4 ways you can avoid being the victim of a spear-phishing scam

Here’s what happened when we were spear-phished

We asked cybersecurity expert Jake Moore to use spear-phishing techniques and target one of our writers, Tali Ramsey, to show us how easy it is.

Spear-phishing refers to phishing messages or calls where the scammer knows specific information about you and uses it to target you in their scam.

This could be through a scam message that knows where you went to school, your date of birth or when you last went on holiday, for example.

Read on to discover what happened to Tali and how you can avoid being spear-phished.


Spear-phishing: how I was targeted

Tali Ramsey, Which? writer, says:

As part of a wider investigation into spear-phishing scams for Which? Tech Magazine, I asked Jake Moore, who works for the internet security firm Eset, to create a spear-phishing message targeting me.

To begin with, he only had my name. So he used this to look up my social media accounts and online presence.

He found two email addresses for me, as well as a website I’d completely forgotten about that I’d made in 2019 to showcase my freelance writing and film work – this became a goldmine for Jake.

He decided to impersonate a producer and reach out to me about working together.

[Image: the spear-phishing message targeting Tali Ramsey]

Posing as a real person

Jake posed as a media professional – and my quick Google search revealed this was a real person, making the message look even more convincing. The ‘producer’ expressed interest in the portfolio of creative work on my site.

Jake said that if he was a real fraudster, he’d probably engage with me via a LinkedIn message or phone call.

How scammers get you to trust them

Here’s how Jake tried to scam me. Keep reading to find out how you can avoid getting caught out:

  • ‘Dear Ms Ramsey’: My last name, which he found on my Facebook and LinkedIn profiles.
  • ‘AI can help the mental health crisis and as part of my research’: I wrote an article about AI and mental health. Jake found this on the website I’d forgotten about.
  • ‘I have been reading about your work which looks a perfect fit’: He’s using flattery to persuade me to engage with him.
  • ‘Best wishes, [name redacted] Media. LinkedIn’: Impersonating an actual person from a media company so the message looks genuine.
  • ‘We are working on a BBC Three documentary’: Impersonating a well-known brand to make the email look legitimate.
  • ‘The short online Google form’: Google forms are used a lot by genuine recruiters so this makes the message less suspicious. Saying it’s ‘short’ makes it appear to be an easy task which won’t take too much time, further convincing me to engage.
  • ‘Your background and writing style is incredible’: This type of flattery is used by job scammers to lure you into their schemes.
  • ‘Ultimately we are looking for people to contribute to the programme’: A promise that my time isn’t being wasted, making me more likely to fill out the form.
  • ‘One of the team will ring you’: This tries to emphasise that this is from a real person who really wants to speak to me about this opportunity.
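The cues listed above can be turned into a simple rule-based check. The following is an added example, not code from Which? or Eset: it scores an email on those cues (flattery, an external form link, the ‘short task’ framing, a promised phone call, and a sender domain that does not match the brand the message invokes). Both emails, the phrase lists and the threshold are constructed for illustration.

```python
import re

# Constructed samples. The first mirrors the message described in the article
# (placeholder addresses and names); the second is a constructed benign email.
SAMPLE = {
    "from": "producer@media-lookalike.example",
    "body": (
        "Dear Ms Ramsey, we are working on a BBC Three documentary. "
        "I have been reading about your work which looks a perfect fit. "
        "Your background and writing style is incredible. Please complete the short "
        "online Google form https://forms.example/apply and one of the team will ring you."
    ),
}
BENIGN = {
    "from": "editor@bbc.co.uk",
    "body": "Hi Tali, thanks for your article on AI and mental health. Could we schedule a call next week?",
}

# Each cue is (label, regex). These are the tells the article walks through;
# the phrase lists are a constructed starting point, not an exhaustive rule set.
CUES = [
    ("flattery", r"\b(incredible|perfect fit|impressive)\b"),
    ("external form link", r"https?://\S*forms?\S*"),
    ("'short task' framing", r"\bshort\b.{0,20}\bform\b"),
    ("promised phone call", r"\b(ring|call) you\b"),
]

# Constructed watch-list of brands a sender might invoke to look legitimate.
BRANDS = ["BBC"]


def invoked_brands(body: str) -> list:
    """Return the watch-listed brands mentioned in the message body."""
    return [b for b in BRANDS if re.search(rf"\b{re.escape(b)}\b", body, re.I)]


def score_message(msg: dict) -> dict:
    """Count cue hits; flag a brand mention whose sender domain does not match it."""
    hits = [label for label, pat in CUES if re.search(pat, msg["body"], re.I)]
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    for brand in invoked_brands(msg["body"]):
        if brand.lower() not in domain:
            hits.append(f"invokes {brand} but sent from {domain}")
    # Threshold of 3 is a constructed choice; tune it against your own mail.
    return {"hits": hits, "score": len(hits), "suspicious": len(hits) >= 3}


if __name__ == "__main__":
    for name, msg in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, score_message(msg))
```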


How do scammers create spear-phishing messages?

Sometimes scammers will send mass generic phishing messages as the starting point for spear-phishing.

Jake told us: ‘Fraudsters can use malware to gain information from a target device. Spyware and keyloggers are pieces of malicious software that reside on a phone, laptop or tablet and send personal and sensitive information back to the controller to learn about the victim.

‘This could include passwords, banking details, even the contents of emails and can help build a victim profile further.’

So mass phishing messages can either spread malware that spies on you or trick you into entering your details into a dodgy website; the scammer then uses that data to target you with a more personalised spear-phishing scam.

4 ways you can avoid being spear-phished

  1. Oversharing on social media: Remember that everything you publish on your social media accounts – particularly if they’re public – can be seen by anyone.
  2. Filling in data on dodgy websites: Be wary of following links in emails and text messages, particularly if they ask for personal info, as this can be used to scam you.
  3. Not having antivirus installed: A good antivirus helps protect you from phishing scams and your PC from malware. Our lab tests uncover the best antivirus.
  4. Speaking to scam callers: Any information you reveal on the phone gives the scammer more ways to scam you.

If you become the victim of a scam, call your bank immediately using the number on the back of your bank card and report it to Action Fraud, or call the police on 101 if you’re in Scotland.