What is spear phishing?

Spear phishing isn’t what you do when you’re on vacation in Hawaii. It’s a targeted attack on your personal information. An updated version of the old trick “phishing,” where scam artists simply ask you for your password or other private information, spear phishing takes this trick to the next level, using social engineering. Before you respond to that email asking for you to verify your address or other personal information, read this article to protect yourself against spear phishing.

What Is Spear Phishing?

Spear phishing effectively uses all the data that’s on the Internet about you to lull you into an inappropriate sense of comfort before attempting to get your personal information. Because this technique is so successful, it accounts for approximately 91 percent of all phishing in the United States today.

Think about it: How much about you is on the Internet? First, there’s all the stuff you post on social media, everything from where you grew up, to the name of your first pet, to your birthday. All of that is useful information for the spear phisher. What’s more, there’s all the apps you connect with on social media. We’re talking about things like “What City Are You?” quizzes on Facebook. Just about anyone can set up an app like that on Facebook and have the personal information rolling in.

Once the spear phisher has all this personal information about you, they send you an email. It doesn’t look like a normal piece of spam. In fact, it might look very much like an email from a friend of yours, or something specifically written to you from a company you do business with. They might even inquire about a purchase you recently made online.

How Do You Protect Yourself Against Spear Phishing?

Spear phishing might be more deceptive and savvier than the phishing of old, but a lot of the same kinds of protections apply, along with a little bit of common sense:

  • Never give out more information than you need to on social media. Always provide the bare minimum of information needed to sign up for a website.
  • On the same token, keep as much information as possible restricted. Most popular social networks allow you to customize your security settings. The tighter you make them, the less you’re giving a spear phisher to go by.
  • Don’t sign up for apps on social networks unless they’re absolutely necessary and come from reputable sources. Remember that even reputable apps are vulnerable to attack. Every new one you sign up for is a new opportunity for you to get hacked.
  • Use strong passwords and a different password for every website. Password management apps exist that will generate strong passwords for you, as well as store them together, meaning that you don’t have to remember all your passwords -- just one to unlock the app.
  • Always update your software, especially your Internet security suit and operating system. A spear phisher targeting you might only need a couple of points of data to pass along to a hacker to get into your system. You’ll make it just a little bit harder for them to get through when your applications are up to date.
  • Use common sense when responding to emails. That email you got from a friend might be from them, and probably is. However, if there’s anything suspicious about the email, shoot your friend a call or text before answering it. This is even more important when it comes to companies you’re doing business with online.

If you become a victim of a spear phishing attack, it can take weeks or months to get your Internet security locked back down. Still, by taking just a few common-sense precautions, you can make it significantly less likely that you’re going to become a victim.

Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Norton by Symantec is now Norton LifeLock. LifeLock™ identity theft protection is not available in all countries.

Copyright © 2019 Symantec Corporation. All rights reserved. Symantec, the Symantec logo, the Checkmark logo, Norton, Norton by Symantec, LifeLock and the LockMan logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the United States and other countries. App Store is a service mark of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution Licence. Other names may be trademarks of their respective owners.