Gone Phishing, Spear Phishing and Whaling

Photo of author
Written By Robert Dunford
I am a Marketing Consulting in the Great Toronto Area with over 25 years experience in building and implementing marketing plans for small business.

Last night I returned to my old stomping grounds at the University of Toronto, Mississauga Campus, for a #ClassesWithoutQuizzes discussion about your digital footprint.  The focus of this event was on understanding how email fraudsters try to fool you and protecting yourself from these criminals.  It was also suggested we share what we learned here tonight, so I am posting this for my Blog readers and will share as much as I can.

The presenter, Ryan Duquette of Hexigent Consulting, told a packed house and a live webinar group that Phishing (pronounced like “fishing”) is a form of fraud where an attacker masquerades as a trustworthy entity to gain information from a potential victim.

This information can include things such as logon credentials, account information, credit card details and more. Phishing attacks normally occur through emails, however can also be by phone calls or by leading victims to fake (though legitimate looking) websites.

Traditional Phishing Emails Phishing scams have been around for some time. Think of the “Your bank needs you to confirm your account details” type emails, or the “Strange person sending you an attachment” type emails or the rich relative living in Nigeria as the most obvious examples.

Generally, most phishing attacks want the victim to do one of the following:

  1. Enter their PII (Personally Identifying Information)
  2. Click on an attachment
  3. Click on a link to a webpage

Many enterprise (and home based) email scanning programs weed out such emails, or at least mark them as junk or bulk. There are a few indicators that an email might be phishing for your information. Phishing attacks are becoming very commonplace and are a huge concern for many enterprise environments, especially those that house client information.  Many of these traditional phishing emails are either riddled with spelling mistakes, or just don’t make sense.

Mr Duquette went on to explain that Spear Phishing is similar to traditional phishing attempts, but many of these attack emails are personalized to individuals or companies. Attackers often gather information about their targets using a variety of methods (social networking and online sources being the most common) and utilize that information to “personalize” an email, rather than just sending it to an email address. This personalization dramatically increases the success of an phishing attack.

An extension of Spear Phishing, Whaling emails are a form of spear phishing emails that usually involves someone masquerading as a senior level executive (usually C-suite) asking another employee (usually finance) to transfer money (usually to a vendor). The reason they are called “Whaling” is that, like a sales environment, these types of scams often involve large transactions, and the traits of the perpetrator are strikingly like those mentioned above for sales representatives.

Many perpetrators of “Whaling” work in teams, gather large amounts of intel from their target, engage in social engineering, take their time, and build relationships.  Whaling emails are not as easy to identify. They are meticulously crafted, often contain information relevant to either the recipient or the perpetrated sender, and are often followed up by more emails. Perpetrators of these types of emails often gather information from open source channels (social media, news, company website) to include in the emails. In the last two years, this form of phishing has cost business over $2 billion (yup that’s a billion…. with a “B”), and has also cost many a CEO their job.

Recent reports show that that over 97 percent of phishing emails are associated to ransomware. The number of phishing emails used to spread ransomware is increasing, which is largely the result of sophisticated spear phishing attacks.

Criminals are gathering intel from the web to determine which companies do business with each other, and who to directly target at a company, and then use that information to generate targeted spear phishing emails using automated tools. Like other automated sales processes, criminals are automating the gathering of information and phishing email campaign generation.

Top 4 solutions for protecting yourself from these types of scams:

#1. Whoa There Cowboy.

Many of us have a Pavlovian response when it comes to our emails. The second we hear the “ping” from our phone, or see an email pop up on our screen, we instantly want to open it.  Criminals know this. And they also know that if they add more pressure (often by using the words URGENT, IMMEDIATELY, or CRUCIAL), you will be more likely not only to open an email, but potentially open an attachment or respond following orders (especially if it is coming from your CEO).

The 2016 Verizon Data Breach report shows that even waiting an hour before opening an email dramatically reduces your chances of being a victim. Waiting even longer (4+ hours makes the rates of opening emails and attachments almost none existence).

#2. TIPC – Timing / Intent / Person / Content

Before opening an email, and especially before opening any attachments or clicking links contained in the email, take a closer look and think about these 4 aspects.

Timing: Is the timing of the email correct? Are you expecting an invoice from someone, a document from someone, a file from someone? If not…be a little suspicious.

Intent: What is the intent of the email? Is it to either get you to

  1. Enter your PII
  2. Click on an attachment
  3. Click on a link to a webpage

If so, be a little cautious.

Person (from): Who is the email from? Someone who know, or don’t know? Does the name in the From: section match the name in the body of the email? If all you see is a name in the From: section, there are various methods (depending on your email program) to see the full email address. Look for spelling mistakes.  John.Smith@feddex.com

Does the email have a signature? Often whaling attacks are disguised as an email coming from a CEO’s mobile device that often do not have official company signatures attached to the name.

Person (to): Look at the To: section of the email. Is it addressed to only you and others you know? If there are other email addresses in this section you do not know, it may be a spam email. Is the body of the email personalized (not just the typical “Dear Customer…”)? While looking at these areas does not always mean the email will not contain malware, it will dramatically cut down on your risk of falling for a general phishing attempt.

Content: Are there spelling mistakes or grammatical errors in the email. Does the content of the email make sense? Would a CFO of a company be emailing you a receipt? Would your CEO be emailing you asking for a money transfer to be made?

#3. Take another route.  Just because an email says that you need to “verify” something, doesn’t mean that you have to click on the link in order to follow the instructions. Take your own path and go to the source directly.

Education – Guess what? Just by reading this post, you are less likely to be a victim of these types of phishing attempts. Education on cyber hygiene best practices has been shown to dramatically decrease rates of phishing victimization. Share your new-found knowledge with others. I often get emails from a family member which contain links to very odd looking websites, or contain attachments which are often used to spread malware (zip files). This family member recently sent an email to many people in my family. I replied to everyone and gave a brief “education moment” on these types of emails and the risks of opening them.

It is often best to get confirmation before running an executable or opening suspicious documents or files that you are not expecting. This is especially important before making any sort of money transfer.  Kick it old school and pick up a phone….or even better….talk to someone if you can before following the instructions in an email.

Special thanks to Ryan Duquette of Hexigent Consulting for providing this content for posting.  Robert Dunford

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Pin It on Pinterest