
CAFC Bulletin Alert: Spear Phishing

Spear phishing is one of the most common and most dangerous attack methods currently used to conduct fraud, usually on businesses and organizations. Fraudsters take their time to collect information on their intended targets, so they can send convincing emails seemingly from a trusted source.

Fraudsters will infiltrate or spoof a business email account. They create a rule that forwards copies of incoming emails to one of their own accounts. They comb through these emails to:

  • study the sender’s use of language
  • look for patterns linked to important contacts, payments, and dates

Fraudsters launch their attack when the owner of the email account can’t be easily contacted by email or by phone. It may look like a top executive sending an email to their Accounts Payable requesting that they make an urgent payment to close a private deal.

If the fraudsters haven’t infiltrated the executive’s email account, they may set up a domain similar to the company’s and use the executive’s name on the account. The contact information they need is often found on the company’s website or through social media.
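
The lookalike-domain case described above can be checked mechanically on an incoming message's From header. The following is an added example, not part of the CAFC bulletin; the organization domain, the executive name and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed values for this example; replace with your own.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}  # display names a fraudster would borrow

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold(domain):
    """Collapse common visual swaps: 0 for o, 1 for l, 'rn' for 'm'."""
    return domain.translate(str.maketrans("01", "ol")).replace("rn", "m")

def classify_sender(from_header):
    """Label a From header relative to ORG_DOMAIN and EXECUTIVES."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain == ORG_DOMAIN:
        # Same domain only; an infiltrated or spoofed account still lands here.
        return "internal"
    if fold(domain) == fold(ORG_DOMAIN) or edit_distance(domain, ORG_DOMAIN) <= 2:
        return "lookalike-domain"
    if " ".join(name.lower().split()) in EXECUTIVES:
        return "executive-name-external"
    return "external"

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    '"Jane Doe" <jane.doe@example.com>',
    "Jane Doe <jane.doe@examp1e.com>",
    "Jane Doe <jane.doe@exarnple.com>",
    "Jane Doe <jane.doe.ceo@mail.test>",
    "Supplier Billing <billing@supplier.test>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):24} {header}")
```

A message labelled "internal" still needs the verification step for unusual requests, since the check only compares the domain text.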

Variations of Spear Phishing attacks include:

  • A business receives a duplicate invoice with updated payment details supposedly from an existing supplier
  • An accountant or financial planner receives a large withdrawal request that looks like it’s coming from their client’s email
  • Payroll receives an email claiming to be from an employee looking to update their bank account information
  • Members of a church, synagogue, temple, or mosque receive a donation request by email claiming to be from their religious leader
  • An email that seems to come from a trusted source asks you to download an attachment, but the attachment is malware that infiltrates an entire network or infrastructure

Warning Signs

  • Unsolicited emails
  • Direct contact from a senior official you are not normally in contact with
  • Requests for absolute confidentiality
  • Pressure or a sense of urgency
  • Unusual requests that do not follow internal procedures
  • Threats or unusual promises of reward

How to Protect Yourself

  • Remain current on frauds targeting businesses and educate all employees
  • Include fraud training as part of new employee onboarding
  • Put in place detailed payment procedures
  • Encourage a verification step for unusual requests
  • Establish procedures for identifying, managing and reporting fraud
  • Avoid opening unsolicited emails or clicking on suspicious links or attachments
  • Take a few seconds to hover over an email address or link and confirm that they are correct
  • Restrict the amount of information shared publicly and show caution with regard to social media
  • Upgrade and update technical security software

If you think you or someone you know has been a victim of fraud, please contact the Canadian Anti-Fraud Centre at 1-888-495-8501 or report online at www.antifraudcentre.ca.

This document is the property of the CAFC. It is loaned to your agency/department in confidence and it is not to be reclassified, copied, reproduced, used or further disseminated, in whole or part, without the consent of the originator. It is not to be used in affidavits, court proceedings or subpoenas or for any other legal or judicial purposes. This caveat is an integral part of this document and must accompany any information extracted from it.