A recent report in PC World illustrates the increasing sophistication of online phishing expeditions:
Panos Anastassiadis didn't click on the fake subpoena that popped into his inbox on Monday morning, but he runs a computer security company. Others were not so lucky.
In fact, security researchers say that thousands have fallen victim to an e-mail scam in which senior managers such as Anastassiadis are told that they have been sued in federal court and must click on a Web link to download court documents. Victims of the crime are taken to a phony Web site where they are told they need to install browser plug-in software to view the documents. That software gives the criminals access to the victim's computer.
This type of targeted e-mail attack, called "spear-phishing," is a variation on the more common "phishing" attack. Both attacks use fake e-mail messages to try to lure victims to malicious Web sites, but with spear-phishing the attackers try to make their messages more believable by including information tailored to the victim.
I guess the "Security update from your bank" scam has started to hit the point of diminishing returns. This newer scam promises to be more lucrative for a while, until spam filters start to catch on to it. It will take more time, as the personalization of the initial phishing message will tend to give that message plausible details that would deter spam software from tagging it.
As always, watch what you click on, especially if it seems alarming (court summonses, subpoenas, tax documents, etc.).
Posted by Nicholas at April 16, 2008 09:07 AM