
What is Spear Phishing?

Most will have heard of “phishing”: a (mostly) fraudulent e-mail which aims to get the user to disclose user names and passwords. This kind of mail is sent to a lot of people without any regard for the recipients. Phishing is an old technique, but still a major concern in IT security because it works surprisingly well. Many just skim the fraudulent mail’s content, are impressed by the wording (“ACT NOW OR YOU WILL BE PROSECUTED”) and react in the way the phisherman intended by clicking the link and entering their credentials on the phishing page.

But, like every successful scam, this has been developed into something even more dangerous: Spear Phishing. It’s just like phishing, but with personalised mails to hand-selected individuals. An example: a professor receives an e-mail from a real or fictional student asking her to get his thesis fact-checked. As soon as the professor opens the attached file, it installs targeted malware on her computer that skims credentials. A commented list of examples can be found here.

Why can't IT automatically filter such spear phishing emails?

Every day, a large number of spam messages and phishing attempts are automatically deleted without us noticing. But in the case of spear phishing, the automatic mechanisms are rarely effective. Why? Phishing and spam e-mails are recognised primarily because they are sent en masse. Spear phishing e-mails, however, are sent individually and are therefore not directly recognisable as such. In addition, the senders often change their e-mail addresses. Blocking individual addresses is therefore not effective - and it certainly does not prevent such phishing attempts.

In this respect, the so-called "human firewall" is important - be careful and follow our behavioural tips in the following section.

How to detect fraudulent e-mails

  • Look closely: Which address was the e-mail sent from? Is this an e-mail address operated by the University of Cologne? Is it the e-mail address this person normally uses? Remember, e-mail addresses can be falsified easily. In case of doubt, check if you know the sender and reach out to them in a different e-mail, text message or call them. A quick phone call or a short message may prevent further harm.
  • Be cautious: Never open "Office" documents (i.e. word processing, spreadsheet or presentation files, e.g. doc files) or ZIP archives unless you are absolutely positive that they come from a legitimate source and the person who claims to be the sender is the actual sender. Do not open unsolicited Office or ZIP files otherwise. Not even
    • if you recognise that person’s name. Their name in the e-mail or the purported address is no evidence of them having actually sent the e-mail.
    • if the e-mail seems to be a reply to previous correspondence.
  • Keep calm and do not act immediately. At the University of Cologne, no deadlines of the kind “do this today or face the consequences” are issued. Genuine deadlines will be announced in good time. If you are uncertain whether a request received via e-mail is genuine, write yourself a note to revisit the topic a few days later. If the request was a scam, you will most likely be able to read about it on our web pages.
  • Do not click on links carelessly: Malware is very versatile nowadays and may also sit behind links that look authentic. Depending on the malware, clicking on such a link may bring disaster upon you and maybe even the IT infrastructure of your entire institution.
    • Look even more closely: Where does a link redirect to — an official website of e.g. the University of Cologne or a dubious website such as www.weight-loss…?
      If the link address is full of “garbage,” i.e. it contains hardly any human readable information, chances are high that the website it links to is not legitimate.
      (The opposite does not hold true: An easy to read address is by no means a sufficient sign for a serious web page.)
    • Use a secure virus check tool:
      VirusTotal is a free online service that lets you check suspicious links for malware. You can access it here (this link should be safe to click on): https://www.virustotal.com/gui/home/url
    • Use Windows Sandbox:
      A sandbox is a closed part of your operating system, like an operating system within your operating system. This allows you to execute operations without potentially compromising your actual system.
  • When filling a form that prompts you to enter passwords, take a closer look for signs of fraud:
    • Is the form actually provided by the University of Cologne? Check the website’s address. Official UoC websites use the “uni-koeln.de” domain name.
    • Do the form’s labels use proper writing style? If unusual-looking letters appear, this is a sign of a fraudulent website. For instance, a box labelled “Pásšwørd” instead of “Password” is a sure sign of a scam website. This applies to other unusually styled letters as well, e.g. ñ instead of n.
    • If the password box displays the actual characters you typed in (instead of asterisk or dot symbols) without you enabling cleartext display first, leave the website immediately. This is a clear indication of an imposter website.
  • Take a quiz to learn more about detecting phishing scams to prepare yourself for future threats.
  • Activate the spam filtering service for your email account (if you have not done so already). While not all phishing emails will be detected as spam, a good part of typical phishing emails can be filtered out before they reach your inbox. This way, you will not have to think twice about whether a certain message is benign or malicious.
  • In case of doubt (or if you accidentally clicked on a suspicious link or opened a suspicious attachment), contact your IT service, DP office or the RRZK help desk and request further advice and instructions.
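The address, link and login-form checks from the list above, written out as an added example (this is not code from the RRZK page). Only the “uni-koeln.de” domain comes from the page; the allowance for German umlauts, the “garbage” ratio threshold and the sample form are assumptions made here.

```python
import re
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "uni-koeln.de"          # official UoC domain named on the page
ALLOWED_NON_ASCII = set("äöüÄÖÜß")        # assumption: umlauts are normal in German forms

def is_official_host(url: str) -> bool:
    """True only if the host is uni-koeln.de itself or a subdomain of it.
    A plain substring test would accept lookalikes such as uni-koeln.de.example.org."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def looks_like_garbage(url: str, min_len: int = 20, threshold: float = 0.4) -> bool:
    """'Full of garbage': little of the path/query consists of readable words (runs of
    3+ letters). Short paths are not judged, and a readable address can still be bad."""
    parts = urlparse(url)
    tail = parts.path + parts.query
    if len(tail) < min_len:
        return False
    readable = sum(len(w) for w in re.findall(r"[A-Za-z]{3,}", tail))
    return readable / len(tail) < threshold

def odd_letters(label: str) -> list[str]:
    """Letters in a form label outside ASCII and not German umlauts, e.g. the accented
    glyphs in 'Pásšwørd'. An empty list means the label looks normal."""
    return [ch for ch in label
            if ch.isalpha() and ord(ch) > 127 and ch not in ALLOWED_NON_ASCII]

def cleartext_password_fields(html: str) -> list[str]:
    """Names of <input> fields meant for passwords (name/id contains 'pass') that are
    not type="password", i.e. the browser would echo what you type."""
    hits = []
    for tag in re.findall(r"<input\b[^>]*>", html, flags=re.I):
        attrs = {k.lower(): v for k, v in re.findall(r'(\w+)\s*=\s*"([^"]*)"', tag)}
        ident = (attrs.get("name", "") + attrs.get("id", "")).lower()
        if "pass" in ident and attrs.get("type", "text").lower() != "password":
            hits.append(attrs.get("name") or attrs.get("id"))
    return hits

# Constructed sample form (not a real site); the second field echoes the password.
SAMPLE_FORM = """<form>
<label>Benutzername</label><input name="user" type="text">
<label>Pásšwørd</label><input name="password" type="text">
</form>"""

if __name__ == "__main__":
    print(is_official_host("https://www.uni-koeln.de/login"),
          is_official_host("https://uni-koeln.de.example.org/login"))
    print(looks_like_garbage("http://example.org/x7Qz9/aB3kLp0vX2/?id=8fZq1Rt0"))
    print(odd_letters("Pásšwørd"), cleartext_password_fields(SAMPLE_FORM))
```

These are heuristics in the spirit of the list: a hit is a reason to stop and check with the help desk, and a clean result is not proof that a page is genuine.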

Contact
If you have any questions or problems, please contact the RRZK-Helpdesk