Spear Phishing

Phishing is a game of numbers. Fraudsters pump out thousands of e-mails that persuade some recipients to click a link to, say, a phoney financial institution's Web site, where they divulge bank and credit-card details. Because Internet users are wising up, phishers have devised a new approach: "spear phishing," with barbs customized for each victim.

Spear phishers gather information, usually on the Internet, about an individual, and then craft a personalized e-mail more likely to dupe the mark. According to the FBI, the personalization method has proved so profitable that a significant number of spear phishers, principally located outside the United States, began applying it to death-threat extortion e-mails for the first time last December. FBI spokeswoman Cathy Milhoan says the problem is "huge."

Here's how it works: A spear phisher collects information on an (often wealthy) individual, then writes a chilling e-mail. The sender, posing as a hit man, offers to spare the recipient in exchange for a large sum of money. If the ploy doesn't work, the target receives a second e-mail, purportedly from the police, explaining that his or her name and address were found on a recently arrested murder suspect. "The victim gets scared, gets paranoid, he gets a lot of things," says Alan Paller, a cybercrime expert with the Bethesda, Maryland, SANS Institute who has testified before the U.S. Congress on the matter. The target provides personal details--including financial data--to aid the investigation.

Traditional extortion often involves tailing targets and staking out their homes to obtain the particulars--such as the appearance of a victim's daughter--that render threats credible. Today much of that information is easily gleaned from the 'Net. Dan Vogel, an Edmond, Oklahoma, former FBI profiler, says social-networking Web sites such as MySpace are "fueling" the trend.

Nobody knows how many threats reap payoffs. But the number of victims will likely increase, says Bill Westhead, director of Crime Scene House, a Lancashire, England, consultancy that advises law-enforcement agencies. Online extortion is popular because criminals' chances of getting caught are "vastly reduced," he says.

Although most death threats are bogus, law-enforcement agencies still have to sort through them all. The result: more bona fide threats, buried in the surge of shams, may escape police scrutiny.