If you are a regular email user, you may know what phishing is. You will get a random email from a hacker pretending to be from a reputable organisation, such as a bank, asking you to reveal personal information, including your account details.
Some of you may notice the grammar or the URL of the message standing out and trash it immediately. Most of the time it will go straight to your spam folder, courtesy the security measures put in place by your email provider.
Phishing emails are generally sent out in bulk - here, attackers do not target all recipients, but expect a few random people among them to be gullible enough to fall into their trap.
But what if a hacker focused on a single person and used all their means to trick the person into sharing their information? That’s spearphishing, and the 2014 leak of nude images of scores of Hollywood celebrities is speculated to have been a result of it.
Journalist Sarah Jeong describes the method as "a sniper shot versus a shotgun blast, and the person on the receiving end doesn’t get much of a chance to duck for cover." Sarah allowed a hacker to hack into her account and narrated her experience in a recent piece for GQ.
"It is not an old technique but of late is being used to target high profile individuals," says Anand Prakash, an ethical hacker and founder of AppSecure, a security auditioning startup in Bengaluru.
How it works perhaps sounds even scarier because of how easy it seems.
"Let's say there is Facebook.com. So what an attacker will do is copy the source code from the homepage of Facebook.com and host it on his own malicious server. And once he does that, he can then send the link to the victim with a different domain name. A victim will see the exact replica of Facebook.com but the domain name and the URL bar will be different. The victims may not notice it and once they enter their username and password, the real credentials of the victims will be submitted to the attacker's server," Anand explains.
However, one significant thing that separates phishing from spearphishing, as Sarah Jeong also notes, is a certain component of social engineering involved in the latter.
What this essentially means is that the hacker gets to know you and can gather as much as information as possible about you before sending you that email, thus making it more difficult for the victim to protect themselves from the hack.
The attacker may send an email pretending to be a friend or colleague or an institution you deal with regularly. And it is easier for us to trust people we know.
"Basically, this is how it works. Suppose I am the attacker and you are the victim. I will first try to gather all your personal information from your social media accounts Twitter, Facebook, Hotmail, etc. I will get your email, email accounts are possibly sold everywhere. Once I get that, I will send an email saying 'I am from ICICI bank and I saw some suspicious activity on your account and we will be blocking your credit card number. Please enter your net-banking password on this email,'" Anand says.
And to stop our credit card from being blocked, we could provide the details without putting much thought into it.
Another common trick is a fraud organisation sending out emails letting you know that you have won the lottery.
While the fraud may seem obvious to many, it does have a lot of victims, Anand says.
"Yes, people fall it. Regular people fall for it. My dad saw a similar message a few months ago and he tried to call that number back," he laughs.
Anand recommends people to check the location bar in the browser to confirm a valid website.
"As of now, the email providers are also taking care of security. But people should also check the URL. For example, the official website of ICICI bank is https://www.icicibank.com/. Hackers may change it to https://www.icicilbank.com/ and you may not even notice it. Most hackers do such stuff. Keep your software systems updated to prevent malware and spyware from crawling into the system. Do not submit numbers or other details on any random website," he states.