Although the concept has been around for years now, a nefarious scheme commonly known as “spear phishing” has recently been making the rounds again. The most common targets are businesses and government agencies that provide financial services.
“Standard” phishing casts a wide net looking for unsuspecting individuals. Spear phishing is much more sophisticated and targets specific individuals or small divisions/groups within an organization, such as the accounting department.
Almost everyone has experienced a standard phishing attempt. A very common tactic is to disguise an email so it looks like it’s coming from an actual bank or government institution. This email asks you for critical information, such as your account number, password and other details that can be used to do harm. These emails go out to anyone and everyone and are not customized in any way, shape or form.
Spear phishing, on the other hand, is customized for a specific individual. The most common version we are seeing now is sent to the person in charge of wiring funds overseas. An email is crafted, purportedly from someone in authority in the organization, ordering the wire transfer. This email, however, is not sent from the boss’s account; rather, it comes from a very similar account. For example, instead of aboss@bankofusa.com, the fake address is aboss@bankofu5a.com (a 5 instead of an s). Unlike phishing attempts, which purposely use typos and bad language to increase success, the fake emails are well written.
How do the bad guys do this? By employing a combination of social engineering, interception of emails and good old-fashioned research. After all, just about every organization with a website lists its management team, which often includes the chief financial officer, controller, or equivalents. Furthermore, social websites such as LinkedIn or even Facebook can be used to assemble a “who’s who” within many organizations.
On top of that, many internal emails are forwarded “into the wild” as a trail so that the recipient knows the money is on its way. Think along the lines of “Hi, per my boss’s note, I am wiring you money.” That email alone indicates 99 percent of the process that your organization follows to wire money. Once it goes to the recipient organization, who knows who sees it?
This method of gathering information is much more common than hacking into an email server. It is much easier and, technically, isn’t a clear-cut crime until the bad guys actually act on it, despite the disclaimer your lawyer told you to put in your signature.
Finally, many bad guys just call an organization and use social engineering to figure out the process. “Can you tell me who is in charge of wire transfers?” “Who does that person report to? I’d like to file a complaint.”
So what can businesses and government agencies do to avoid being speared? First and foremost, education and diligence. Ensure all pertinent staff members are aware of this scheme, and that processes and procedures are in place to protect against releasing info to unknown or unauthorized individuals. For example, consider a secondary form of authorization for a wire transfer, such as a text, or even a phone call (gasp!).
From a technology perspective, the standard antivirus and antispam solutions will help, but not much. The fake domain names (bankofu5a.com in our example) are legitimately registered domains, so from a purely technical standpoint there is nothing invalid about them for a filter to reject. There are services that filter mail so that only authenticated senders get through, but this requires that everyone who sends you a message go through the authentication process, which many folks simply will not do. As such, this issue is more of a people problem than a technology problem.
John Agsalud is an IT expert with more than 25 years of information technology experience in Hawaii and around the world. He can be reached at johnagsalud@yahoo.com.