You open your e-mail and look at a long list of messages in your inbox. Among them is a letter from your credit card company. It says:

“It appears your account has been breached. Before you can use your credit card number you must confirm it is still active and you are the one authorized to use the card.  Do this by clicking on the link below.  Once you have confirmed your information your card will be active again.”

The e-mail looks official.  It has the company’s letterhead and appears to be the real thing.  What do you do?

Unfortunately, too many people will click on the link and one of two things will generally happen:

1. The link will put an aggressive virus on your computer, causing all kinds of problems, or

2. You will go to an official-looking web page that will ask for personal identifying information, including account number, login and PIN code, phone number, mother’s maiden name, mailing address and more.

Either outcome means big trouble for the innocent victim.

What just happened was a spear phishing attack.  Spear phishing is an email spoofing fraud attempt that targets a specific individual or organization.  In this case it is seeking personal identifying information for the purpose of stealing from you.  Spear phishing messages appear to come from a trusted source, like your credit card company, and are specifically targeted to an individual.

There has been an uptick in data breaches this year. The recent Epsilon and Sony data breaches are only the tip of the iceberg when it comes to theft of personal information. In the Epsilon data breach, for example, millions of names and e-mail addresses, along with the businesses they were tied to, were stolen. This opens up a huge opportunity for criminals to send highly targeted e-mails to millions of unsuspecting people.

Businesses of all sizes are under attack. While you are more likely to receive a spear phishing e-mail that appears to come from a larger company, smaller companies can be used, too. Criminals are creative. They are always looking for new and inventive ways to attack their targets.

Unfortunately, everyone receives phishing and spear phishing e-mails.  It is important to know what to do when you receive one.  First, understand that businesses won’t send you an e-mail or call you requesting your personal information.  When you receive either, the best thing to do is call the main office and ask if they were trying to contact you.  Second, never open suspicious links.  Most often, what is on the other side isn’t a good thing.

Warren Franklin is a certified Invisus Identity Theft advisor.  He can be emailed at