Phishing is similar to an online con game where attackers send fraudulent email messages appearing to come from trustworthy sources to gain personal information. These types of scams vary in their complexity and their attacker’s objectives, with spear phishing and whaling attacks being the more sophisticated forms of phishing.
Gone are the days when spear fishing meant “what you do while vacationing in the warm waters of the Caribbean.” On that same note, “whaling” has nothing to do with the mammals nor one’s ability to have a “whaling good time.” Now the terms are synonymous with being aware of what comes through your inbox.
Phishing attacks have been steadily rising and are increasingly targeting businesses. According to Verizon’s Data Breach Investigations Report released last year, 23% of recipients open phishing messages and 11% of those people open the links within these emails. Furthermore, 50% of these recipients open and click within the first hour. Email filtering can catch some phishing attempts, but not all, due to the rate at which these emails are opened.
Spear phishing is directed at individuals and whaling attacks are directed at senior level executives, also known as the “big phish,” who have access to valuable information within a business or organization. These attacks may occur utilizing a malicious email that appears to come from a company executive.
What is Spear Phishing?
Spear Phishing is a scam and you are the target. It is an email that appears to come from a business or someone that you know, but in reality, it is malicious in form and seeks to obtain sensitive information (bank account numbers, passwords, financial information, etc.).
The spear ‘phisher’ thrives on all there is to know about you. They research job titles, partner information, company background, LinkedIn accounts and personal social media outlets to entice you into opening their emails. Just take a moment to think about how much information is available about you on the Internet. Did you take pictures from a recent trip to Paris and share them on Instagram; run a half-marathon where your name and completion time are easily accessible; or simply post the College that you graduated from?
Once the spear phisher has this information – game on! The next email to you will probably use your first name, reference a “mutual friend,” how great you looked in Paris, and congratulate you on finishing first in your age group.
What are “Whaling” Attacks?
Whaling attacks are the “it” hack of 2016. Whaling uses e-mail sent from spoofed or similar-sounding domain names to make it appear as though these emails were sent from senior executives of a victim’s company. This requires targeted research focused on the identity of an employee and the organizational hierarchy within a company. This outreach is less personal in nature. Whaling emails may be more difficult to detect because they don’t contain hyperlinks or a malicious attachment, they rely solely on tactics that depend on human interaction and to manipulate their targets.
According to the security firm, Mimecast, around 55% of organizations have seen an increase in whaling attacks over the last three months. Their research further suggests that in 72% of the cases whaling emails appeared to be sent by the CEO of the company, while 36% seemed to come from the CFO.
Whaling attacks have been identified by hackers as the “golden goose.” If you receive a branded “company” email that promises reduced costs for pet insurance, be careful about opening any links or any attached forms–especially if you just welcomed a brand new Labrador Retriever puppy into your life. These links may contain malware that opens up the gates of your corporate network.
To avoid these damaging attacks, below are three helpful guidelines to help you stay protected. You may also contact your IT Security Provider for more information.
Navigate your Inbox
Always pay attention to who the email comes from. If you are not familiar with the business or person it is coming from, you might not want to open. If you do open it, avoid clicking on any links until you can verify the identity of the sender. If it comes from your CEO, you are still not in the clear. Check the URLs to make sure everything is legitimate. If you are the only one being offered pet insurance in the company, you know there is a problem.
The subject line might help in determining whether or not the email is malicious. However, we do heed caution especially if the subject references an online purchase like, “Thank you for your recent iTunes purchase” as an example.
As phishing gets more sophisticated, this may come less into play. However, read through the email to ensure that everything is spelled correctly, written in a clear manner, etc. These are telltale signs that the email may not have come from a trusted source. Very rarely will you receive emails from a C-level executive within your firm sending emails that are not grammatically correct.
The Call to Action
If you ever receive an email asking that you send personal information, login credentials or open an attachment – don’t do it. Is there a moment where you would actually contemplate giving out your social security number via email these days?
General Rules to Follow
Button up personal information that is living on the Internet. If you don’t, spear phishers have access to your friends list, email address, posts showcasing your Apple watch, etc. Keep as much information as possible restricted by customizing your security settings. The less information out there about you, the less you are giving a spear phisher to go by.
In addition, don’t sign up for apps through social media unless it is reputable. Every time you enter your information is another opportunity to be hacked.
Think about your passwords. Is it your birthday that is listed on your social media site? Or another date of significance? Do you use one password or variations of that one? What about “123456” or “password”, the two most commonly used and easily hackable passwords other there. Click here for more information on what makes a good password.
Every password for every site should be different, really different and should include multiple characters. If you follow these rules, please do not keep a standing list on the note section of your iPhone. If your iPhone gets stolen, not only did they get a new device but, more importantly, that device has just become their “golden ticket” at your expense.
There are a number of password management applications out there that will generate strong passwords for you. Your only requirement is to remember the password that gets you access into that application. Through Managed IT Services, password updates and changes will be proactively managed by your provider for security purposes.
Since most operating system and browser updates include security updates, always update your software. By doing so, you will make it that much harder for an intruder to break through when your applications are up to date.
Keep Your Wits About You
Use common sense when responding to emails. How many times has a personal friend emailed you to obtain your personal passwords and login credentials? Probably never. If there is something suspicious about an email you received, reach out to your friend, company, or senior executive that sent it to you. Do not feel pressured to provide personal information even if they are playing on your emotions. Always be suspicious of unsolicited email even if it comes from you CEO.
See firsthand how much information is out there on the Internet about you. Don’t forget any posts that you may made on other people’s pages or company updates on LinkedIn. Is there enough information out there that a phisher or whaler can scam you?
Manage your inbox with caution. Hacking techniques will continue to get more sophisticated in nature, which is putting all businesses at risk. If you are not satisfied that your organization is secure or would be able to respond to an attack, contact us. We have helped businesses like yours respond in times of crisis and put processes in place to guard against such attacks.