This story has been sourced from Hindustan Times.
On November 18, a businessman from Powai, Mumbai, received an email that looked like it was sent by a close friend. In the email, the friend said that he was stuck somewhere and needed an urgent loan of ₹5.8 lakh transferred into his bank account. Believing the email to be genuine, the businessman did as he was told. Later, when he called his friend to confirm the transfer, he realized that he had been robbed.
An FIR has been filed with the local police station. The police officer investigating the case told HT: “The fraudster did not give any specific reason for the loan. He just said that he was in urgent need of it.” When asked if the friend’s email id had been hacked into or a similar duplicate id had been created for the fraud, the officer said: “We are not aware of this. We are taking the help of cyber police officials for it.”
This incident is a classic case of what is known as spear phishing.
What is phishing?
Phishing is a fraudulent activity in which a fraudster tries to trick people into revealing sensitive and confidential information such as credit/debit card numbers, bank account details, login IDs and passwords. When a phishing attack is targeted at a specific person or organization, it is known as spear phishing.
How do most spear phishing attacks work?
• A scammer first gathers specific details about the target, such as who their friends are, where they live, their employer, their location, any online stores they recently visited, etc.
• Using these details, the scammer poses as a trustworthy entity and sends personalized emails to the target. Spear phishing emails are highly targeted because they contain information that pertains only to the victim they are sent to.
• These emails might contain a link to a fake website, an attachment hiding a virus, or simple instructions like the ones in the case of the Powai businessman.
How to protect yourself from spear phishing attacks?
• Avoid posting your personal information online. If you do, ensure it is visible only to people you trust.
• Never respond to emails that carry a sense of urgency and ask you to take an action like clicking on a link, downloading an attachment or calling a phone number.
• If you receive an email that sounds urgent or important, call up the sender and verify the situation first – just like what the Powai businessman should have done in his case.
• Be extra cautious with emails that talk about money or your bank accounts.
• Use an antivirus that automatically restricts access to phishing websites.