Cybercriminals Target Computer Users With 'Spear-Phishing' Messages

Listen to the UVA Today Radio Show report on this story by Marian Anderfuren:

September 28, 2011 — The Nigerian prince – the guy who wanted you to transfer $5,000 to him now and he would split a fortune with you later – has to share online space now with more sophisticated "phishers" who masquerade as your IT or human resources department and address you by name.

The goal, however, is the same: To trick you out of money and personal information, so as to invade your computer or network.

Don't be fooled, said Karen McDowell, information security analyst in the Information Security, Policy and Records Office at the University of Virginia. "If you think it's suspicious, trust your gut," she said.

The technique is called "spear-phishing," a variation on the practice of sending mass generic fake emails that "phish" for your personal information and or money. Spear-phishers "do their research," McDowell said. "They learn what's important to a group or a company, and when you receive a message, you might think, 'That's what we've been talking about.'"

In conjunction with National Cyber Security Awareness Month, U.Va. is offering a series of free cybersecurity workshops starting Oct. 4 in Newcomb Hall. Participants will learn how to protect their data, identity and computers. Registration is not required, and door prizes will be awarded. (For the schedule, click here.)

The theme is "Stop. Think. Connect." We can avoid most online scams, McDowell said, by not being so quick on the mouse button. Rather, take the time, for example, to make sure your IT or HR department really did send that email.

Bad grammar and spelling used to be a giveaway of phishing emails, she said, but now the cybercriminals have hired grammarians to edit their work. They may also include authentic links to the companies they purport to represent to add an air of legitimacy.

Cybercriminals have a variety of motivations, McDowell said. "To use a war metaphor, they can establish a beachhead in your company, and from there they can do a lot of damage: steal intellectual property, personal accounts, credit card information and personally identifiable information."

Home networks are particularly attractive, she said. "The average person using a computer at home isn't trained to look for this stuff. Once a phisher drops a virus into a home computer the virus can sit on your home network, wait until something attractive goes by, and grab it."

Question any email, she said, that conveys a sense of urgency, like "You must log in now to protect your account or maintain your access." Emails with attachments are also suspicious, particularly .zip files that can be loaded with viruses and malware.

Emails aren't the only portal for cybercriminals, she said. Be wary of clicking on Google images that don't appear to come from a reputable site, and watch out for suspicious ads and links on Facebook.

"We have to defend all the doors, but all they have to do is find one way in," McDowell said. "The good news is that we're the first line of defense. All we have to do is not click when we're in doubt."

— By Marian Anderfuren

Media Contact

Marian Anderfuren

Director of Media Relations U.Va. Media Relations