We’ve been “spear-phished”!

Or… we were the recipient of an attempted spear phishing attack, but were informed enough to recognize the traits. What is “spear phishing”? As defined by the security folks at Norton, “Spear phishing is an email that appears to be from an individual or business that you know. But it isn’t. It’s from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC.”

Designed to look like an email from a known sender, a spear-phishing message asks a person in the know in your organization to transfer money or provide bank information. In our case, the email above was received by our financial coordinator, Shaun Mullaly. Note that while the name makes it look like it was sent by me, the return address was not a company address. Shaun immediately smelled something fishy (pun very much intended) and emailed me on my work account to verify whether or not the email above was legit. Of course, it was not.
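The trait Shaun spotted, a familiar display name on an address outside the company, can also be checked mechanically in a mail filter or triage script. The Python below is an added example, not part of the original post; the company domain, staff name and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

COMPANY_DOMAIN = "example.com"   # assumption: the organization's mail domain
STAFF_NAMES = {"pat example"}    # assumption: people whose name carries payment authority

def _norm(name):
    # Case and spacing differences should not defeat the name match.
    return " ".join(name.lower().split())

def _internal(addr, company_domain):
    # Exact domain or a true subdomain; "example.com.evil.test" does not qualify.
    domain = addr.rpartition("@")[2].lower()
    return domain == company_domain or domain.endswith("." + company_domain)

def impersonation_findings(raw, company_domain=COMPANY_DOMAIN, staff=STAFF_NAMES):
    """Return the reasons a raw message looks like display-name impersonation."""
    msg = message_from_string(raw)
    findings, claims_insider = [], False
    for name, addr in getaddresses(msg.get_all("From", [])):
        internal = _internal(addr, company_domain)
        if _norm(name) in staff and not internal:
            findings.append(f"From shows staff name {name!r} but address is {addr}")
        claims_insider = claims_insider or internal or _norm(name) in staff
    # Replies leaving the company only matter when the sender claims to be inside it.
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        if claims_insider and addr and not _internal(addr, company_domain):
            findings.append(f"Reply-To routes answers outside the company: {addr}")
    return findings

# Constructed sample messages (not taken from the incident described above).
SPOOFED = ('From: "Pat Example" <pat.example@mail.example.net>\n'
           'To: finance@example.com\nSubject: Wire transfer\n\nAre you at your desk?\n')
REPLY_TRAP = ('From: "Pat Example" <pat@example.com>\n'
              'Reply-To: pat.example@example.org\nSubject: Wire transfer\n\nNeed this today.\n')
GENUINE = 'From: "Pat Example" <pat@example.com>\nSubject: Lunch\n\nNoon?\n'
VENDOR = ('From: "Billing" <billing@example.org>\n'
          'Reply-To: ar@example.org\nSubject: Invoice\n\nAttached.\n')

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("reply trap", REPLY_TRAP),
                       ("genuine", GENUINE), ("vendor", VENDOR)]:
        print(label, impersonation_findings(raw))
```

A finding here is a prompt to verify through a separate channel, as Shaun did, not proof of fraud on its own.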

This event reinforces that the greatest IT security tool is user education. This is electronic panhandling – a stranger, posing as a friend, asking for money. Having seen these requests before, I’m positive that if Shaun had replied “sure, what do you need?”, the reply would have been to provide account info or to route money to a fraudulent account. Beware of email attempts from unknown sender addresses looking for money transfers or bank account information. A healthy dose of skepticism is your best defense.