophisticated and elaborate version of phishing. It targets specific organisations or individuals, and seeks unauthorized access to confidential data. Just like in standard phishing, spear phishing attacks impersonate trusted sources. Moreover, the attacks are personalised, and tactics such as sender impersonation are used.
Attackers may use public information found on social media sites such as LinkedIn or Facebook to personalize their message or impersonate users, so that the spear phishing email is plausible enough that the targeted users feel compelled to react to it.
Recognising phishing
(Spear) phishing takes the form of unsolicited, bold messages: they can seem too good to be true, or are simply unexpected. Be wary of any unsolicited message about online accounts. The language is often overly formal, or full of spelling errors.
Reacting to phishing
Never answer a message that appears to be phishing. Instead, contact your bank, the web site, or your IT department yourself. In all cases, never follow links from an unsolicited message; use bookmarks or type the web site's address yourself. When in doubt, ask a professional.