What is Spear Phishing? Here's how to safeguard yourself from email frauds

ohit KVN
Last Updated : 16 March 2022, 14:26 IST


Thanks to the Covid-19 pandemic-induced lockdowns and social distancing protocols, smartphones have become an indispensable tool for getting things done. Now, you can order groceries on an app and get them delivered in 10 minutes.

However, not everything about smartphones is hunky-dory. If people don't exercise caution online, cybercriminals will wipe their hard-earned money out of their bank accounts.

In this segment, we will focus on 'Spear Phishing', a technique used by bad actors to lure potential victims through e-mails.

What is Spear Phishing?
As said above, criminals use e-mails as the primary platform to prey on naive people and steal financial details. First, they use creative photo editing skills to come up with a letterhead resembling that of a corporate company or a bank, or even a local Income Tax agency logo. Then, they play on people's emotions (excitement and panic) to get them to reveal their personal details voluntarily.

Five most common click-bait emails:

1) A corporate consumer company offering a jackpot prize
Here, bad actors, either by sourcing email IDs from the darknet or just at random, shoot emails to potential victims saying that they have won a huge jackpot prize. They say the name was selected using the company's database containing a list of customer details submitted during a purchase of consumer electronics goods.

Then, they ask the potential victim to share their bank account details, and phone numbers to make a money transfer.

Seeing the huge prize money, people, out of greed, divulge the details without batting an eye. Then, the criminal will ask them to reveal the OTP (One-Time-Password) to complete the transaction. Within no time, the victim will receive an SMS stating that a big chunk of money has been debited from their account.

We have seen criminals go a step further by asking the victim to pay an advance amount, which they say will be used to pay customs duty tax for inter-country money transfers. For instance, if the jackpot money is Rs two crore, they will ask for Rs 10 lakh as a tax deduction. Naive people think they will get richer manifold, see the 5% cut as negligible and voluntarily give away their own money. And, they will never get the promised prize money and will be poorer by five lakhs if not more.

*Darknet/Dark web: It is a platform primarily used by hackers to dump personal information of citizens stolen from corporate companies and government-run agency websites.

2) A job offer with a big CTC (Cost to Company)/salary
Similar to the above case, criminals will lure victims with big pay packages. The annual income will be more than the average salary in terms of industry standards. It will definitely be enticing and the user replies in the affirmative. Then, the bad actor starts by asking for a security deposit to confirm a job in any one of the Fortune 500 companies.

3) Fake notice from the IT department for not paying income tax
This is a seasonal affair. For instance, in India, the Income Tax Returns (ITR) process starts in the second half of the year, with late applications in the first three months of the year. During this time, cybercriminals send out random emails to potential victims asking them to pay the remaining tax or else the bank account will be seized. They usually send a compromised website URL to capture personal and financial details.

For the uninitiated, the IT department usually sends an 'Intimation U/S 143(1)' to citizens who are liable to pay remaining tax, probably related to interest earned through bank savings accounts and other income sources, other than regular salary.

Besides the panic tactic, fraudsters also lure victims by sending emails with the subject line 'ITR: Claim your Refund' and placing a compromised website URL inside the mail body. This excites the reader, who clicks the URL and fills in the form with personal and financial details, including the bank account number, to get the IT refund. But, they never get credited with any amount and instead lose their saved deposit money.

4) Bank notice to refile KYC (Know Your Customer) form immediately or else the bank account will be frozen
This is the most used trick to hoodwink victims today. We have seen big government officials, celebrities, and even a government security chief fall into this trap.

The email will resemble that of a popular bank, with a genuine-looking logo, typeface and the right colourway. And, it will carry a warning that they should immediately fill out the KYC form to renew the bank account or else it will be unusable for any transactions.

At the base, they will share a URL and ask the user to click on it and complete the KYC process by providing debit card number, CVV number, birth date, full name, and phone number.
However, the unsuspecting victim goes to the compromised website and reveals their personal and financial details. And, out of the blue, they will get a bank SMS saying a big chunk of their money has been debited from the account.

5) Covid-19 malware threat
This is the latest of the lot. Cybercriminals used the Covid-19 pandemic-induced tragedy to fleece people. They used WHO insignia and other public service organisations' names to send emails about the Coronavirus threats and prevention information to victims.

The emails were laced with compromised website URLs and documents carrying malware and, when installed, the trojan would take over the computer or the mobile phone to steal financial and personal details.

Here's how to identify and safeguard yourself from Spear Phishing
As said before, in all the aforementioned scenarios, cybercriminals use primal emotions (excitement and fear) to prey on the victims.

But, there will always be tell-tale signs in these emails that give away that the email is bad and needs to be ignored. Be sure to look for any of the signs listed below to differentiate a genuine email from a fake one:

1) Keep an eye on spelling and grammar. Even if the miscreants are creative enough to develop a genuine-looking company logo or institution's insignia, they make mistakes and are bad at sentence construction. These are sure signs of a fake email.

2) Also, be sure to check the email ID in full. It may carry the name of a company or government agency, but cybercriminals will not be able to create a fake registered official email ID on platforms such as Google Gmail. For instance, if you get a notice from the IT department, the email ID will be communication@cpc.incometax.gov.in, but fake ones will have dubious IDs such as incometax.gov.in@gmail.com. Notice the '@gmail.com'? If you ever again see an IT department notice with a private domain name, junk it and move on.

FYI: This is the official website of Income Tax, 'www.incometaxIndiaefiling.gov.in', but we have seen cybercriminals using a compromised website, 'www.incometaxefilingsindia.in' (notice they have interchanged 'Indiaefiling' with 'efilingsindia'), to prey on naive users.

Also, be sure to notice that a government website will have '.gov.in' at the end of the website address. And, we should be wary of websites with 'http'. Safe websites have 'https' in their address.

3) No matter what email you get, never ever share financial details through email. This applies to OTP as well. DO NOT SHARE OTP with anybody. Be it a bank or the IT department, they will never ask you to divulge any financial details. If you get one, junk it. If you have any doubt, go to the nearest branch office and get it clarified.

4) Also, never share personal documents such as birth certificates, photocopies of graduate certificates, or personal identity cards such as Aadhar, Voter ID or Driver's Licence online with anybody unless you know them personally. Double-check by calling the person and getting the right email ID.

5) If you ever get a job offer via email from a company that you never applied to, just junk it and move on.

6) If you get an offer and the person is seeking money as a security deposit for a job, it's better to look for other opportunities. No genuine company will ask for money to secure a job.

7) Also, if you get a job offer with a really big paycheck compared to your designation's CTC (Cost to the Company) in terms of the industry standard, be wary of such emails.

8) Similarly, if you get a big prize money voucher via email and you never participated in any of the seasonal promotional sale campaigns, don't get greedy and just ignore the mail. Nothing comes free in life. Just be happy with hard-earned money safe in the bank.

If you happen to have signed up for a lucky draw hosted by a reputed e-commerce site or local consumer electronics shop, call the authorised phone numbers of the company and meet in person to get the goodies.

9) It is a good practice to install anti-virus applications on PCs and mobile phones to detect malware in the system and thwart cyber threats when browsing compromised websites.
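The sender and website checks from point 2 can also be run mechanically. The following Python sketch is an added example, not part of the original article; the 'gov.in' suffix and the addresses in the tests come from the article, while the function names and the short list of free webmail domains are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Suffix that official Indian government senders and sites share (point 2 above).
OFFICIAL_SUFFIX = "gov.in"
# Assumption: a small sample of free webmail domains, not an exhaustive list.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def under_suffix(host, suffix):
    """True only if host is the suffix itself or a true subdomain of it."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def check_sender(from_header):
    """Return warnings for the From: line of a claimed government notice."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    if not local or not domain:
        return ["no parsable sender address"]
    warnings = []
    if not under_suffix(domain, OFFICIAL_SUFFIX):
        warnings.append(f"sender domain '{domain}' is not under .{OFFICIAL_SUFFIX}")
    if domain in FREE_MAIL:
        warnings.append("sent from a free webmail account")
    # The official-looking name sits before the '@', where anyone can type it.
    if OFFICIAL_SUFFIX in local.lower():
        warnings.append("official domain name appears before the '@'")
    return warnings


def check_link(url):
    """Return warnings for a link found in the email body."""
    # Accept bare hosts such as 'www.example.gov.in' as well as full URLs.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme == "http":
        warnings.append("link uses plain http")
    if not under_suffix(host, OFFICIAL_SUFFIX):
        warnings.append(f"host '{host}' is not under .{OFFICIAL_SUFFIX}")
    return warnings
```

An empty result only means these particular signs are absent. The From line of an email can be forged, so points 3 and 4 still apply to any message that asks for details.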

If you or your loved one has fallen victim to the phishing attack, make sure to follow the procedure and also note down the emergency phone numbers shown below:

Immediately, call the customer care number of your bank and ask them to block the transaction. Also, make sure you call the police control room to report the crime.

The Union Home Ministry of India has set up the National Cyber Crime Reporting Portal (here) and also a helpdesk hotline, 155260. The latter is operational 24x7 in Delhi, Rajasthan, Uttarakhand, Chhattisgarh, Uttar Pradesh, Assam, Tamil Nadu, and Andhra Pradesh.

In other states and Union Territories, the helpline is available from 10:00 am to 6:00 pm.

If you ever receive any fake IT department notice, report it on the official Income Tax website (here). Also, forward the e-mail or the website URL to 'webmanager@incometax.gov.in'. You can also forward it to this email ID: 'incident@cert-in.org.in'.

In Karnataka, citizens can report cybercrime by dialing the toll-free number 112.

Published 16 March 2022, 13:46 IST