
Has your boss requested a faster payment? Don't fall for spear phishing


Avoiding a phishing email sent to ‘Dear Customer’ is one thing - what about phishing emails that appear to come from your boss, and address you by name? This month we’re taking a closer look at spear phishing. These are phishing emails that purport to be from a manager, a CEO or someone in authority, and are directly aimed at you, the recipient. 

What do we mean by spear phishing?

Spear phishing is a technique employed by unscrupulous individuals to get you to part with your hard-earned cash - or if you’re an employee, get your business to part with its hard-earned cash. Spear phishing is a little different from your average, run-of-the-mill phishing email because instead of contacting a few thousand different people, the sender is targeting just one person. And because they’re targeting a single person, they can be far more specific in their emails (and by extension, far more convincing). 

To put it in literal fishing terms - if average phishing is a person throwing a huge net into the ocean, dragging it around a bit and seeing what comes back, spear phishing is a person waiting on a boat, watching a single fish, and getting ready to strike. With a huge spear.

Fishing metaphors aside, a spear phisher targets victims by selecting a business ahead of time (Transcendit, for example), assuming the persona of a manager or director in that company, and contacting someone else within the company to request a payment. 

What does a spear phishing attempt look like?

As unscrupulous individuals seemingly never tire of sending us phishing emails, we can show you exactly what it looks like. This is the first email that one of our Directors, Lee, received from a spear phisher. 

As you can see, unlike regular phishing, the sender name shown on the email does indeed say ‘Adam Kuznesof’ - another one of Transcendit’s Directors. But the full email address is not Adam’s - instead of ending with @transcendit.com, it ends with @virginmedia.com. However, on some screens (particularly smaller devices) the full email address isn’t visible by default. 
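The mismatch described above (a sender name that matches a colleague while the address sits outside the company domain) can be checked automatically. The following is an added example, not part of the original article or any Transcendit tooling; the staff name list, the payment terms and the sample messages (including the local parts of the addresses) are constructed assumptions.

```python
from email import message_from_string, policy

# Assumptions for this sketch: the company domain, the display names of
# staff worth impersonating, and phrases that suggest a payment request.
ORG_DOMAIN = "transcendit.com"
STAFF_NAMES = {"adam kuznesof"}
PAYMENT_TERMS = ("faster payment", "sort code", "account number", "cut-off")


def normalise(name):
    """Lower-case and collapse whitespace so 'Adam  KUZNESOF' still matches."""
    return " ".join(name.lower().split())


def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"]
    if sender is not None and sender.addresses:
        addr = sender.addresses[0]  # display_name is already RFC 2047-decoded
        is_staff_name = normalise(addr.display_name) in STAFF_NAMES
        if is_staff_name and addr.domain.lower() != ORG_DOMAIN:
            findings.append("display-name-impersonation")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(term in text for term in PAYMENT_TERMS):
        findings.append("payment-request")
    return findings


# Constructed sample messages (not the real emails from the article).
SPOOFED = ("From: Adam Kuznesof <constructed.sender@virginmedia.com>\n"
           "Subject: Quick question\n\n"
           "What is the bank's cut-off time for faster payments today?\n")
GENUINE = ("From: Adam Kuznesof <constructed.adam@transcendit.com>\n"
           "Subject: Lunch\n\nAre you free at one?\n")
SUPPLIER = ("From: Accounts <accounts@example.com>\n"
            "Subject: Invoice\n\nOur sort code and account number are attached.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE),
                       ("supplier", SUPPLIER)):
        print(label, check_message(raw))
```

A message that raises both findings is the pattern shown in this article and is the one to hold for a phone call before any payment is made.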

The phishing email doesn’t go in for the kill straight away. By asking about the bank’s cut-off time for faster payments, the phisher is establishing trust with the recipient. This is an attempt to appear more natural and mimic a normal conversation. 



That said, the phisher isn’t messing about with idle chit chat for long. We’ve removed the sort code and account number, but as you can see the phisher has immediately sent over the bank details for ‘Lemac Limited’. We did a quick search, and it looks as if this is a real company. However, the payee's name doesn’t have to be accurate for a bank transfer. 

By asking for a faster payment, the phisher is reducing the amount of time that Transcendit have to contact the bank and prevent the transfer from going through (should the scam be discovered, that is). 

How can I avoid spear phishing?

In many ways, avoiding a spear phishing attempt is far easier than avoiding a generalised phishing email - instead of calling Netflix or contacting your email provider to see if the account details really are wrong, all you need to do is get in touch with the person that the email purports to be from. The best (and fastest) way to do this is via telephone, but if you do try to contact them by email make sure you don’t just hit reply - start a new email thread with the email address you have for the sender in your address book.

Ensuring that you, your colleagues and your employees have an explicit system when it comes to processing payments is the best way to avoid this scam. Slow down, read everything carefully, and if in doubt run it past your awesome IT support team.
