What is Spear Phishing?


The Equifax data breach has sparked renewed concern over phishing scams that use the data theft as a pretense for tricking victims out of personal information. There's also reason to be extra vigilant about a more insidious twist on the phishing ploy—a variant known as spear phishing.

Spear phishing occurs when scammers use personal details to tailor the emails, text messages, or phone calls they use to swindle victims.

Social media is a prime resource for spear phishers. Frank Abagnale, the reformed identity thief portrayed by Leonardo DiCaprio in the movie "Catch Me if You Can," emphasizes this in his ongoing crusade against a ploy known as the "grandparent scam."

In that spear-phishing con, a criminal learns the name of a target's grandchild and, posing as a police officer from the town where the teen lives, demands immediate payment of bail to keep the kid from spending a weekend in jail. (See also: Scams Targeting Seniors: What to Know and How to Protect Yourself)

Financial information is harder to come by than the names of family members, but the recent theft of millions of Social Security numbers and credit card numbers may change that. Armed with that data—and possibly with tax records and credit reports stolen using that data—spear phishers can make their messages highly specific and seemingly authentic: Think of a bogus email from the IRS that specifies the amount of last year's tax refund, or a scam call from a credit card issuer who can reference your last monthly payment amount. Details like those can make criminal communications highly convincing.

Deflecting the Spears

Awareness is the first shield against spear phishers. When you know what's possible, you can watch for it. Here are a few more guidelines for detecting and avoiding spear phishing scams:

  • Be skeptical of extreme urgency. Scammers often demand quick responses to their communications, warning of dire consequences if you don't immediately click on a link, issue a payment, etc. If a message applies that kind of pressure, take a breath, do nothing, and double-check the content. (If a phone caller is leaning on you, claim an emergency and tell them you'll call back; they'll likely hang up and move on.)
  • Get it in writing. Government agencies won't use electronic communications to seek funds. Courts and agencies such as the IRS will send you official notices by snail mail. If you're unsure of the identity of a person seeking information (or payments) from you, tell them to mail you their request.
  • Second-guess caller ID. Caller ID is relatively easy to spoof, especially for criminals sufficiently organized to research targets individually. Callers may not be who they seem to be.
  • When in doubt, check. Forward any suspicious email (without clicking any links) to the company or agency that's being impersonated. If the scammer calls, use a published number for the company or agency in question, and call with the relevant info. Cooperate as appropriate to help them track the communication back to its source.

Ultimately, the best safeguard against spear phishing is to protect the personal data that enables it. Be mindful of the information you share on social media, consider limiting access to those accounts to "friends" (not the public), and give some thought to identity theft protection. Spear phishers use information about you to induce panic and anxiety. Stay aware and calm, and don't take the bait.