WiFi Finder

Locate wireless services by a specific address, city, state, country, airport, or zip code.

Get Connected Now

RSS Feeds

Get our latest content via convenient RSS feeds.

See All RSS Feeds

Become a PCW Member

Join the community and start enjoying the benefits:

Get tech advice from thousands of PC World Members
Rate and recommend the latest tech products
Share your thoughts in blog and article comments
Get free excerpts and exclusive discounts on Super Guides

Signing up is free and easy.

Threat Alert: Spear Phishing

Targeted e-mail attacks try to lure you in with specific, convincing messages.

Erik Larkin

With HP wireless printers, you could have printed this from any room in the house. Live wirelessly. Print wirelessly.

Illustration: Headcase Design

"After three unsuccessful attempts to access your account, your Online Profile has been locked. This has been done to secure your accounts and to protect your private information. You may unlock your profile by going to: ..."

Sounds like a normal phishing e-mail, right? But what if the e-mail seemed to come from the head of IT at your small business, warning about your company account? Would you click the link?

Today's phishers hope so. In fact, the excerpt above didn't appear in the usual global barrage of e-mail sent out to catch recipients with eBay or PayPal accounts. Instead, it went exclusively to students and faculty of the University of Kentucky as part of a directed, or "spear-phishing," attack against the small, 33,000-member university credit union this May. Another widely reported incident involved an Israeli company that used spear-phishing techniques to install spyware on PCs at the office of one of its competitors.

According to Peter Cassidy, secretary general of the Anti-Phishing Working Group, spear phishers act much like marketers, crafting a message and then directing it to just the right people.

These targeted attacks make better use of social engineering to trick people who are tuning out the widespread spam of typical phishing attacks, Cassidy says, but who might not expect an e-mail aimed at a smaller company or organization.

Expect it: According to IBM's Global Security Index report, intercepted spear-phishing attempts exploded from a mere 56 instances in January to more than 600,000 cases in June.

Protect Yourself

Be skeptical: No matter who the e-mail is from, if it concerns account information, don't trust it outright.

Make a phone call: If you receive an e-mail you find suspicious in any way, call the named organization.

Don't click suspect e-mail links: Instead, navigate to the company's home page on your own.

Try the NetCraft toolbar: This antiphishing utility can warn you of suspicious sites.

See the Complete Special Report
The New Security War: In this Special Package
Best Defenders and Spy Sweeper Leads the Field (chart)
The Hidden Money Trail
Privacy in Peril
Is the Net Doomed?
Threat Alert: Spear Phishing
Threat Alert: Antivirus Killers
Threat Alert: Instant Messaging Attacks
10-Step Security
Security by the Numbers
More Security Resources on the Web

Also See Our In-Depth Online Series
Web Of Crime