Monday 31 December 2018

Phishing, Spear Phishing and Whaling Explained - Stay Safe Online!!!

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website, the look and feel of which are identical to the legitimate site.

The yearly overall effect of phishing could be as high as US$5 billion. Attempts to manage phishing incidents include legislation, user training, public awareness, and technical security measures, since phishing attacks also frequently exploit weaknesses in current web security.

Phishing types

  1.  Spear phishing
  2.  Clone phishing
  3.  Whaling
  4.  Link manipulation
  5.  Filter evasion
  6.  Website forgery
  7.  Covert redirect
  8.  Social engineering

Within all these nasties there are more targeted forms of phishing, such as spear phishing and whaling. Since we didn't really focus on these in the guidance, this blog takes a quick look at them now.


Whaling phishing

Whaling is a common cyber attack that occurs when an attacker uses spear phishing methods to go after a large, high-profile target, such as the C-suite. Malicious actors know that executives and high-level employees (like public spokespersons) can be savvy to the usual roster of spam tactics; they may have received extensive security awareness training because of their public profile, and the security team may have more stringent policies and heftier tools in place to protect them. This leads attackers who try to phish these targets to look beyond the same old tried-and-true tactics to more sophisticated, targeted methods.

A whaling attack, also known as whaling phishing or a whaling phishing attack, is a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO, in order to steal sensitive information from a company, as those that hold higher positions within the company typically have complete access to sensitive data. In many whaling phishing attacks, the attacker's goal is to manipulate the victim into authorizing high-value wire transfers to the attacker.

Whaling attacks often depend on social engineering techniques, as attackers will send hyperlinks or attachments to infect their victims with malware or to solicit sensitive information. By targeting high-value victims, especially CEOs and other corporate officers, attackers may also induce them to approve fraudulent wire transfers using business email compromise techniques. In some cases, the attacker impersonates the CEO or other corporate officers to convince employees to carry out financial transfers.

Examples of whaling attacks

One notable whaling attack occurred in 2016 when a high-ranking employee at Snapchat received an email from an attacker pretending to be the CEO. The employee was tricked into giving the attacker employee payroll information; ultimately, the FBI investigated the attack.


Spear Phishing

Spear phishing is a variation on phishing in which hackers send emails to groups of people with specific common characteristics or other identifiers. Spear phishing emails appear to come from a trusted source but are designed to help hackers obtain trade secrets or other classified information.

In spear phishing, an email appears to come from an organization that is closer to the target, such as a particular company. The hacker's goal is to gain access to trusted information. This is often as simple as looking up the name of a CEO from a corporate website and then sending what appears to be a message from the boss to email accounts on the corporate domain.

Threat Group-4127 (Fancy Bear) used spear phishing tactics to target email accounts linked to Hillary Clinton's 2016 presidential campaign. They attacked more than 1,800 Google accounts and used the look-alike domain accounts-google.com to target users.

Clone phishing

Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version to the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.



Differences between phishing, whaling phishing and spear phishing

Traditionally, phishing describes the general noise of malicious emails that are spewed out across the internet in vast quantities. The phisher is hoping that eventually one will arrive in the inbox of someone who happens to use that bank, or has just made a purchase at that online retailer, or is just having a bad day, and they click. The phisher gets a new password to add to their collection, or maybe a new machine to add to their botnet.

A whaling attack is a special form of spear phishing that targets specific high-ranking victims within a company. Spear phishing attacks can target any specific individual. Both types of attack generally require more time and effort on the part of the attacker than ordinary phishing attacks.

Where exactly is the cut-off point between phishing and spear phishing? Is targeting people from the UK with HMRC tax return emails spear phishing? What about mentioning the company name or a local landmark in a company-wide campaign? What about a mass mail out with stolen account numbers? These are all forms of targeting.

While ordinary phishing attacks usually involve sending emails to a large number of individuals without knowing how many will be successful, whaling phishing attacks usually target one specific individual at a time, typically a high-ranking individual, with highly personalized information.


Defending Against Whaling

First, be cognizant of the kind of information public-facing employees are sharing about executives. Details that can be easily found online via sites like social media, from birthdays and hometowns to favorite hobbies or sports, can help whaling emails seem more legitimate. Major public events can also lend whaling emails the guise of legitimacy. Remind executives or spokespersons that during these high-publicity times, such as a major industry conference or company event, they'll be in a spotlight in more ways than one, and to be especially wary of their inbox.

Next, foster an organizational email culture of "trust but verify." Encourage employees of all levels to verify the veracity of urgent, unexpected messages through another communication channel—like talking to the sender in person, or calling or texting them—and have executives and senior management lead by example.
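Part of that "verify" step can be automated at the mail gateway. The following Python script is an added example (not from the original post): it flags two patterns described above, an executive's display name arriving from outside the corporate domain (the "message from the boss" pattern) and a sender domain that merely embeds a trusted brand (the accounts-google.com pattern), plus a Reply-To pointing at a different domain. The corporate domain, executive roster and sample headers are constructed.

```python
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.com"                       # assumed corporate domain
EXECUTIVES = {"jane doe": "CEO", "raj patel": "CFO"}   # constructed roster
TRUSTED_BRANDS = {"google.com", CORP_DOMAIN}           # domains staff trust


def sender_domain(header_value):
    """Lower-cased domain of an RFC 5322 address header ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain):
    """Return the trusted brand whose first label appears inside a domain that
    is neither the brand nor one of its subdomains (accounts-google.com)."""
    for brand in TRUSTED_BRANDS:
        label = brand.split(".")[0]
        if domain != brand and not domain.endswith("." + brand) and label in domain:
            return brand
    return None


def classify(headers):
    """Return the reasons a message should be verified out of band."""
    reasons = []
    name, _ = parseaddr(headers.get("From", ""))
    dom = sender_domain(headers.get("From", ""))
    # Pattern 1: the boss's name on an address outside the company domain.
    if name.lower() in EXECUTIVES and dom != CORP_DOMAIN:
        reasons.append(f"{EXECUTIVES[name.lower()]} display name on external domain {dom}")
    # Pattern 2: replies silently routed to a different domain.
    reply_dom = sender_domain(headers.get("Reply-To", ""))
    if reply_dom and reply_dom != dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {dom}")
    # Pattern 3: a sender domain that merely contains a trusted brand name.
    for d in sorted(filter(None, {dom, reply_dom})):
        brand = lookalike_of(d)
        if brand:
            reasons.append(f"{d} imitates {brand}")
    return reasons


SAMPLES = [  # constructed sample headers, not real traffic
    {"From": "Jane Doe <jane.doe@example-corp.com>"},
    {"From": "Jane Doe <jdoe.ceo@gmail.example>", "Reply-To": "jdoe@gmail.example"},
    {"From": "Google Accounts <no-reply@accounts-google.com>"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["From"], "->", "; ".join(classify(msg)) or "ok")
```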
