Spear Phishing

image source: http://wallpapercave.com/fishing-wallpaper

Fishing is a sport.

Phishing is a malicious attack (email or other communication) looking to harvest usernames, passwords, or credit card details (and, indirectly, money) from you.

image source: http://spearfishingblog.com/a-quick-guide-to-spearfishing/

Spear Phishing is a directed attack made to look like it came from a known or trusted sender.


*Lets just be clear, there are many many different kinds of SPAM out there. We are just focusing on one form: phishing. Check back again as we will dive into other forms of SPAM in later dates.


SPAM is unwanted or unsolicited electronic communication. We are no stranger to SPAM in today’s world of email. In fact we are used to seeing the odd message in our personal inbox, advertising some unwanted products or free money waiting for our click. We are used to deleting without a second thought about the matter. Some keener may have reported your SPAM to the Canadian Government who ruled that spam is illegal in 2014. We are used to harmless ads, but we aren’t so used to targeted identity theft.

The fact is that no one is impervious to a spear phishing attack.

Yes, at TWU we do have high tech firewall security measures in place to stop threats from getting through, and we take it very seriously. We automatically add URLs to a black list the moment we or our security software become aware of a threat. This prevents anyone from accessing a bad site while on campus. However, the moment you take your computer home, or open your email on your phone, you are outside of our firewall umbrella. The moment you click that bad link or fill in your username and password on that bad site, you may have given up your identity.

The problem is us humans.


Here’s the scenario: You receive hundreds of messages in your inbox. You always notice who sent it and what subject. You open the message for a quick read. They sent you a link. With internet and computer speeds up in the last years, this will only take a second to see what they are referring to…

OK let’s stop right there. So far everything you have done has been fine. Every person with email has gone through these steps countless times with no ill effect. There is no problem with reading an email from someone.

The next step is critical:

If you click on that link without thinking about it, you can jeopardize your identity. It’s that simple.

The moment you visit a malicious site, or download their picture or file, or click that link in your email, they can know your email is legitimate and that you have taken the bait.

Trinity Western University being a public facing organization, automatically puts us out there in the wild for onlookers, but no email address is safe. There are 4 main ways that these people can get your address:

  1. Spammers will illegally buy lists of real people’s email addresses.
  2. Spammers will use “harvesting” programs that scour the Internet like Google, and copy any text that contains the “@” character.
  3. Spammers will use “dictionary” (brute force) programs like hackers to guess addresses.
  4. You will unwittingly volunteer your email address to dishonest online services.

They design a system that emails you, and tracks when messages are viewed, and by whom (or by what email address). When you click a link or view a picture or download, you are sending a request across the internet for information. That request for information has your email identity in it. Think of this like call display.

So now they know that johnsmith[at]twu[dot]ca (<– anti-harvesting speak) opened and viewed an email, so that address is real. Not only will they keep spamming that address, they will use use the address to spoof from.

Spoofing is a truly maddening technique: It is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. This is fooling your email to think that it came from someone else (a trusted source). Now how can you trust anything in your inbox?

The solution is us humans.


We need to use our brains to check us before we make that critical next step. We need to ask ourselves 4 questions:

  1. Do I know and trust this person?
  2. Do I know what they are emailing me?
  3. Do I know why they are emailing me?
  4. Does it all add up?

Let’s look at this is a recent example email that has popped up this week, seemingly from “Trinity Western University” and our very own Human Resources Department (every organization has HR right?)


4 questions to ask yourself

1. Do I know and trust this person?

OK I know Trinity Western University, but I don’t recognize the address @wayne.edu RED FLAG

2. Do I know what they are emailing me?

There is no content in the message,  and I have to click to find out more… RED FLAG

3. Do I know why they are emailing me?

There are no details about what the matter may be about. Even if there were any details, I haven’t inquired with HR about anything so I’m not expecting anything. This also doesn’t look like a typical message from HR. RED FLAG

4. Does it all add up?

The message looks fairly professional, there are no spelling mistakes (good indicator of SPAM too). But there are 3 flags already, and why did they send to my personal address not my work email? RED FLAG


By training yourself to ask these questions before you pass the critical step, you will save yourself and your organization a lot of grief. No one wants to admit that they’ve clicked on something they shouldn’t have, but TWIT does need to know about it. This will help TWIT warn others and prevent it from happening more. TWIT can block URLs so even if someone does click a link, the request won’t go through.

Additionally if you have any questions or not sure if an email is a spear phishing attempt, please do not hesitate to ask.

Contact TWIT


We have received a lot of feedback about SPAM email and used this post as a reference. We will continue to add examples of SPAM to identify them for you.

Sample SPAM:




About | Ransomware

What is ransomware? Malicious software that locks a device, such as a computer, tablet or smartphone and then demands a ransom to unlock it

Where did ransomware originate? The first documented case appeared in 2005 in the United States, but quickly spread around the world

How does it affect a computer? The software is normally contained within an attachment to an email that masquerades as something innocent. Once opened it encrypts the hard drive, making it impossible to access or retrieve anything stored on there – such as photographs, documents or music

How can you protect yourself? Anti-virus software can protect your machine,  but watch what you click. Cybercriminals are constantly working on new ways to override such protection

How much are victims expected to pay? The ransom demanded varies. Victims of a 2014 attack in the UK were charged £500. However, there’s no guarantee that paying will get your data back

Leave a Reply

Your email address will not be published. Required fields are marked *