
CUs Must Remain Vigilant to Avoid Spear-phishing Scams, Saylor Says
Wednesday, July 24, 2013 5:40 AM

Most likely you’re all too familiar with scams like phishing, vishing and smishing, but what about spear phishing? According to a recent FBI warning, many industries are now being targeted by well-tailored spear-phishing scams. Mike Saylor, vice president of technology for the Cornerstone Credit Union League, shares his insight on spear phishing with Leaguer readers.

Question: What is spear-phishing?
Saylor: Spear phishing is a focused phishing attack. Imagine that traditional phishing attacks are like throwing a net into the water with the hope that something is caught. The nature of this approach is very broad and unsophisticated. Now imagine that you can see your prey, you know what type of fish it is, how it moves and behaves and you are using a spear instead of a net. Spear phishing is just that, a targeted approach to attempting to fool a specific company or specific individuals within the company.

Traditional phishing emails may be sent to hundreds of people and purportedly from agencies like the FBI issuing a subpoena notice, for example. Most likely, the majority of e-mail recipients are not involved with or concerned about pending litigation, so the scam may not have great success. Now consider the same fake subpoena notice being sent to the chief legal counsel at a company recently featured in the news as being part of some sort of legal action. The chief legal counsel will likely open this fake email.

Question: Who are prime targets of spear-phishing?
Saylor: Spear phishing is an email attack that targets specific companies and/or specific individuals within target organizations that attackers believe will result in a high probability of response. Response varies from simply opening the email, which may be infected with malware, believing the email and establishing some level of legitimacy for future emails, and/or getting the reader to click a link that will take them to a malware infected website.

Question: What are the fraudsters after?
Saylor: The fundamental purpose of all phishing attacks is to obtain information, either through communication with the target or by capturing a user’s keystrokes after infecting them with malware.  Primarily, they are after passwords so they can gain access to your company’s data, but targets could also include your email contacts in the event you are just a stepping stone to their true target.

Question: Is this a relatively new scam? Has it evolved from phishing and vishing?
Saylor: Spear phishing is not a new attack and several security organizations (e.g. Symantec and the Anti-Phishing Working Group) track reported occurrences. In 2012, for example, one in every 414 emails (approximately 39 billion emails globally) was a phishing attempt, according to Symantec’s 2013 Internet Security Threat Report. Spear phishing did evolve from mass phishing attacks, as attackers became more focused on specific targets and specific objectives.

Question: What can credit unions do to protect themselves, their staff and members from spear phishing?
Saylor: Credit unions must remain diligent when opening their emails, opening attachments, and clicking links contained in emails. Spear phishing emails look very legitimate but there are a few telling signs that they are fake. Here’s what to look for:

  1. Look at the sender’s email address, not just the name but the actual email address. Is it related to the subject of the email?
  2. Grammar and spelling mistakes. Legitimate organizations will make sure that emails look professional and are written in the language of their customers.
  3. Do not click on the link contained in an email. The displayed text of a link can be manipulated to fool you. It may say, but actually take you to
  4. Does the email make threats like your account will be disabled or you will be sued, etc.?  Legitimate companies will ask you to contact them to have this type of discussion.

Contact information should be questioned.  Always use the contact information you have or can obtain from the company’s website.  This may take a few extra minutes, but it is worth being safe.
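The checklist above can be applied mechanically to a message before anyone reads it. The script below is an added example and is not code from the Leaguer article or the Cornerstone League: it parses one raw email with Python's standard library and reports which of the signs it shows, namely a display name that has nothing to do with the real sender address (check 1), a link whose visible text names one site while its target points elsewhere (check 3), and threatening language (check 4). Both sample messages, every domain in them, the list of threat phrases and the "last two labels" domain comparison are constructed assumptions for illustration, not data from the article.

```python
"""Apply the spear-phishing checklist to one raw email message.

Added example, not code from the article. Sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims a credit union, but the address
# and the link target belong to an unrelated domain, and the text threatens.
SUSPECT_EMAIL = """\
From: "Acme Federal Credit Union" <alerts@mail-secure-login.example.net>
To: jane.doe@acmefcu.example
Subject: Your account will be disabled in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear member, we detected unusual activity. Your account will be disabled
unless you verify it now.</p>
<p><a href="http://verify.mail-secure-login.example.net/login">
https://www.acmefcu.example/online-banking</a></p>
</body></html>
"""

# Constructed benign sample: address and link agree with the organisation.
BENIGN_EMAIL = """\
From: "Acme Federal Credit Union" <news@acmefcu.example>
To: jane.doe@acmefcu.example
Subject: Monthly newsletter
Content-Type: text/html; charset=utf-8

<html><body><p>Rates were updated this month.
<a href="https://www.acmefcu.example/rates">View rates</a></p></body></html>
"""

# Assumed phrase list; tune it to the threats your organisation actually sees.
THREAT_PHRASES = ("will be disabled", "will be suspended", "will be sued",
                  "legal action", "within 24 hours")
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect [href, visible text] pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def registered_domain(text):
    """Crude comparison key: the last two labels of the host in a URL or domain."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return ".".join(host.split(".")[-2:]) if host else ""


def check_message(raw):
    """Return (check number, detail) findings for one raw message; [] if none."""
    msg = message_from_string(raw)
    findings = []

    # Check 1: look at the real address, not the display name. Flag a display
    # name none of whose words appear in the sender's domain.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.rpartition("@")[2])
    words = [w for w in re.findall(r"[a-z]+", name.lower()) if len(w) > 3]
    if words and not any(w in sender_domain for w in words):
        findings.append((1, f"display name {name!r} but address domain {sender_domain!r}"))

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")

    # Check 3: visible link text naming one site while the href goes elsewhere.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown = text.strip()
        if LOOKS_LIKE_URL.match(shown) and registered_domain(shown) != registered_domain(href):
            findings.append((3, f"link shows {shown!r} but goes to {href!r}"))

    # Check 4: threats of account closure or legal action in subject or body.
    plain = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [p for p in THREAT_PHRASES if p in plain]
    if hits:
        findings.append((4, "threatening language: " + ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, check_message(raw) or "no signs found")
```

Run as-is, the suspect message produces one finding for each of checks 1, 3 and 4 and the benign one produces none. Check 2 (grammar and spelling) is left to the reader, since it is not something a short heuristic does reliably, and a message that passes all of these checks still deserves the manual contact-information verification the answer ends with.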