Spear-phishing: are scammers targeting you?

How fraudsters use your personal information against you 

Personalised scam messages are much more convincing than generic ones – if a scammer can gather enough information on you, you’re a target.

Scammers use spear-phishing to sidestep the usual warning signs you count on to detect scams.

When non-specific language is replaced with your name, address and date of birth, as well as something distinct, such as where you work or where you went to school, it's much easier to get conned by scam messages.

However, there are ways to scrutinise spear-phishing attempts and detect what's genuine and what isn't. Read our tips below to find out how.

(A version of this article was published in the June 2024 issue of Which? Tech magazine.)





What is spear-phishing?

Spear-phishing uses information gathered on us to make scam messages more convincing. Generic emails, texts or messages saying that your bank account information has been compromised are transformed into eye-catching messages filled with your personal details, prompting you to take a second look.

The restaurant hack

Chris received a call from Piccolino Restaurant in London saying the venue owed her the £30 deposit she supposedly made when booking via OpenTable. Although she did book the restaurant via OpenTable, she didn't recall making a deposit.

The caller went on to tell her the deposit could be refunded via a voucher or reimbursed to her card. Chris thought it didn’t seem right for a member of staff to take card details over the phone.

After Chris expressed her doubts, the caller's tone noticeably changed and became agitated: ‘It’s up to you if you want the deposit back or not.’ Chris repeated her card number and expiry date.

She was still suspicious but the caller reassured her: ‘How would I know that you came into the restaurant at 5pm, left at 6.30pm and were celebrating a 60th birthday?’ This was all correct, and Chris went on to give the three digits at the back of the card.

After finishing the call, Chris descended into a complete panic as she knew something wasn’t right. A few minutes later, she received another scam call purporting to be from her bank.

Luckily, Chris realised this before it was too late, called her bank on a trusted number and cancelled her card. 

What did the restaurant say?

We contacted the owner of Piccolino Restaurant, Individual Restaurants, and were told: 'One of our restaurants was subject to a phishing scam on 20 August 2023. It was an isolated incident during which a scammer was able to access the database for this specific restaurant, which contains phone numbers and booking details made via OpenTable.

'We responded promptly following notification of the incident and immediate steps were taken to close down access to the database, as well as contact any guests who may have been impacted. Further measures have been implemented internally, in partnership with OpenTable, to prevent future incidents.'

How do scammers get your data?

If you’re wondering how a spear-phishing fraudster does their research, think back to that picture of your last holiday which you posted on Facebook or the work history in your LinkedIn profile.

In a survey* where we delved into the social media habits of thousands of people in the UK, we found that on their public Facebook profiles:

  • 68% of respondents share their names
  • 46% share their ages
  • 35% share their locations.

This can give a scammer some basic information to address you by name and include your location in a scam message.

  • 21% of respondents share their places of work 
  • 32% share their birthdays 
  • 12% share their phone numbers and email addresses. 

Now, a fraudster could call or email you, impersonating a colleague or offering you a job in your field.

  • 18% of respondents share places they’ve visited 
  • 9% share their real-time location on their public Facebook profiles. 

This information can allow fraudsters to develop seemingly uncanny messages that know where you are and where you’ve been.

What if you lock down your social media profile?

Even if you lock down the information you put out online, you can still be a target. Think of all the websites you visit and the ton of data you give away when you do. While this data isn’t used for nefarious purposes, it can be if fraudsters are able to access it, and once data is breached, criminals can use it to create spear-phishing messages.

If you receive a message or phone call with information that only you would know, think about whether the details are truly exclusive knowledge and ask yourself: ‘Is there any way someone could find this out?’ 




Who falls for scams?

Our survey* found that:

  • 72% of Gen Z respondents have clicked on a link sent to them in a direct message from a friend or family member, compared to 57% of baby boomers.
  • 15% of Gen Z respondents have clicked a link sent to them in a direct message from a stranger; only 3% of baby boomers had.
  • 13% of respondents have provided personal information online as a result of clicking a link sent to them in a direct message. If we extrapolated that to the UK population, we’re talking about 7.7 million people. 
  • 32% of respondents shared their birthdays on Facebook, and 14% shared them on public LinkedIn accounts.
  • 20% shared their location on public Twitter accounts, and 15% shared their real-time location on public Snapchat accounts.
  • 49% had private profiles on Facebook, 34% on Instagram, 19% on Twitter and 17% on TikTok.
  • 24% shared images and/or names of their friends and family on public Facebook accounts, 18% on public Instagram accounts. It’s good etiquette always to ask before you share.


6 ways to protect yourself against spear-phishing

Every online or in-app click on your device takes you through page after page, capturing various data about you and your habits. Everything you type online puts more information about you onto the web.

Here are some methods of protecting yourself from scammers spying on you:

  1. Temporary emails - Register on websites with a temporary email address to protect yourself against potential email leaks. You can use services such as Temp Mail, Guerrilla Mail or Apple’s Hide My Email tool if you have an iCloud subscription.
  2. Check data leaks - You can see if your data has been leaked at haveibeenpwned.com. Google users can visit passwords.google.com/checkup to see if any of their username and password combinations have been breached.
  3. Protecting your devices - In our survey, we found 55% have antivirus software installed on their laptops and 25% have it on desktops. Discover the best antivirus to protect your data.
  4. Social media sharing - Making social media profiles private keeps them away from potentially prying eyes. (Which? Tech subscribers should see our April issue, p16, to find out how you can lock down your account.) You should also think twice about oversharing.
  5. Suspicious messages - Follow classic scam advice including being wary if you’re contacted out of the blue or are offered something that seems too good to be true. Being asked to share personal and financial data or being pressured to make a decision are also red flags. And don’t click on links in suspicious messages.
  6. If in doubt, get in touch - Not sure if a message is genuine? Go to the company’s website. Don’t click a link in an email or message to do this – use a search engine or type the URL directly into your browser. Then, check the website for the best way to contact the company. This may take a little longer, but you’ll know you aren’t being scammed.


*Our survey

We surveyed 2,098 UK adults in January 2024. The results were prepared by public opinion consultancy Deltapoll for Which?