Spear phishing is malicious emails that target specific individuals, organizations, or businesses.
The scammers will already have some Personal Identifiable Information (PII) that they can use to look trustworthy in their social engineering attacks.
If your personal data has been part of a data breach, this is probably why you are receiving emails that seem to come from a trustworthy source.
The email senders may know your name and surname, know that you own a hardware wallet, or know that you own Bitcoin, Ethereum, or some other specific cryptocurrency.
Have you been pawned?
A handy way to know if your personal data has been part of a data breach is to use https://haveibeenpwned.com/ to check if your email address has been compromised.
If your email has been pawned, and that email address is used to login into some other accounts, it is time for you to quickly evaluate in how much trouble you may be.
What should I do if my email address or password has been pawned?
If you are using strong and unique passwords for each one of your accounts, having your email pawned will be an inconvenience but not a tragedy.
- Mark any new phishing emails as 'spam' so they o directly to spam.
- If you have the time, report those emails as 'phishing' so your email provider can investigate and close those malicious email accounts.
- You may consider stopping using the pawned email account if it is not a hassle.
If you are NOT using strong and unique passwords for each one of your accounts, you must take immediate precautions
- Very important: Change the passwords for any account that uses that pawned email as a login username. Make those new passwords strong and unique.
- Take the same steps as described above.
Do you know how to create strong and unique passwords
How to identify spear phishing emails?
Some legitimate emails may flag an important message or issue you need to resolve. So how can you find out if an email is legitimate or part of a spear phishing attack?
Well, with a bit of knowledge and a critical eye, you will be able to identify any phishing emails or malicious links in no time.
Let's use a real spear phishing email as an example - even though this user has a METAMASK account, it would be pretty easy to identify a phishing email by just having a closer look:
- First, Metamask never requests email addresses when creating a wallet. So any email from 'Metamaks' is a phishing email by default.
- In most cases, the sender's email address is usually fishy and has little to no relation with the email's subject. If the email looks suspicious, check first the sender's email address.
- If the email has any button or link, you can discover the destination address by just hoovering (hoovering... NO clicking) over the email address. You should see the destination address on the bottom left of your browser. And if the destination address looks 'weird', better not to click on it.
There is no definition for a 'weird' destination address, but with some learning, you can identify malicious destination addresses.
We hope this spear phishing scam example has increased your digital safety awareness.
It may take years to build a crypto portfolio, but just a few minutes to lose it all to a hack, scam, or accident.
Please be careful, take precautions, and consider taking time to learn about digital safety.
