phishing (= the criminal activity of tricking people into giving personal information by directing them to a fake website) aimed at a specific person or group, usually by sending an email which has been made to look as if it comes from someone that the recipient knows
'According to experts, hackers have been using the personal information LinkedIn users give to the site and other similar websites to then send emails that appear to come from trusted sources or colleagues … The tactic, known as spear phishing, has also been used in some high-profile breaches, including an attack in 2011 on Google's Gmail service.'
Central Florida News 13, 19th March 2012
'Social media tools are a great way for users to share information – and a great way for a spearphisher or whaler to target someone…'
Osterman Research Blog, 8th March 2012
Any regular Internet user will at some point, either knowingly or otherwise, have released a degree of personal information about themselves, whether it's in the process of buying something or simply by dint of their browsing habits. Unlike a trail of footprints, this information isn't something that fades away easily, and so the web's cavernous data store holds enduring snippets of information on our identity and contact details. Inevitably there's always the potential for this information to be used in unscrupulous ways, and one of the latest developments in this respect is an activity known as spear phishing.
Spear phishing is based on the earlier concept of phishing, which occurs when people are sent an email designed to trick them into divulging security information – passwords, usernames, answers to security questions etc. – which will enable the perpetrator to steal money, collect sensitive information, or engage in other kinds of fraudulent activity online. The email received by victims usually directs them to some kind of website which, though appearing to be from a trusted source, is in fact fake, and which invites them to enter their personal details.
Whilst phishing is usually a random activity, instigated by any kind of hacker and directed at an unspecified, often extremely large group of web users, spear phishing is a more carefully planned attack. In spear phishing, a specific individual or group of people is identified in advance and targeted through an email which has been individually crafted to convince the victim(s) of its legitimacy. A spear phishing email (also known as a spearphish) might purport to come from a friend or colleague, or attempt to relate to the target's known interests. Perpetrators, now referred to as spear phishers, often exploit social media tools to profile a person and pick up on bits of information which can be used to make emails sound convincing and more likely to be opened and acted upon.
For instance, if on my Facebook page I'd enthused about my recent holiday to Paris and posted photos and comments about my holiday activities, a spear phishing email could be constructed with a subject line such as "We mistakenly overcharged you during your stay at Hotel Gare Du Nord" or "Refund on your ticket to the Louvre", or some such. An email which appears to relate specifically to me and my goings-on in life is far more likely to grab my attention and not be immediately discarded as a random bit of spam.
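The description above gives a defender two concrete things to look for in a suspicious message: the reply path and links that do not match the sender the email claims to be from. The script below is an added example, not part of the original article and not from any vendor; it scans one raw email for three simple indicators (Reply-To domain differing from the From domain, a link whose visible text names one host while its href goes to another, and an href pointing at a bare IP address). The sample message, its domains (`.invalid` TLD, TEST-NET address 203.0.113.7) and the hotel lure are all constructed for the example.

```python
import email
import ipaddress
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from any real incident). It reuses the
# "Hotel Gare Du Nord" overcharge lure from the article: the Reply-To goes
# somewhere other than the From domain, and the visible link text shows a
# plausible hotel host while the real href points at a bare IP address.
SAMPLE_EMAIL = """\
From: "Hotel Gare Du Nord Billing" <billing@hotel-example.invalid>
Reply-To: collect@another-domain.invalid
To: traveller@victim.invalid
Subject: We mistakenly overcharged you during your stay at Hotel Gare Du Nord
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your card details to receive your refund:</p>
<p><a href="http://203.0.113.7/refund/login">https://hotel-example.invalid/refund</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host of a URL, or of bare text that merely looks like one."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def addr_domain(header_value):
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_ip_literal(host):
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Visible link text that looks like a host or URL, e.g. "https://x.invalid/path".
HOSTLIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def phishing_indicators(raw_message):
    """Return human-readable warnings for one raw RFC 5322 message (single part)."""
    msg = email.message_from_string(raw_message)
    warnings = []

    from_domain = addr_domain(msg["From"])
    reply_domain = addr_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    if msg.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            href_host = host_of(href)
            if is_ip_literal(href_host):
                warnings.append(f"link points at a raw IP address: {href}")
            if HOSTLIKE.match(text) and host_of(text) != href_host:
                warnings.append(f"link text shows {host_of(text)!r} but href goes to {href_host!r}")
    return warnings


if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

None of these checks proves a message is malicious on its own (legitimate mailing services routinely set a different Reply-To), which is why the function returns a list of indicators for a person or a scoring rule to weigh rather than a verdict; multipart messages would need the HTML part selected first, which this single-part example does not do.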
The activity of spear phishing hit the headlines in February 2011, when it was revealed to have been used in targeting the Google mail accounts of US military and government officials. They received a message which appeared to contain a document entitled "Draft US-China Joint Statement", but the corresponding link actually directed them to a fake login page designed to snatch their passwords.
The term spear phishing further develops the metaphor underlying the term phish(ing), which first appeared in the mid-1990s and is based on a deliberate misspelling of the word fish in its verbal sense of 'to try to make someone tell you something without asking them directly'. The analogy of 'trying to catch fish' is also carried over, so that phishing emails are often described as bait, and discussions of the activity might include references to phishing expeditions, phishing lines, and being caught/hooked by a phish. Spear phishing extends the analogy further by likening the targeted attacks to the use of spears and harpoons to catch a particular fish. Another extension of the metaphor is the use of the terms whaling and whaler to refer to phishing attacks aimed at senior executives and other high-profile targets.
This article was first published on 4th June 2012.