I’d heard the term “phishing” before, and I’ve reported at least a dozen various attempts to the appropriate parties (companies and organizations that are used in phishing attempts often have a reporting address set up so you can just forward the message to them). “Spear phishing” was new to me, and apparently it was also new to a large number of US Air Force personnel:
Offers to hire American airmen, stationed at an airbase on the Central Pacific island of Guam, as extras in the Transformers 3 movie, turned out to be an unexpectedly scary training exercise. First, keep in mind that there is no Transformers 3 filming scheduled for Guam. The email was a fake, used to test how well airmen could detect hacker attempts to deceive military Internet users into giving up valuable information.
The Transformers 3 email was a test to see how many airmen would fall for a “spear phishing” offensive. “Phishing” (pronounced “fishing”) is when a hacker sends out thousands, or millions, of emails that look like warnings from banks, eBay or PayPal, asking you to log in (thus revealing your password to the hackers, who have set up a false website for this purpose) to take care of some administrative matter. The hacker then uses your password to loot your account. “Spear phishing” is when the emails are prepared with specific individuals in mind. The purpose here is to get specific information from, say, a bank manager, or someone known to be working on a secret project. In the Guam case, the targets of the spear phishing test were asked to go to a web site and fill out an application form to be eligible to be an extra. That form asked for information that would have enabled hostile hackers to gain more access to air force networks. A lot of the airmen who received the Transformers 3 email responded. The air force won’t say how many, but it was more than expected. A lot more.
I doubt that many readers need to be told this, but no legitimate bank or financial institution should ever be sending you an email requesting you to follow an embedded link and log in to your account. If you get such an email, forward it to the bank’s security folks. If it’s legitimate, they can confirm it for you, but in 2010, no sensible bank should be communicating with you in this way.
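The rule of thumb above (a bank asking you to follow an embedded link and log in is a red flag) can be turned into a mechanical check. The script below is an added example, not code from the original post or from the article it quotes: it parses an e-mail, pulls out every link in the HTML body, and flags links whose domain does not match the sender's domain, link text that names one site while the href goes to another, and any message that combines "log in"-style wording with an embedded link. The two sample messages, the example-bank.com / example.net names and the 198.51.100.23 address are all constructed placeholders; the domain matching uses a deliberately crude "last two labels" rule rather than the public suffix list.

```python
"""Heuristic flags for credential-phishing e-mail (added example).

Flags raised:
  * a link whose domain differs from the From: address domain
  * visible link text that looks like a host name but differs from the href host
  * "log in" / "verify your account" wording combined with any embedded link
Sample messages below are constructed for this example; the domains and the
198.51.100.23 address are documentation placeholders, not real systems.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LOGIN_WORDS = ("log in", "login", "sign in", "verify your account", "confirm your account")
# Visible anchor text that looks like a host name or URL (no spaces, has a TLD).
DOMAINISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-zA-Z]{2,}(?:/\S*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host name of a URL; bare host names (no scheme) are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Crude approximation: last two DNS labels, or the literal for an IPv4 address.
    Real code would consult the public suffix list (e.g. for co.uk)."""
    host = host.rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    sender_addr = parseaddr(msg.get("From", ""))[1]
    sender_domain = registrable_domain(sender_addr.split("@")[-1].lower())

    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")

    collector = LinkCollector()
    collector.feed(body)
    links = [(h, t) for h, t in collector.links if h]

    findings = []
    for href, text in links:
        link_domain = registrable_domain(host_of(href))
        if link_domain != sender_domain:
            findings.append(f"link to {link_domain} does not match sender domain {sender_domain}")
        if DOMAINISH.match(text) and registrable_domain(host_of(text)) != link_domain:
            findings.append(f"link text shows {text} but goes to {host_of(href)}")
    if links and any(w in body.lower() for w in LOGIN_WORDS):
        findings.append("message asks the reader to log in via an embedded link")
    return findings


# Constructed sample: a lookalike subdomain and a raw IP dressed up as the bank's site.
PHISH = """From: Example Bank <security@example-bank.com>
To: customer@example.net
Subject: Please verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>We detected unusual activity. Please <a href="http://example-bank.com.login-check.example">log in</a>
to confirm your account, or visit <a href="http://198.51.100.23/eb/">www.example-bank.com</a>.</p></body></html>
"""

# Constructed sample: a notice whose only link matches the sender and asks for no login.
LEGIT = """From: Example Bank <statements@example-bank.com>
To: customer@example.net
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready in online banking. Questions? See <a href="https://www.example-bank.com/help">our help pages</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, analyze(raw) or ["no findings"])
```

Running it prints four findings for the constructed phishing message and none for the statement notice. The check is intentionally narrow: it says nothing about attachments, plain-text URLs or spoofed From: headers, and a lookalike registered domain (say, example-bank-secure.com) would pass the domain comparison, which is exactly why the advice in the paragraph above, forwarding the message to the institution rather than clicking, remains the safer habit.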