Wheaton College Norton, Massachusetts
Wheaton College

Email Fraud! Spear Phishing?

Posted on November 18, 2013

Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.

As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company and generally someone in a position of authority.

Most people have learned to be suspicious of unexpected requests for confidential information and will not divulge personal data in response to e-mail messages or click on links in messages unless they are positive about the source. The success of spear phishing depends upon three things: The apparent source must appear to be a known and trusted individual, there is information within the message that supports its validity, and the request the individual makes seems to have a logical basis.

Here's one version of a spear phishing attack: The perpetrator finds a web page for their target organization that supplies contact information for the company. Using available details to make the message seem authentic, the perpetrator drafts an e-mail to an employee on the contact page that appears to come from an individual who might reasonably request confidential information, such as a network administrator. The email asks the employee to log into a bogus page that requests the employee's user name and password or click on a link that will download spyware or other malicious programming.  If a single employee falls for the spear phisher's ploy, the attacker can masquerade as that individual and use social engineering techniques to gain further access to sensitive data.


  • If you receive such a request and did not share any personal or account information, GREAT... you are safe. If you shared personal or account information through the website or text message, or over the telephone, call your bank or credit card company ASAP and tell them what happened.
  • DELETE these emails ASAP.
  • Always have up to date antivirus/antimalware protection on your computer
  • Make sure your computer’s operating system is up to date
  • NEVER give this information to anyone, especially through EMAIL
  • When in doubt… ask someone! Call Tech Support at 508.286.3900!
  • For more information please read this article in TechRepublic

Comments are closed.