Spear phishing – what is it?
Six weeks ago, a young woman who was in a meeting at work received a message. The Facebook message from a distant friend read: “Hey babe,” and initially seemed innocent.
After a brief chat, the friend asked Zeb (not her real name) if she would vote for her in an online modelling competition. Zeb agreed and registered her email to vote for her friend.
But after an alleged technical glitch, the friend contacted Zeb once again and told her that she needed her email log-in and password to fix the problem and restore her votes, which had been lost.
Unsure at first, Zeb agreed after pressure from her friend. However, it was not her friend she was talking to. Instead, she had become a victim of a technique known as spear-phishing.
Within minutes, the information given was used to gain access to Zeb’s accounts, including her Apple iCloud, which held not only personal data such as copies of her passport and bank details, but also some explicit private photographs.
Zeb was contacted via telephone by a man calling from a number with a Pakistan area code, who attempted to blackmail her into performing a sex act via webcam; otherwise, he would post all the explicit pictures to her Facebook account, which he had now taken control of.
It was only through Zeb’s strong will and the help of her family and friends that they managed to close her Facebook account within 15 minutes of the pictures being posted. However, the damage had already been done, and the pictures had been seen by some of her contacts, including friends and work colleagues.
How could Zeb have prevented the spear-phishing attempt?
The obvious answer is that she should not have given her email to the person posing as her friend. Spear-phishing preys on people’s trust to gain access to their personal details. The moment the ‘friend’ requested email log-in details should have raised alarm bells.
If you find yourself in a position where you think you may have been a target for spear-phishing, or any other Data Protection breach, consider hiring a private investigator. They can confirm the validity of any request and look to track down the perpetrator to bring them to justice.