Help      |      Chebucto Home      |      News      |      Contact Us     

137. Tips to avoid spear-phishers

By Andrew D. Wright

Spear-phishing brings to mind images of sun-soaked Pacific Islanders catching their breakfast, but it's really just a new twist to an old con-job.

A popular con artist ploy is to assume some sort of authority over the prospective victim. Your bank needs you to sign on to a system upgrade site to register your PIN number, a parcel carrier says you need to download something from their website to get some parcel tracking number. They seem to know what they're saying so you do what they want.

Spear-phishing is spam that's been targeted to a specific sub-group. Lawyers get things that look like contracts, small businesses get tricked with fake delivery emails, sometimes the stuff even knows you by name.


Here are some rules of thumb to avoid getting tricked.


  1. In email, don't trust things you click on. Hold your mouse over something you can click on in the email but don't click. Email programs will show what the link goes to on the bottom of the email window.


  2. Real organizations never ask you to give them private information over email. When you are holding the mouse over the link in an email, see where the link goes. Real organizations don't use anonymous mail accounts like, yahoo.anything, gmail or If the last bit of a domain name like  is two letters, it's a country code. So .ca is Canada: and far away .cn (China), or .ru (Russia) addresses are unlikely to be your local bank.


  3. On a website, the idea is to make you download something that causes you grief or to make an older insecure web browser silently do it using some exploit. Rule of thumb is that anything on your computer that talks to the Internet always has to be the latest version. Around two thirds of computer users are using unsafe older versions of their web browsers for example.

    Update Internet Explorer with Windows Update in Control Panel. Other software like Mozilla Firefox has a "Check for Updates" item on the Help menu.


  4. If you are supposed to run some program, check the Publisher of the program before letting it install. Digitally signed programs can only come from the real source since any changes would break the signature. The source has to verify their identity to get a valid program code signing secure certificate. Sometimes real software isn't signed so this rule has exceptions but signed software always has to come from where it says it does. Check the name.

    [Graphic: Program publisher verification using digital certificate.]


  5. Never trust the contact information in any email that you are not sure about. Don't believe any phone numbers in the email. Contact the organization directly by phone using a number you looked up in the phone book. Email addresses and web page links can be forged to look like they are going to places they are not. Check the organization's real web site, don't get to it from clicking on any links in the suspicious email.


The trend is for more specific targeting of individual people so keep these tips in mind next time you get an email wanting you to do something. Always be suspicious of any email that for any reason wants you to give them a password, credit card or any other private information or visit an unfamiliar web address that doesn't seem to be correct for what it says it is.


Look up web domains:


List of Internet address country codes:


RCMP latest scams page:


The Mousepad runs every two weeks. It's a service of Chebucto Community Net, a community-owned Internet provider. If you have a question about computing, email or click here. If we use your question in a column, we'll send you a free mousepad.


The Mousepad Index


Originally published 29 August 2008


Our community is online here!


This column is provided as a community service by