Spear Phishing – Don’t become the next victim

A popular trend among fraudsters can cost you money and customers.

 Bank of American Fork held a cyber-security Q&A on Facebook Live in October. The event was hosted by Bank of American Fork’s Chief Technology Officer, Mark Holley.

Spear phishing, a form of social engineering and a current trend among fraudsters, has been making local and national headlines in recent months.  KSL recently reported that 2 Utah counties were robbed of thousands of dollars due to a spear-phishing scam.  Earlier this year a Snapchat payroll employee fell for a phishing attack, exposing the personal information of several current and former employees.

The following story of a phishing attempt was recently submitted to us:

I recently received an email from a healthcare provider. I do business with that provider and the email looked just like an email I would receive from them. By clicking on the link provided it took me to a webpage that looked just like the provider’s webpage. If I were to log into the page using my username and password, the hackers would then be able to log into the legitimate web page and have access to all of my medical records.

Situations like this occur all too often.  Falling victim to a social-engineering scam can greatly affect your business’ bottom line (according to the Ponemon Institute, the average cost of a data breach in 2015 was $3.8 million). But perhaps more importantly, it can damage your business’ reputation.  A recent study by Deloitte shows that one-third of customers say they would stop dealing with a business following a cyber-security breach, even if they did not suffer a material loss.

You may be asking yourself: “How can I prevent something like this from happening within my own company?” The first step is understanding what spear phishing is and how the scam works.

Spear-phishing attacks are carried out via email and target specific individuals or companies.  They usually appear as ordinary emails containing some type of link or attachment.  The attackers do their research through social engineering.  They learn your name, hometown, where you work – any information they can easily access online through social media profiles.  Including personalized information can add a lot of credibility to the emails, making them believable to the point that 97% of people are unable to identify these emails as phishing.

The following outline can help you better understand spear-phishing:


The ultimate goal of a spear-phishing scam is to gain access to your organization’s critical data.  This includes bank accounts, passwords, security clearances, financials, intellectual data, credentials and much more.

The following are some tips and guidelines from our IT expert Mark Holley to help prevent spear-phishing attacks from affecting your business:

  • Verify any emails requesting money transfers or secure data. Ask questions and contact the other party by phone to verify any communication that may seem suspicious.
  • Ensure your organization’s security technology and processes are maintained and updated.
  • Familiarize yourself with your organization’s cyber-security policies and procedures.
  • Be mindful of the personal information you share online.
  • Remember that if it feels wrong, it probably is.

Everyone is a potential target of a spear-phishing attack, regardless of their status in an organization.   Most spear-phishing attacks are not random but are targeted at a specific person within a specific organization.  Attackers have been known to target anyone from CEOs (known as whaling) to entry-level employees, as many times they are just looking to gain a foothold into your organization’s computer system.

Often times an organization doesn’t realize they have fallen victim to a spear-phishing attack until it’s too late.  Because of this, it is crucial for everyone to be trained to immediately recognize, avoid and report suspicious emails.

As the old adage goes, “the best defense is a good offense”.  The best thing you can do to protect your organization from a spear-phishing attack is to be actively engaged in identifying and reporting any suspicious email correspondence.

Related Articles