Something Phishy

“Please have this done ASAP!” Receiving an email with this subject line from your boss can get your heart pumping and your keyboard clicking a little faster than they should be. These are the exact circumstances that cyber criminals work to create in order to prey upon unknowing victims when their guard is down. Cyberattacks are no longer something that happens only to major companies or as a result of someone walking in with a floppy disk that has a virus on it. According to Cybersecurity Ventures, the global annual cost of cybercrime is predicted to reach $8 trillion USD by the end of this year and is expected to reach $10.5 trillion by 2025 [5]. The best defense against cyberattacks is a well-informed staff and up-to-date software on all computer systems. While this article cannot help with the latter, it can bring attention to some of the attack attempts you are likely to encounter. The following is an overview of two of the most common, and often costly, forms of cyberattack affecting businesses and individuals today – whaling and spear phishing.

Whaling

Did you just get an important email from your CEO, or is it a scam? While it is possible that the CEO of your company has asked you to wire half a million to his Swiss bank account, it is much more likely that you have just received an attempted cyberattack called “Business Email Compromise (BEC)”, more commonly known as a Whaling Attack [2].

C-Suite level targets

The targets for whaling attacks are those who have the corner office and a capital C in their title – CEO, CFO, COO. The reason only the upper echelons are targeted for these attacks is that it takes a great deal of research and effort to pull off one of these stunts. Whaling cyberattacks are emails that are socially engineered to appear to come from a legitimate company executive. They often convey a sense of urgency to the recipient, demanding an immediate response [1].

While we think we would be able to recognize an email from our bosses, it is not always as easy as spotting a misspelled word in the letterhead or an incorrect address. These attackers go to great effort to mimic the jargon of the industry and tie in publicly available information to add legitimacy to the email. These attacks often state that one executive needs you to prepare information or transfer funds for another executive whom you are familiar with or even work with.

What do they gain?

Should the attacker succeed in getting the target to grant them access to the system, whether by downloading malware or by directly handing over login credentials, the end result will fall into one or more of the following categories [4]:

·   Financial Gain

·   Data Theft

·   Malware Installation

·   Credential Harvesting

·   Espionage

·   Reputation Damage

·   Disruption

Spear Phishing

Spear phishing gets its nickname from the fact that these attacks are personalized with information from social media or publications on the internet and aimed at targets who have heavy email traffic. Compared with ordinary phishing attacks, it is the difference between fishing with a net and fishing with a spear. Phishing attacks throw a wide net for possible targets and are often sloppy and easily detectable. Spear phishing lives up to its namesake: attackers take a single stab at a single target with much more effort and dedication, with the intent of yielding a higher payoff for the attacker.

What makes Whaling different from Spear Phishing?

The key differences are the targets and the intended audience. Whaling attacks are indirect attacks on the individual: there is rarely direct contact with the individual who is being impersonated, and the active agents are the recipients of the masqueraded emails. Spear phishing is a direct interaction between an attacker and the target, often an entry-level employee, aimed at gaining base-level entry. The attackers sometimes pose as a colleague, friend, boss, or even a Nigerian prince!

The two share similar tactics; the difference lies in the effort invested and the level of reward. Spear phishing requires a low level of effort compared with whaling, but the reward achievable is proportionately lower than with the whaling tactic.

How to avoid Cyberattacks

Check the email address very carefully

Phishing email addresses will do their best to mimic real email addresses but will often have extra digits or letters in the address. And if the email address appears correct, the origin will be unfamiliar. For example, instead of @hhmcpas.com, a hacker might use @hhmcpas.int2. Paying close attention to email addresses when an email seems suspicious, and comparing them against past emails to confirm that the address is legitimate, is a safety control that protects you against cyberattacks.

Do not open shortened links

Shortened links are known for hiding malicious websites and malware programs. When receiving a text from an unknown number, do not open any hyperlinks unless previews are enabled and you were expecting the message. Verifying all links you are sent will avoid hours of tech support calls trying to get information or funds back.
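The two checks above (compare the sender's domain against the domains you actually correspond with, and treat shortened links as opaque until verified) can be automated as a small triage script. The following is an added example written for this article, not code from the firm or from any of the cited sources. The known-domain list reuses hhmcpas.com from the text; the shortener list, the executive name, and the sample message are constructed for the demonstration, and the lookalike rules (same label with a different TLD, or a label within two edits of a known one) are a simple heuristic, not a complete spoofing detector.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this organisation really sends mail from (constructed sample; only
# hhmcpas.com comes from the article text).
KNOWN_DOMAINS = {"hhmcpas.com"}

# Display names of executives that BEC/whaling mail tends to impersonate
# (constructed sample for the demonstration).
EXECUTIVE_NAMES = {"jane doe"}

# Hosts of common link shorteners (constructed, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot 'hhmcpas2' or 'hhmpcas' next to 'hhmcpas'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_from(from_header: str):
    """Return (display name, domain) from a From: header; domain is None if no address."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return name.strip().lower(), None
    return name.strip().lower(), addr.rsplit("@", 1)[1].lower()


def classify_sender(from_header: str, known=KNOWN_DOMAINS) -> str:
    """Classify the sending domain: known, lookalike:tld, lookalike:label, unknown, no-address."""
    _, domain = split_from(from_header)
    if domain is None:
        return "no-address"
    if domain in known:
        return "known"
    # Naive split into label and TLD; fine for single-level TLDs used here.
    label, _, tld = domain.rpartition(".")
    for k in known:
        klabel, _, ktld = k.rpartition(".")
        if label == klabel and tld != ktld:
            return "lookalike:tld"      # e.g. hhmcpas.int instead of hhmcpas.com
        if levenshtein(label, klabel) <= 2:
            return "lookalike:label"    # e.g. hhmcpas2.com or hhmpcas.com
    return "unknown"


def find_shortened_links(body: str) -> list:
    """Return every URL in the body whose host is a known link shortener."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop trailing punctuation from prose
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            hits.append(url)
    return hits


def triage(from_header: str, body: str) -> list:
    """Return a list of human-readable findings for one message; empty means nothing flagged."""
    findings = []
    verdict = classify_sender(from_header)
    name, domain = split_from(from_header)
    if verdict.startswith("lookalike"):
        findings.append(f"sender domain {domain} looks like a known domain ({verdict})")
    elif verdict == "no-address":
        findings.append("From header carries no usable address")
    # Executive's name on an address outside the company: classic whaling pattern.
    if name in EXECUTIVE_NAMES and verdict != "known":
        findings.append(f"display name '{name}' is an executive but domain {domain} is not ours")
    for url in find_shortened_links(body):
        findings.append(f"shortened link, destination hidden: {url}")
    return findings


if __name__ == "__main__":
    # Constructed sample message in the style the article describes.
    sample_from = "Jane Doe <jane.doe@hhmcpas.int>"
    sample_body = ("Please have this done ASAP! Wire details are at https://bit.ly/3abcXYZ. "
                   "Invoice copy: https://hhmcpas.com/invoices/42")
    for finding in triage(sample_from, sample_body):
        print("FLAG:", finding)
```

Run it on a saved message's From header and body; every finding is a reason to verify out of band (a phone call to the person the mail claims to be from, or a look at earlier genuine mail from them) before acting. A message with an empty finding list is not proven safe, only free of these particular tells.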

Conclusion

Cyber security is an expense that companies are finding themselves having to increase year after year. There is no limit to the number of threats one will face in the ever-changing and rapidly evolving business climate, but that does not mean there is nothing you can do about it. Taking steps to ensure that your data is protected, that all your technology is running the latest version of its software, and that you and your staff are educated will all go far toward ensuring that you do not become a victim of cyberattacks.


References:

[1] National Cyber Security Centre (NCSC). (2016, October 6). Whaling: how it works, and what your organisation can do about it. ncsc.gov.uk. https://www.ncsc.gov.uk/guidance/whaling-how-it-works-and-what-your-organisation-can-do-about-it

[2] Sharma, L. (2022, September 29). Phishing, Spear Phishing, and Whaling. nyu.edu. https://www.nyu.edu/life/information-technology/about-nyu-it/nyu-it-news/the-download/the-download-features/phishing-spear-phishing-whaling.html

[3] Imperva. (n.d.). What is Spear Phishing | How is it different from Whaling Attacks. Imperva Learning Center. https://www.imperva.com/learn/application-security/spear-phishing/

[4] Spasojevic, A. (2023, September 26). What is a Whaling Attack? Identify & Prevent Whale Phishing. phoenixNAP Blog. https://phoenixnap.com/blog/whaling-attack

[5] eSentire. (n.d.). 2022 Official Cybercrime Report. https://www.esentire.com/resources/library/2022-official-cybercrime-report#:~:text=According%20to%20Cybersecurity%20Ventures%2C%20the%20global%20annual%20cost