Hackers Go Phishing, Not Fishing

By: Roland Guillen - Partner
Warren G. Bender Co.

Imagine the following:

  • During tax season, your accounting clerk opens an email asking: “Please send me W-2s for all employees in the production department. I need this info ASAP. Thank you very much!” The name on the email is the comptroller’s, so the clerk sends the information. But the email was not from the comptroller – it was actually from a cybercriminal, and the W-2s are now for sale on the dark web.
  • A cybercriminal took the identity of one of your customers, placed an order with you, and you shipped the order. Before shipping the order, you finalized payment terms, requested updated banking references and confirmed the shipping address. The goal of the hacker was to get the products delivered to their address without paying for them.

With every cyber-attack, it becomes increasingly clear that no one is safe from data breaches or cyber extortion. Whether you are an employer that stores proprietary data or an individual with financial and personal information at risk, hackers won’t rest until they have what’s yours. And their tactics continue to evolve.

Cyber criminals have a variety of tools and techniques at their disposal, including malware, ransomware and distributed denial-of-service attacks. One of the most common and difficult-to-spot strategies hackers use is phishing scams, which require minimal technical know-how and can be deployed from anywhere in the world via a simple email.

In broad terms, phishing is a method cyber criminals use to gather personal information. In these scams, phishers send an email or direct users to fraudulent websites, asking victims to provide sensitive information. These emails and websites are designed to look legitimate and trick individuals into providing credit card numbers, account numbers, passwords, usernames or other sensitive information.

With every opened email, users risk becoming the victim of monetary loss, credit card fraud and identity theft. What’s more, successful phishing attacks oftentimes go unnoticed, which increases the risk of large and continued losses, particularly for businesses.

Phishing is becoming more sophisticated by the day, and it’s more important than ever to understand the different types of attacks, how to identify them and preventive measures you can implement to keep your company safe.

Phishing vs. Spear Phishing

Often, the terms phishing and spear phishing are used interchangeably. However, there is a key distinction between these two types of attacks, and it’s important to have some basic knowledge.


Phishing is a general term that refers to any cyber-attack where a hacker disguises themselves as a trusted source in order to acquire sensitive information. Typically, under traditional phishing attacks, hackers send fraudulent, malicious emails to as many people as possible. It’s not unusual for phishing attacks to target thousands of individuals at once in the hopes of netting just a few victims.

Phishing attacks take a quantity over quality approach. Despite the randomness of the attacks, phishers can gain highly sought information on their victims through mass, easy-to-reproduce emails. The goal of these emails is to compromise data or a larger network through the greatest cyber security vulnerability of all—users themselves. Effectively, instead of going through the hassle of breaking strong, digital defenses, hackers use phishing attacks to trick someone into giving them access to a network or data.

To fool the victims, attackers customize phishing emails to make them appear legitimate, sometimes using logos or dummy email accounts to improve the effectiveness of the attack. Usually, phishers will pretend to be a trusted source, like a hospital, bank or employer. The phishing message will likely include alarming or suggestive language to fool victims into:

If a victim does any of the above, the hacker can infect their computer and steal sensitive information, often without having to use a single line of code.

Spear Phishing

While phishing attacks are effective, they are designed to be broad and affect as many individuals as possible. As a result, they are generally written vaguely and are easy to spot. Spear-phishing attacks are much more convincing, targeted and sophisticated.

With spear phishing, cyber criminals narrow down the scope of their attack to a smaller group, sometimes just a handful of individuals. By doing this, hackers can do research and make the phishing email much more convincing based on a victim’s profile or online activity. Malicious hackers can find most of the information needed to carry out a spear-phishing attack right on the internet, particularly on company websites and social networking sites. It’s not uncommon for phishers to use a target’s personal information (e.g., name or address) or the personal information of their friends, family and colleagues as leverage in an email.

Because spear-phishing attacks are highly customized, they are far more likely to succeed than traditional phishing attacks. What’s more, spear-phishing attacks often have specific goals. For instance, a phisher may target certain individuals based on whom they work for, the type of information they have access to or their financial status.

Spotting an Attack

When it comes to identifying phishing scams, it’s better to be overly cautious. While recognizing fraudulent emails and websites can be difficult, depending on the type of attack and the creativity of the phisher, the following are some questions to ask yourself whenever you receive a suspicious email:

  • What time was the message sent? You can tell a lot about the authenticity of an email based on when it was sent. For instance, an email sent at 3 a.m. would raise more flags than one sent during normal business hours.
  • Do I know the sender? It’s a good idea to look closely at who sent a particular email. Ensure that the “From:” field matches the sender’s name. If an individual claims to know you and you don’t recognize them, chances are the email is spam.
  • Do the URLs match up? Advanced phishers create fake domains to mimic larger, more established companies. For instance, a cybercriminal may send you an email hoping to redirect you to a phishing website. This website will have a convincing URL that’s only slightly different from the original website, like www.bestbuy1.com or www.1target.com.
  • Does the content match the subject? Read the email carefully. If the subject line is vague or does not seem to relate to the body copy of the email, it could be a fake. Subject lines may appear aggressive or urgent. Many times, these subject lines are written with strange capitalization and punctuation. The following were the subject lines of the most clicked phishing emails in recent years:
      a. Security Alert
      b. Revised Vacation & Sick Time Policy
      c. UPS Label Delivery 1ZBE312TNY00015011
      d. BREAKING: United Airlines Passenger Dies from Brain Hemorrhage – VIDEO
      e. A Delivery Attempt was made
      f. All Employees: Update your Healthcare Info
      g. Change of Password Required Immediately
      h. Password Check Required Immediately
      i. Unusual sign-in activity
      j. Urgent Action Required
  • How is the grammar and spelling? Large companies dedicate time and money to their communications. Because of this, spelling and grammar mistakes in legitimate emails from global brands are rare. Be sure to read emails carefully and be wary if there are consistent, glaring errors.
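
The send-time, sender, URL and subject questions above can be automated as a first-pass triage of reported mail. The Python script below is an added example, not part of the original article; the trusted-domain list, the 0.85 similarity threshold, the business-hours window, the urgency phrases and the sample message are all assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumed for this example: trusted domains, 0.85 threshold, 07-19h window, phrases.
TRUSTED_DOMAINS = {"bestbuy.com", "target.com"}
URGENT_PHRASES = ("immediately", "urgent", "security alert", "unusual sign-in")

def lookalike_of(host):
    """Return the trusted domain that host imitates, or None."""
    host = host.lower().removeprefix("www.")
    if any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # genuine domain or one of its subdomains
    for trusted in sorted(TRUSTED_DOMAINS):
        if SequenceMatcher(None, host, trusted).ratio() >= 0.85:
            return trusted
    return None

def review_message(raw):
    """Return a list of findings for one plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    if msg["Date"]:  # hour is read in the sender's stated UTC offset
        sent = parsedate_to_datetime(msg["Date"])
        if not 7 <= sent.hour < 19:
            findings.append(f"sent at {sent:%H:%M}, outside business hours")
    _, address = parseaddr(msg.get("From", ""))
    hosts = [address.rpartition("@")[2]]
    hosts += re.findall(r"https?://([^/\s:]+)", msg.get_payload())
    # Normalise and de-duplicate so one domain is reported once.
    for host in dict.fromkeys(h.lower().removeprefix("www.") for h in hosts):
        if imitated := lookalike_of(host):
            findings.append(f"{host} imitates {imitated}")
    subject = msg.get("Subject", "").lower()
    if any(phrase in subject for phrase in URGENT_PHRASES):
        findings.append("subject uses urgent language")
    return findings

# Constructed sample message, not a real email.
SAMPLE = """\
From: Best Buy Rewards <rewards@bestbuy1.com>
Date: Tue, 05 Mar 2024 03:12:00 -0500
Subject: Change of Password Required Immediately

Sign in at http://www.bestbuy1.com/login to keep your account.
"""

if __name__ == "__main__":
    print(*review_message(SAMPLE), sep="\n")
```

A message with no findings is not proven safe; the script only surfaces the signals from the checklist so a person can review them.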

Avoid Becoming a Victim

The following are some other tips to avoid becoming the victim of a phishing scheme:

  • Be overly cautious of suspicious emails, deleting them immediately. Be particularly wary of emails that:
    • Come from unrecognized senders
    • Ask you to confirm personal or financial information
    • Aren’t personalized
    • Are vague
    • Include threatening, frightening and persuasive language
  • Never enter personal information or click links in a pop-up screen.
  • Avoid emailing personal or financial information, even if you think you know the sender.
  • Hover over and triple-check the address of any links before you click them.
  • Avoid replying to the sender if you suspect an email is malicious. If you recognize the individual or company sending the suspicious email, follow up with them offline to ensure they meant to contact you.
  • Report the attack to your employer and the FBI’s Internet Crime Complaint Center.
  • Verify a website’s security. Legitimate websites will have a URL that begins with https, and you should see a closed lock icon somewhere near the address bar.
  • Keep your browser up to date and use firewalls.
  • Run anti-virus and anti-malware software on a regular basis. Reputable vendors include McAfee, Symantec, Malwarebytes and Avast.

Additional Considerations for Employers

While the above prevention tips are important, there are additional concerns for employers. A company could have the most top-of-the-line cyber security measures and still fall victim to phishers. Just one employee opening a malicious email can compromise an entire network. To protect themselves, businesses need to do the following:

  • Implement a data protection program. Train employees on common phishing scams and other cyber security concerns. Provide real-world examples during training to help them better understand what to look for. Better yet, test your employees by sending fake phishing emails to see who identifies them and follows company protocol, and who opens them. Our company implemented an employee training program to help us better recognize phishing attacks.
  • Filter emails and websites.
  • Have employees use unique usernames and passwords. In instances where employees share credentials, hackers can cause major damage to your business simply by compromising one employee.

Get Informed, Stay Protected

Cyber-attacks, including phishing schemes, aren’t going away. In fact, they’re becoming more sophisticated. It’s no longer enough to simply install anti-virus and anti-malware software. To truly protect yourself, it’s crucial to stay informed on the most recent cyber-attacks and up-to-date protection strategies.

In addition, review your Cyber Liability or Crime Insurance Policy to determine if coverage exists for Social Engineering. A Social Engineering Fraud Endorsement provides added protection when strong controls still fall short.