Spear Phishing and Whaling – When Hackers Get Personal – Day 9 of Cybersecurity Awareness Month 2021
Shelly Miller
Well, Craig, I was hoping that you could tell us a little bit about spearfishing and whaling today.
Craig Taylor
That’s a great topic for Cybersecurity Awareness Month. So, spear phishing. Spear phishing is very much like phishing, but it’s targeted attacks on specific individuals. Phishing attacks are sent out by hackers to millions of recipients with generically addressed emails: dear sir, dear ma’am. But with a spear phishing attack, the hacker takes the extra time to research the person of interest, or the attack key, and send them targeted phishing messages that say: Shelly, or Mike, you have this urgent thing to deal with, your PayPal account’s been frozen, or something along those lines, but it’s specifically targeted at an individual. Whaling is the very same thing, only it’s targeting higher value targets. So for example, anyone in a company could be spear phished, but the president or the CFO, CEO, those targets are researched, you know, 10 times as long on social media and public archives of data to make a very convincing phishing attack against a very high value target. That’s what whaling is.
Shelly Miller
Okay. So how do these attacks happen?
Craig Taylor
Well, it’s a standard method of all social engineering attacks; they either do it in person, but more likely logically through an email. If you’re a president of a company, and you share a little too much information on social media. Let’s say your dog was in the hospital recently, and you complain on social media about the cost of looking after that pet. As the president of that company, you might receive an email the next day that says, we’ve reduced your veterinary bill based on your feedback on social media; download this form to explain why and we will reduce your fee. And it’s a totally spoofed message. It didn’t come from the animal hospital. It’s an example of using social media information to target a high value person to infect their computer with malware. The moment that CEO downloads that file, their computer could be infected, and their company network and data could be compromised.
Shelly Miller
Okay, so how can we spot them and stop from being a victim of them?
Craig Taylor
It’s the exact same message that we give for phishing attacks: you need to understand how to spot and delete phishing attacks across your entire company, whether it’s a whaling, spear phishing, or normal phishing attack. Is the email unexpected? Does it create a sense of urgency? Is it generically addressed? Although in spear phishing and whaling it may have your name, so that wouldn’t be a factor. Does it have weird or hidden URLs that you might click on? Are there spelling, punctuation and grammar mistakes? Does it contain an enticing or voyeuristic attachment that has, for example, salaries.xls? These are the questions you ask yourself anytime you get an email that you weren’t expecting, and it just doesn’t sit right with you. And if you answer yes to any two of those, you’re being attacked: delete the message. The worst that can happen is you have to call that person back and say, you know, was this you? They may have to send it to you again.
Shelly Miller
Okay, very good. So follow the tips: if you have two of the factors, do not open or respond to the email. Beware.
Craig Taylor
Yes.
Shelly Miller
Perfect. Thank you.