Hackers, spammers and cybercriminals have a multitude of methods they can use to infiltrate computer systems, steal data, plant malware or compromise your personal information. One of the most long-standing tactics is targeting 'phishing', also known as spearphishing.
It has endured because it works: unwitting web users continue to receive malicious messages and still fall victim to their charms. If you are wondering how dangerous they can be, just ask John Podesta: the US political player who lost tens of thousands of email with a single click.
When a spearphishing email lands in your inbox, it's rarely a mistake. Using your personal information – either hacked from another source or lifted from public social media profile – spammers are able to produce slick, and highly-convincing, messages.
They will appear legitimate, but spearphishing emails usually contain malware, spyware or another form of virus – often hidden in a link. When clicked, the payload will usually download automatically onto your computer and go to work – stealing files, locking records or logging your keystrokes.
Using your own personal information against you, hackers can craft an extremely personalised email message. It will likely be addressed to you by name and will reference a specific event in your life, something that will make you believe the sender is real and trustworthy.
What information could they possibly know?
Using social media, the spammer will likely already know your age, where you work, what school you attended, personal interests, what you eat for dinner, what concerts you have been to recently, where you shop, what films you like, what music you listen to, your sexual preference, and more.
But this is enough. Using the information, a fictitious hacker could easily pose as your friend and ask for further information about you – your phone number, password, even bank details? Not everyone would fall for the scam, but many still do if the recipient believes the identity of the sender.
A hacker using spearphishing may pose as a retailor, online service or bank to fool you into resetting your credentials via a spoofed landing page. The email may ask you to reset your password or re-verify your credit card number because suspicious activity has been monitored on your account.
If the email tempts you to click an embedded link, it could also download a keylogger or Remote Access Trojan (RAT) onto your computer to steal bank details or social media passwords as you type them. Many people re-use passwords across multiple websites, so the danger of hacking is high.
How to stay protected
Stay protected by being aware of the threats and remaining extremely careful about what personal information you put online. Limit what pictures to post to Facebook or Twitter, check where your email is listed and ensure your computer's security is kept up to date.
Ensure the passwords you use are original, lengthy and, most importantly, unique to every online website or service. A strong password will contain a mixture of characters, numbers and symbols. If possible, enable two-step authentication on every account that offers it.
Finally, know the signs and stay vigilant. If you receive an email from a close friend that asks for personal information – think twice before replying and send them a reply asking them to verify their identity. Also, know that any real business or bank is unlikely to request sensitive data via email.
Unfortunately, it only takes one click of a mouse for the hacker to access your system and despite advanced spam filters on current email providers spearphishing emails will continue to slip through the cracks.
Read more about phishing and spearphishing on Action Fraud.