Identifying Spear-Phishing

May 28, 2018

If you have access to financial, payroll, or tax data at MIT, be aware that you may be the target of “spear-phishing” campaigns.

Ordinary phishing campaigns typically cast a wide net and harvest things like login credentials and passwords. Spear-phishing targets individuals with the aim of getting confidential data (e.g., tax documents) or money (through funds transfers). The “spear-phisher” tries to dupe you into trusting them by appearing to know about you or your situation. They do this by accessing publicly available information (your websites, LinkedIn profile, and/or résumé on a job site).

Protect Yourself

  • First, if you are being asked to transfer a large amount of money or provide private personal data, especially tax-related data, ask the requestor to confirm the inquiry in person or call them directly.
  • Second, check the email address that appears when you attempt to reply to the email. If you don’t recognize it, think twice.
  • Remember, always be vigilant when responding to requests for private information!

IS&T asks that you please forward all suspicious emails to so our Security team can improve the Institute’s spam filters and block malicious senders and links. Be sure to forward such emails as an attachment to preserve information the team will need to do so.

Contact BE-IT if you would like to verify whether a suspicious email is legitimate.