Phishing, Spear-Phishing and Whaling – What’s the Difference?

Gone are the days of the benign Nigerian prince sending poorly worded emails promising you untold millions. Cyber attackers have amped up their approach to malicious emails, combining highly personalized approaches with expertly designed corporate email spoofs. These emails are known as ‘Whaling’ and are the close, more sinister cousin of ‘Spear Phishing’. They’re now a very real threat to Australian businesses.

If we’ve lost you with the nautical terms, let us explain the subtleties:

Phishing vs Spear Phishing
The granddaddy of email scams, Phishing emails are a wide-net approach to email-based attacks. Much like its recreational counterpart, ‘Phishing’ is the email equivalent of using bait to catch fish.

The bait in this case is a poorly worded email sent by the thousands to the unsuspecting public, and the fish are the unfortunate few who follow the instructions it contains and wind up handing over credit card details or passwords, or bypassing security protocols and catching a virus.

Spear-phishing is the next level of phishing attack. It is much the same in practice, but rather than a scattergun approach, these emails are targeted at specific groups – for example the staff or clients of a particular company.

Both iterations of email scam exist to manipulate the recipient into disclosing confidential information, which can then be used at the attacker’s discretion. Sounds like an easily avoidable trap, right? Well, even security firms can fall victim to these. Multi-factor authentication company RSA was compromised in 2011 when a staff member opened an attachment from a spear-phishing email and unwittingly installed malware, resulting in a $46.7 million loss to the company. AND, HERE’S THE KICKER: the email had even been marked as junk and isolated by the company’s filters. So how did they still fall for it? The subject line of the email was “2011 Recruitment Plan” – and that’s how it happens. It only takes one person to have a momentary lapse and think “Hmm, this could be legitimate. I’ll just click this.”

Spear Phishing vs Whaling
Whaling follows on from the idea of spear-phishing: the ideal outcome is still the acquisition of sensitive information through deceptive emails. The key difference is that the targets are even more carefully selected – they are often senior-level employees – and the ideal outcome is one big steal. These are our “Whales”.

Why focus on the higher-ups within a business? Simple – the payoff is far higher should the outcome be successful. And it’s because of these high-value targets that attackers are willing to invest more time and effort into making these communications appear legitimate.

The anatomy of a whaling attack goes something like this…

An executive in an organisation is targeted with a message that convinces them to take an action or give up a vital piece of information – perhaps downloading a keylogger, bypassing the organisation’s security controls or, if the attacker is really bold and ready to roll the dice on losing the opportunity, going straight for the user’s password.

If the attacker can gain access to the whale’s mailbox, they can silently observe the interactions between the executive and the rest of the team and determine if the executive has the ability to sign-off on invoices, and who issues those invoices.

If they do, the attacker just needs to wait for the right moment.

That moment is typically a moment of travel for the executive when he or she will be remote from the office.

The attacker creates a false invoice from a trusted entity, using the exact format of the legitimate invoice, and emails the accounts payable staff or financial controller pretending to be the unavailable executive. The accounts staff are instructed to make the payment quickly, told to note the changed bank details, and advised that they can’t phone the executive because he or she is on a plane for X hours, sleeping, or otherwise unavailable.

The attacker uses a sense of urgency to pressure the accounts staff to make the transaction quickly.

A whaling attack is very much a hack against a human, rather than against a computer. That’s why it’s so hard to prevent.
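The pressure tactics in the attack described above are also the things a mail filter or a finance team's triage step can look for. The following Python script is an added illustration, not code from the original article or from Computer One: it scores an inbound message on an executive's display name appearing over an address that isn't theirs, a Reply-To pointing at a different domain, urgency language, a mention of changed bank details, and the "you can't reach me" line. The internal domain, executive roster, regexes, threshold and both sample messages are all constructed for the example.

```python
"""Heuristic triage of inbound mail for whaling / invoice-fraud red flags.

Added example, not code from the original article or from Computer One.
The executive roster, internal domain, regexes, threshold and sample
messages are all constructed for illustration; a real deployment would
pull the roster from the directory and tune patterns against its own mail.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed: the organisation's own mail domain and the people whose
# display names a whaling email typically borrows.
INTERNAL_DOMAIN = "example-corp.test"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}

# Each check is (weight, description, pattern). The patterns mirror the
# pressure tactics from the article: urgency, changed bank details, and
# "you can't phone me right now".
BODY_CHECKS = [
    (1, "urgency language",
     re.compile(r"\b(urgent(?:ly)?|immediately|asap|today|right away)\b", re.I)),
    (2, "changed bank/payment details",
     re.compile(r"\b(new|changed|updated)\b.{0,40}\b(bank|account|bsb|payment) details\b", re.I)),
    (2, "sender claims to be unreachable",
     re.compile(r"\b(on a plane|in flight|in the air|don'?t (?:call|phone)|can'?t (?:be reached|take calls))\b", re.I)),
]

HOLD_THRESHOLD = 4  # constructed; tune against your own mail flow


@dataclass
class Email:
    from_header: str
    subject: str
    body: str
    reply_to: str | None = None


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def score_email(msg: Email) -> tuple[int, list[str]]:
    """Return (score, reasons) for one message; higher means more suspicious."""
    score, reasons = 0, []

    name, addr = parseaddr(msg.from_header)
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        # A real executive's display name, but not that executive's mailbox
        # (catches both external senders and look-alike domains).
        score += 3
        reasons.append(f"display name '{name}' but address {addr} is not {known}")

    if msg.reply_to:
        _, reply_addr = parseaddr(msg.reply_to)
        if _domain(reply_addr) != _domain(addr):
            score += 2
            reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {_domain(addr)}")

    text = f"{msg.subject}\n{msg.body}"
    for weight, label, pattern in BODY_CHECKS:
        if pattern.search(text):
            score += weight
            reasons.append(label)
    return score, reasons


def triage(msg: Email) -> str:
    """'hold' means park the message and confirm the request out of band
    (a call to a number already on file), never by replying to the email."""
    score, _ = score_email(msg)
    return "hold" if score >= HOLD_THRESHOLD else "deliver"


# Constructed sample messages.
FRAUD = Email(
    from_header="Jane Doe <jane.doe@exarnple-corp.test>",  # look-alike domain
    subject="Urgent: supplier invoice",
    body=("Please pay the attached invoice today. Note the supplier's changed "
          "bank details. I'm on a plane for the next 14 hours so don't call."),
)
LEGIT = Email(
    from_header="Jane Doe <jane.doe@example-corp.test>",
    subject="Monthly report",
    body="Hi team, the report for review is attached. Thanks.",
)

if __name__ == "__main__":
    for m in (FRAUD, LEGIT):
        s, why = score_email(m)
        print(f"{triage(m):8} score={s} {m.subject!r}: {why}")
```

The weights are deliberately crude; the point is that no single signal decides, but the combination the article describes (impersonated executive, urgency, new account details, unreachable) stacks up fast, and anything that crosses the threshold is held for a phone call to a known number rather than actioned or answered by email.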

How to avoid a whaling attack
Despite the dramatic consequences, there are simple steps that companies can take to ensure that they don’t fall prey to a whaling attack. These include, but aren’t limited to:

  1. Educate staff with financial responsibility on best-practice techniques. Teach them what these emails can look like, what they’ll request and what red flags to look out for – mitigate the human-error factor through education.
  2. Keep social media profiles private. Any information that is readily available can be used as part of a whaling attack – if you’re going to post about your next Ibiza vacation with the crew, be aware that people can and will use your movements to time their attack. Any and all personal information that’s readily available to the public is a potential jewel for a malicious actor.
  3. Utilise multi-factor authentication for email accounts – ramp up security to cover all your bases. That way, even if a password is compromised, the attacker would also need the authenticating token to gain access to your email account.

While Whaling is an insidious cyber threat, it can be mitigated by combining the continuous education of staff with robust technical solutions. To discuss how to best protect your business, contact us here at Computer One Pty Ltd.