by Senior Editor

4 spear-phishing hooks for the holidays

Nov 14, 2011
Cybercrime | Email Clients | Holidays

Expect some of the typical phishing lures to be cast this year, but more targeted 'spear-phishing' twists raise the potential for damage


Spear-phishing is a kind of social engineering trick aimed at a specific victim, whether that’s an organization or an individual.

A spear-phishing message might include not only the recipient’s name but also other specific information (mentions of friends by name, departmental references) that helps personalize it and make it believable. Spear-phishers can draw this information from social networks or other public sources.

This tactic differs from old-school phishing’s broad messages aimed at whoever would take the bait. (“Dear Sir—I would like to enlist your help in retrieving my inheritance from Nigeria…”)

Cybercriminals are increasingly abandoning the technique of casting a wide net by blasting thousands of email accounts with a phishing scam. That’s not nearly as lucrative as a spear-phishing attack, which might take more work, but has the potential for a much bigger payoff, according to Rohyt Belani, CEO of phishing-awareness-training company PhishMe.

“The kind of phishing attacks that are working now involve targeting specific employees at an organization,” said Belani. “Every major breach we have heard about this year has been initiated by a targeted phishing attack—be it RSA, Epsilon, numerous defense contractors, Oak Ridge National Laboratory and on and on.”


Belani said spam filters are doing such an effective job of siphoning out bad emails that criminals are now tailoring their messages to get around these filters, which detect high-volume, mass-blast emails. Instead, phishers now choose just five or six employees, and strike.

“The normal employee at an organization doesn’t think hackers would target them,” said Belani. “As we saw in the RSA scenario, only 4 people received that email, none of them high-profile employees.”

With that said, the holidays are full of potential scenarios that phishers may try to exploit. Here are four lines spear-phishing phonies are likely to cast over the next few weeks in the hope of getting you to bite.

“Kick off your holiday shopping with this 10% off coupon for any store at [your local mall]”

The coupon or discount is not a new tactic, but the addition of an actual mall right near you is, said Belani.

“Around the holidays, phishing emails appeal to the desire to get deals,” said Belani. “It may be a coupon for a Black Friday sale, for example, but it will have the added detail of mentioning a local store or mall to make it more believable.”

Belani suggests skipping any links or downloads that claim to have a coupon or discount code and going directly to the web site for the store or the mall. If there is a coupon, get it directly from their web site.

“If they are sending it on email, it is going to be on their web site as well,” he said.

“[Your company] thanks for your hard work this year and invites you to enter our holiday raffle”

Expect phishers to try to snare you with end-of-year giveaways and contests, said Belani. In this scenario, the email looks believable because it appears to be from your employer, who is offering you a chance to win something as part of an employee holiday raffle.

“It will claim the company is giving away something like a $500 AMEX card in a raffle,” said Belani.


There’s a simple underlying strategy in most scam-prevention tactics: Always verify!

The fire inspector is poking around your office? Great—that’s his job—but call the fire department and verify his name and whereabouts.

Email says there’s mold in your building? Find the facilities manager and double-check. Print a copy of the email and show it to her.

You can always double-check anyone’s story. Just smile politely, blame “company policy,” and get someone on the phone.

Rather than click and start filling out your information, get up and go ask around. Don’t ask others if they got the same email; they may be targets, too. Your best source, of course, is HR or whoever is in charge of organizing these kinds of company-sponsored contests and events.

“A year-end inspection has turned up mold in offices in our building at [your work address]”

Belani said PhishMe analyzed phishing scenarios that employees were likely to fall for and found that tactics that instill fear in the recipient were slightly more successful than those that used a “greed” motivator, like a discount, coupon or contest.

In this scenario, phishers are hoping that by mentioning your building, they can get you to click on a Word document, or other attachment, to find out if your specific office is affected by this alleged “mold discovery.”

“People don’t pause and say: ‘Would facility security do this?’” said Belani. “This touches off a slight sense of fear and the person thinks: ‘I better figure this out.’”

In this kind of situation, Belani recommends seeking out other notices on the news. Is there a posting on the break room bulletin board, for example? If that fails to turn up information, get on the phone.

“Call someone in the department that sent the email and ask: ‘Did you send me this document?’” said Belani.

“[Your company] is migrating its payroll system before the end of the year. Please enter your updated information to avoid interruption of your direct deposit.”

This is another fear-based scenario, Belani said, and it is particularly effective during the holidays, when concern about finances is high. The fear that you might not receive your paycheck some Friday causes employees to do whatever they are told to do to prevent it from happening.

“We need to listen to authority, but sometimes it takes over our mindset,” said Belani. “I’m not saying we need to be suspicious about everything, but we need to be slightly suspicious.”