Phishing for Your Information: Spear-Phishing and Whaling Explained

It is widely reported that around 91% of cyber attacks begin with a spear-phishing email, which makes spear-phishing one of the most common and dangerous threats to individuals and organizations alike. In this post we define spear-phishing and whaling, explain how to recognize a potential attack, and describe how to protect yourself and your organization.

Spear-Phishing

Spear-phishing is a targeted social engineering attack in which the attacker uses information gathered about the victim to convince them to disclose their own or their organization's confidential information. Whereas generic phishing messages are not personalized and are sent to many recipients at once in the hope that some will fall for the ploy, spear-phishing targets a single individual or a group of individuals who share similar characteristics. The attackers group people by attributes such as interests, employer or location and then craft specific, detailed lures built around those shared characteristics.

Attackers craft these detailed lures from information that is freely available online, much of it posted by the targets themselves. By viewing social networking profiles on Facebook, LinkedIn or Twitter, they may gather an email address, employer, friends list and location. They collect as much as possible so that the resulting email looks believable and the sender appears legitimate.

Spear-phishing messages often convey urgency, pressing you to act quickly without reflecting on the request. Attackers typically ask for confidential information such as passwords, account numbers or access codes, to be supplied either by replying directly to the email or by clicking a malicious link.

If you supply the requested information, the consequences can be serious. With your personal details, attackers can access your personal accounts and banking information and obtain the identification details needed for identity theft and other crimes. With company information, they can gain access to the corporate network and steal confidential data such as intellectual property or access codes.

Whaling

Spear-phishing is a targeted form of phishing; whaling is more targeted still and usually aims at a single high-level individual. There are two types of whaling attack: 1) attacks that target senior executives such as the CEO, COO or CISO, and 2) attacks in which the criminal impersonates senior personnel in order to target other employees. In both cases the attackers usually try to get the target to authorize or complete a large wire transfer.

Spear-phishing attacks involve some planning, but whaling attacks are typically far more strategic and well-prepared, with reconnaissance and back-and-forth communication lasting anywhere from a day to weeks or even months. Attackers invest this time because the expected payout is much larger. As a result, whaling attacks are harder to spot and deter.

Whaling attacks involve a high level of detail and personalization: the message may reference your name, job title, location and other relevant information. As with spear-phishing, the criminals mine social networking profiles to build highly specific and detailed scams, but because the potential return is high they take their time and every precaution, consulting far more than just your social media accounts.

How to Avoid a Spear-Phishing or Whaling Attack

Follow these recommended steps to protect yourself and your organization from a spear-phishing or whaling attack:

1. Watch what personal information you post online

2. Use a unique, strong password for every account

3. Keep software up to date

4. Use common sense when opening emails or checking links, and confirm unusual requests, especially payments or payroll changes, with the sender through a channel other than email

5. Implement a data protection program

Popular Spear-Phishing and Whaling Attacks

The following attacks have been reported to the Canadian Anti-Fraud Centre; for more examples of reported spear-phishing attacks, please visit their website.

  • Gift cards: The cybercriminal sends an email to an employee pretending to be the CEO or another high-ranking colleague and tries to persuade the employee that the executive needs their help buying gift cards for the office; the employee is then asked to send the card codes. As with most spear-phishing and whaling scams, the purpose is to get the recipient to transfer funds or disclose confidential information.

  • Wire transfer: Similar to the gift card scam, the attacker sends an employee an email pretending to be a high-level colleague and asking for an urgent wire transfer to a foreign account.

  • Financial industry client scam: Instead of impersonating a high-level individual in the company, the cybercriminal impersonates an existing client. As in the other two scams, the attacker directs the company to make an urgent wire transfer.

  • Payroll: The cybercriminal sends an email impersonating an employee and requesting a change to their direct deposit information. If the organization complies, the employee's pay is deposited into an account the cybercriminal controls.

How to Spot a Spear-Phishing or Whaling Attack

According to the Government of Canada, the best way to spot a potential spear-phishing or whaling attack is to slow down and analyze the following three things:

  • Email Address: Check that the actual address, not just the display name (which the sender can set to anything), matches the one used in previous communications. Make sure that words are spelled correctly and that there are no extra, missing or substituted letters or numbers in the email address or domain name.

  • Formatting: Is the email formatted in a way that resembles past communications with this person or organization? Are there new spelling or grammar mistakes that don't match past communications with the sender? Are there inconsistencies in tone or word choice?

  • Urgency: Is there a sense of urgency around the request? Is this urgency explained, and is the explanation logical? Consider whether this type of request is what you would expect from the sender and whether it resembles past interactions with them.
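The email-address check above can be partly automated. The following is an added example written for this post, not code from the original article or from the Canadian Anti-Fraud Centre: it parses a From header, compares it against a constructed list of contacts from previous correspondence, and flags the three things an attacker manipulates, a display name that does not match the address on file, a trusted name on a never-seen address, and a lookalike domain built from extra, missing or substituted characters (including digit-for-letter and rn/vv tricks). The contacts and headers are invented for illustration.

```python
"""Added example: heuristic sender checks for the "Email Address" test.

Flags display-name/address mismatches, borrowed display names, and
lookalike domains. All contacts and From headers are constructed."""
from email.utils import parseaddr
import unicodedata

# Constructed: addresses and names from previous legitimate correspondence.
KNOWN_CONTACTS = {
    "jane.doe@example.com": "Jane Doe",
    "cfo@acme-corp.com": "Sam Lee",
}

# Digit-for-letter substitutions commonly used in lookalike domains.
DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Fold accents, digit lookalikes and the rn/vv tricks so that
    'examp1e.com', 'exarnple.com' and 'éxample.com' all collapse to 'example.com'."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    return d.replace("rn", "m").replace("vv", "w").translate(DIGIT_LOOKALIKES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character additions, deletions and typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, known=None) -> list:
    """Return a list of warnings for a From header; an empty list means the
    sender exactly matches a contact from previous communications."""
    known = KNOWN_CONTACTS if known is None else known
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["could not parse a sender address from the From header"]
    warnings = []
    if addr in known:
        # Same address as before: only the display name can lie.
        if display and display.lower() != known[addr].lower():
            warnings.append(f"display name '{display}' differs from '{known[addr]}' on file for {addr}")
        return warnings
    local, domain = addr.rsplit("@", 1)
    # Classic impersonation: a trusted name on an address we have never seen.
    for known_addr, name in known.items():
        if display and display.lower() == name.lower():
            warnings.append(f"display name '{display}' belongs to {known_addr}, but the address is {addr}")
    # Compare the domain against every domain we have corresponded with.
    for kd in {a.rsplit("@", 1)[1] for a in known}:
        base = kd.split(".")[0]
        if domain == kd:
            warnings.append(f"unknown mailbox '{local}' at known domain {kd}")
        elif normalize_domain(domain) == normalize_domain(kd):
            warnings.append(f"domain {domain} is a character-substitution lookalike of {kd}")
        elif levenshtein(normalize_domain(domain), normalize_domain(kd)) <= 2:
            warnings.append(f"domain {domain} is within two edits of {kd}")
        elif domain.endswith("." + kd):
            warnings.append(f"domain {domain} is a subdomain of {kd}; confirm it is really used for mail")
        elif base in domain:
            warnings.append(f"domain {domain} embeds the known name '{base}' but is not {kd}")
    if not warnings:
        warnings.append(f"{addr} has not been seen in previous communications")
    return warnings


if __name__ == "__main__":
    # Constructed From headers: one legitimate, the rest typical spear-phishing senders.
    for header in [
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@examp1e.com>",
        "Sam Lee <cfo@acme-corp.co>",
        "Sam Lee <ceo.samlee@gmail.com>",
        "Sam Lee <cfo@acme-corp.com.invoices-portal.net>",
    ]:
        print(header, "->", check_sender(header) or ["OK: matches a known contact"])
```

These heuristics are deliberately conservative: a new colleague at a known domain or a legitimate subdomain will also produce a warning, because the point of the check is to make you slow down and verify through another channel, not to decide for you. Any warning on a message that asks for money, credentials or a payroll change should be treated as a reason to phone the sender.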
