Spear phishing scams are becoming all too common. The scammers are getting smarter at fooling you and gaining your trust. Giving personal information to the wrong person can be financially devastating to you.


This time it’s personal


First, we need to understand the difference between a standard phishing attack and a spear phishing attack. A standard phishing attack is targeted at anyone the scammer can communicate with, whereas a spear phishing attack is aimed at a specific individual. They’re specifically attacking you; it’s personal.


Who’s really calling?


If the attack comes by phone, the Caller ID display will appear to be from a trusted source, likely your bank or credit union. Scammers can easily ‘spoof’ any company’s or institution’s number to make it look like they’re calling from that financial institution.


They seem to know a lot about you


In a typical spear phishing scam, the caller will identify himself as a fraud department representative of the bank and tell you that they’ve detected suspected fraudulent use of your credit card ending in 4567 and would like to stop those charges with your approval.


The caller will want to verify a few things to confirm your identity before he proceeds with rejecting the fraudulent charges. They’ll ask you if you were born on a specific date and if you attend a particular school. Of course, you’ll say yes, that’s me. This is all information they can gather off social media. Just look at the information you’ve put on your Facebook profile.


Here comes the spear!


Then they’ll go in for the kill: they’ll ask you to please verify your Social Security Number. This is the spear part of the attack. By this time you feel comfortable with the individual on the phone. He appears to be calling from your bank, and he knows the last four digits of your credit card, your birthday, and where you went to school, so you give him your SSN.


You’ll likely hear a few clicks of buttons on his keyboard.  Then he’ll come back on the phone and tell you they were successful at reversing the fraudulent charges and thank you for your time.


What he’s really done is complete your profile by entering your SSN. Now the scammers have everything they need to rob you blind.


Flip the script on them


How do you protect yourself from these sorts of attacks? Simply stated, all you need to do is thank them for notifying you and hang up. Then pull out your credit card or ATM card, call the number on the back of the card, and ask for the fraud department. Now you’re calling a trusted source.


If it was a spear phishing attack, the bank will tell you there have been no attempted charges of that nature. If it was a real fraudulent charge, they’ll verify it and start the dispute process with you. In either case, you’ll have the peace of mind of knowing you’re communicating with a legitimate representative of the financial institution.


Never trust an unsolicited caller and don’t give them any information


Never give any personal information out on an unsolicited call. It’s impossible to know who’s calling you. Chances are they could be up to no good.


You can learn more about spear phishing scams on the FTC website.