What you should know about “Spear-Phishing” scams
May 28, 2018
Image: Bigstock | ccaetano

If you have access to financial, payroll, or tax data at MIT, be aware that you may be the target of “spear-phishing” campaigns. The IRS reported in January that scam emails attempting to get W-2 information from employers have increased significantly in recent years.

Ordinary phishing campaigns typically cast a wide net and harvest things like usernames and passwords. Spear-phishing targets specific individuals with the aim of getting confidential data (e.g., tax documents) or money (through funds transfers). The “spear-phisher” tries to dupe you into trusting them by appearing to know about you or your situation. They do this by collecting publicly available information (your websites, LinkedIn profile, and/or résumé on a job site) before writing the message.

A spear-phishing example

Here’s an example of a recent W-2 spear-phishing campaign: John Doe handles financial transactions for his company. He receives an email that looks like it’s from his director, Jane Roe. Jane asks him to wire $50,000 to a bank account number and to send her a copy of a certain employee’s W-2 form. The email refers to John by name, maybe even by a nickname, but it does not contain Jane’s normal email signature. Because the scammer controls the reply address, when John replies the email goes to the scammer instead of Jane.

Protect yourself

First, if you are being asked to transfer a large amount of money or provide private personal data, especially tax-related data, ask the requestor to confirm the inquiry in person, or call them directly using a phone number you already have rather than one given in the email.

Second, check the email address that appears when you attempt to reply to the email. The reply address can differ from the sender name shown in your inbox, and that is where your answer (and any attachment) will actually go. If you don’t recognize it, think twice.

Remember, always be vigilant when responding to requests for private information!

Let IS&T know

IS&T asks that you please forward all suspicious emails to phishing@mit.edu so our Security team can improve the Institute’s spam filters and block malicious senders and links. Be sure to forward such emails as an attachment, not inline, to preserve the original message headers the team needs to do so.

If you would like to verify whether a suspicious email is legitimate, contact either your local IT support provider or forward it to the IS&T Security team at security@mit.edu.