Á½ÐÔÉ«ÎçÒ¹

Spear Phishing and Whaling

Spear Phishing  is a form of Social Engineering, and it casts out emails to a targeted group.  It targets specific individuals/group this way the attackers can customize their communications and make them appear more authentic. They will often have some inside information on their targets, by either social engineering, or researching through websites, social sites etc...  They might already know your name, or your hometown, your bank, or your place of employment and this information is easily accessed via social media profiles and postings. Then they send e-mail that looks like the real thing to you, offering all kinds of reasons why they need your personal data. That bit of personalized information they have adds a lot of credibility to the email.  Spear phishing works because they're believable.

In these campaigns, attackers target an individual or a group of people holding a high degree of authority within an organization, such as managers or executives.

They make it sound urgent and legitimate and give you enough information to look like they are real.  They will ask you to click on a link inside the email and it will take you to a phony website that might look real and have you provide passwords, account numbers. user IDs etc...

Spear phishing is a simple, yet targeted and dangerous email based cyber-attack. Unlike normal phishing methods which require zero research by the attacker, spear phishers usually do their homework beforehand: the victim’s social media accounts, their position within the company, who they might work with, even other private data like home address or telephone number which could come from previous phishing attempts. Spear phishing is often used in attacks with high-profile targets, such as CEO fraud, or business email compromise.

You have probably seen a spear phishing email before (see examples below):

  • Could you please log into your file sharing account and review the following document, proposal, file etc...
  • We noticed an issue with your social media account.  Follow the attached instructions to fix the issues as soon as possible.
  • There's been unauthorized activity on your bank account. Click here to log in and fix the problem.

 

Whaling

Whaling is a higher form of a Spear phishing attack where attackers send a message that appears to be from a chief executive officer, the chief financial officer or another C-suite executive.   The attackers will research their targeted individual, collecting personal information from online profiles, social media accounts etc...

The email the attacker creates what will look identical to an email from a legitimate business/university, making it difficult to spot as a "phish".  These whaling email messages will typically ask recipients to make wire transfers to vendors who turn out to be fraudulent, to reveal sensitive business information or employee data that hackers can use to steal identities, gain access to business systems, or visit a spoofed website or even send payroll files to a spoofed email address.  If you visit the spoofed website, or it may even ask you to enter sensitive information like passwords, bank account numbers, or Social Security Number.

 

How do you recognize a whaling email?

  • Request for a transfer of funds or sensitive information.
  • Urgent or threatening tones that is intended to make you act quickly and not take time to talk to anyone about it or double-check for information about it.
  • The senders email address in a whaling email may have the person's name on it but the email address itself will be slightly altered to look real.
  • For example, an email from [your boss's name].Kent.edu@gmail.com

 

If you suspect you have received a whaling attack, spear phishing or phishing email - you should report it immediately to phish@kent.edu!