Phishing, Spear-Phishing and Whaling – same same but different. Here’s how…

Gone are the days of the benign Nigerian prince sending poorly worded emails that promise recipients untold millions just ripe for the taking … or so we thought.

Decades after swindling countless victims around the world, the Nigerian Prince variant of phishing emails continue to lure the unwary. In fact, the classic bait-and-hook scam still reels in an annual catch worth more than US$700,000 (from the hapless sea of humanity in the US alone). And even when several “Nigerian princes” have already been dethroned (i.e., arrested), the ancient con will persist – albeit in newer digital guises and featuring new generations of ‘royalty’ – simply because it can bypass the most sophisticated cybersecurity measures by just targeting the system’s weakest link: human vulnerabilities.

Equipped with new tools, cyber criminals have amped up their approach to malicious phishing emails, combining highly personalised tactics with expertly designed corporate email spoofs. Two of these upgraded phishing techniques are ‘Spear Phishing’ and ‘Whaling’.

They’re now a very real threat to Australian businesses. Even when much of its land mass is either desert or dry, the land down under has been a rich fishing ground for email scammers, some of whom actually live inside its borders. In 2021, Australians lost a record A$323.7 million to different types of scams, with the number of reported phishing attempts rising year-over-year by 61%.

Worldwide, the tide is similarly rising. Phishing gangs were more active and more successful in 2021 than the prior year, with wide-net (i.e., bulk) phishing attacks increasing by 12% and reported phishing success rates gaining by more than 45%. For the unfortunate fish who fell for the con hook, line, and sinker, the story often ends with serious financial losses.

If we’ve lost you with the numbers and the nautical terms, let us explain the subtleties:

What is Phishing?

Phishing is a common form of cybercrime that uses deceptive techniques to acquire a target’s sensitive information such as account passwords and financial data. While most phishing attacks are orchestrated to steal money from individuals, phishing has also been used extensively as a crucial step in more sophisticated cybercrimes such as corporate data breaches, ransomware attacks, and even state-sanctioned espionage.

The threat actor in phishing – often disguised as a legitimate institution or individual – may use different communication channels such as email, SMS text messaging, or telephone to pull off the crime. Much like its recreational counterpart and etymological root, ‘phishing’ is the digital equivalent of using bait to catch fish. The ‘bait’ is a contrived scenario that exploits human vulnerabilities such as empathy, altruism, greed, fear, curiosity, shame, and sense of urgency. Such false scenarios include a kindly Nigerian prince in dire circumstances offering a million dollars as a reward for your immediate assistance; a credit card company telling you that your card has been used without your permission; or your ‘boss’ asking you to transfer funds to a bank account immediately, or else. 

The granddaddy of digital scams, phishing encompasses many subsets such as Smishing (SMS-based), Vishing (phone or voice-based), Spear Phishing, and Whaling. As used in the field of email scams, however, ‘phishing’ often refers to a generic, ‘wide-net approach’ to duping just about anyone willing or distracted enough to take the bait. 

In the case of the infamous Nigerian prince scam, the bait is the emotional but poorly worded email that promises a huge monetary reward, sent indiscriminately to thousands of unsuspecting recipients. Meanwhile, the fish are the unfortunate few who – driven by varying degrees of curiosity, altruism, or avarice – follow the instructions contained in the email, only to end up giving credit card details, passwords, and other sensitive information after clicking a malicious link that leads to a spoofed web page.  

What is Spear Phishing?

Spear phishing, as the term suggests, refers to a phishing method that deliberately targets specific types of users. While phishing often connotes images of a pole with a line and a hook that might catch anything below the waterline, it can also refer to the use of a wide net that indiscriminately victimises anything with an email address, social media account, or mobile phone number. In contrast, spear phishing chooses its target more intentionally, taking the generic crime of phishing to the next, more refined level.

In spear phishing, the threat actors limit their attacks on specific individuals or group of individuals such as a particular company’s staff, specified department, or customers. To improve the credibility of the bait, cybercriminals ensure that the language, tone, source, and rationale/call-to-action of the phishing message are tailored to catch the attention of or be highly relevant to the specific group of targeted recipients.

For example, a spear phishing email that targets a company’s finance department would have messaging that includes references to common financial processes; uses jargon/terminology that is known to finance practitioners and staff; and be purportedly coming from a source that regularly engages the department – such as suppliers, enterprise application vendors, customers demanding refunds, tax auditors, and procurement specialists.

Spear phishing can also focus on a specific individual, with the threat actor tailoring the message to speak directly to you by citing information only your peers, friends, contacts, and acquaintances would know. Threat actors often acquire such information from both publicly available data (such as those from your social media pages) as well as from hacked data sources. 

What is Whaling?

Whaling takes the concept of spear phishing even deeper by targeting a narrower set of individuals: C-level executives with super user access to many of their organisation’s systems, as well as the authority to make major decisions and financial transactions. Considered the heavyweights in a company’s hierarchy or organisational chart, these are the “whales” being hunted by cybercriminals – largely for the purpose of extracting their powerful user credentials or other sensitive information.

In many cases, such stolen information (i.e., identity theft) is used to impersonate the compromised executive and leverage their authority in accessing sensitive corporate data (such as trade secrets and banking information); or in initiating large fund transfers to the accounts of cyber criminals. When threat actors use the executive’s email to deceive contacts into performing malicious acts, whaling transitions into the more calibrated cybercrime of Business Email Compromise (BEC). When the targeted executive is the CEO, the cybercrime is also called CEO Fraud.

Why focus on the higher-ups within a business? Simple. Compared to catching smaller fish, the payoff for whales is much bigger should the attempt succeed. Hence, threat actors invest more time and effort in refining their tactics and making their communications appear very legitimate, given that most of these heavyweights are assumed to be smart, discerning, or well educated. 

The typical process of a whaling attack goes something like this:

1. Cybercriminals target a senior executive with a finely spoofed message that convinces the ‘whale’ to take a specific action or disclose a vital piece of information. Possible actions include unwittingly downloading a malicious keylogger (a spyware program that captures the sensitive information you type); or bypassing organisational security controls to access sensitive data. Threat actors might also persuade the executive to visit a fake website whose data fields can capture the whale’s access credentials to the corporate email service, a financial app, or a credit card account used by the company.
2. If the attackers can gain access to the whale’s mailbox, they can silently observe the interactions between the executive and the rest of the team. They can then determine whether the executive has the ability to sign-off on invoices and who issues those invoices.
3. Once all the relevant details are known, the attackers just need to wait for the right moment to detonate a BEC bomb. Such moments include periods of travel, vacation, or remote work for the executive when the office will have very limited access to him or her.
4. The threat actors create a false invoice from a trusted entity using the exact format of the legitimate invoice. They then send an email to the accounts payable staff or financial comptroller, pretending to be the unavailable executive. The accounts payable staff are instructed to make a payment quickly, reminded to note the changed bank details, and advised that the executive can’t be accessed via phone because he or she is on a plane for several hours, sleeping, or otherwise unavailable.
5. The attacker uses a sense of urgency to pressure the accounts staff to make the transaction quickly.
6. The accounts staff, reasonably assessing that the email appears legitimate, proceed with the transaction.
7. The traumatised whale will spend the rest of his or her life regretting the biggest mistake they ever made. Fact: C-level executives have been fired for being a vulnerable whale. (If that can happen to heavyweights, how do you think would it go for smaller fish?)

Notable cases of phishing

All iterations of phishing aim to manipulate human targets into disclosing confidential information, which can then be used at the attacker’s discretion.

Sounds like an easily avoidable trap, right?  

NO.

If it were, billions of dollars lost to cybercrime that exploit the human vector (through phishing, stolen credentials, insider threats, and social engineering techniques) would have been saved per year.

But none of that is happening. Instead, cybercrime costs the world trillions of dollars in financial theft, ransom, and damages. Underlying that statistic is the fact that the vast majority (82%) of data breaches rely on human vulnerabilities to succeed. Phishing, in particular, is the most common and effective technique cybercriminals use to breach an organisation’s IT network and further orchestrate even worse attacks such as ransomware, BEC, and wiper malware.

Here are some mind-opening cases that will make you take phishing seriously:

A. CEO Fraud: Aerospace firm FACC fires two whales after losing US$55.7 million

FACC, an Austrian maker of aircraft parts sacked its CEO just a few weeks after firing the CFO as a result of a BEC scam in 2016. The company lost around $55.7 million when a phisher pretending to be the chief executive instructed an accounting staff to transfer said amount to a bank account to finance an “acquisition project.” FACC also filed an US$11 million suit against its former CEO and CFO for failing to perform due diligence, but Austrian courts dismissed the lawsuit.

B. RSA Data Breach: Even cybersecurity companies can be hooked

Veteran IT security firms – with all their sophisticated defences – might still fail to block a phishing attack. Multi-factor authentication company RSA was breached by hackers in 2011 when a staff member opened an attachment from a spear phishing email and accidentally downloaded malware, resulting to a $46.7 million loss to the company.

AND, HERE’S THE KICKER: the email was even marked as junk and isolated by the company’s filters. But how did they still fall for it? The subject line of the email was “2011 Recruitment Plan” – and that’s how it happens. It only takes one person to have a momentary lapse and think “Hmm, this could be legitimate. I’ll just click this.”

C. Ransomware vs. Ireland’s Public Healthcare System: It all starts with a little phishing

A Conti ransomware attack shut down the online services of the Irish Health Service Executive (HSE) for several weeks in 2021, disrupting critical patient services during a COVID pandemic and costing the country more than US$100 million to recover.

The ransomware infection that spread across the entire network originated from a single workstation whose user clicked on a malicious file attached in a phishing email. The attached file appeared to be an Excel spreadsheet but actually carried a payload that enabled the attacker to gain unauthorised access to HSE’s environment by compromising and abusing a significant number of highly privileged (i.e., system administrator) accounts.

D. Colonial Pipeline Hack: Phishers ditch water to try their luck in oil

Spanning more than 8,800 km, the Colonial Pipeline is the largest pipeline system for refined oil products in the U.S., providing nearly half of the oil supply in the East Coast. In May 2021, the pipeline was attacked by the DarkSide ransomware gang who were able to breach the company’s business network and billing system, stealing at least 100 GB of data.

In response, management shut down operations for five days, which resulted to a temporary fuel shortage (a deficit of around 20 billion gallons) and artificially hiked oil prices that affected millions of Americans. The attack was deemed a national security threat, prompting US President Biden to declare a state of emergency.

To stem further damage, Colonial Pipeline agreed to pay the cybercriminals US$4.4 million in ransom. That’s just the tip of the iceberg, unfortunately. In addition to the ransom amount, Colonial Pipeline also incurred tens of millions of dollars in recovery costs. Meanwhile, actual damage to the economy is incalculable.

HOW DID THIS HAPPEN? Many IT security analysts believed the attack started with a phishing email but other experts only attribute the breach to a compromised VPN account without specifying how the username and password were acquired.

E. BECs and Banks Don’t Mix: Scammers duped Belgian lender Crelan into parting ways with US$75.8 million

You can never shortchange a bank – unless you’re a phishing expert. In 2016, Brussels-based bank Crelan was covertly attacked by cybercriminals who gained unauthorised access to the CEO’s email account.

Following the typical playbook used in Business Email Compromise (BEC) and whaling, the fraudsters – reportedly operating from another country – used the compromised email to impersonate the chief executive and instruct an employee to wire-transfer the US$75.8 million in loot money to an undisclosed account. Apparently, the deed was done so stealthily that Crelan hardly budged, discovering the swindle only after an internal audit. 

F. Facebook and Google: ‘Fake it until you make it’ is a scam

The bigger they are, the harder they punch back. Such is the lesson Lithuanian scammer Evaldas Rimasauskas learned after using fake email accounts to impersonate a major hardware vendor and dupe tech titans Google and Facebook into paying more than US$120 million worth of fraudulent invoices.

The extended email phishing operation – which run between 2013 and 2015 – convinced finance officers at Google and Facebook that the forged communications, contracts, invoices, and letters they receive come from Quanta, an electronic hardware manufacturer based in Taiwan that serves Apple, Facebook, Amazon, Google, and other tech companies.

Following discovery of the scam, Google and Facebook flexed their muscles to make the fraudsters pay. Before long, Rimasauskas was extradited to the US, compelled to return around US$49.7 million in fleeced money, and penalised with a five-year prison term.  

G. Phishers to Sony Pictures: Greetings from North Korea

In 2014, a cybercrime group breached the IT network of Sony Pictures, leaking 100 terabytes of confidential data that included personal information of employees, copies of yet to be released films, movie scripts, executive salaries, plans for future projects, correspondences, and other information. Believed to be sponsored by North Korea, the “Guardians of Peace” hacking group then unleashed a variant of the Shamoon wiper malware to permanently destroy Sony’s corporate data.

That’s just the appetiser. The main course is even more bizarre. The attackers demanded that Sony withdraw a comedy film that featured a plot to kill North Korean Supreme Leader Kim Jong-un, threatening to conduct terror attacks at cinemas that show it. Many US theatres decided not to screen the comedy, prompting Sony to cancel the film’s formal premiere and mainstream release, opting instead for a downloadable digital release to be capped the following day by a limited theatrical release. The damage wrought by the data breach has been estimated by some experts to reach as much as US$100 million.

HOW DID THE STATE-SPONSORED CRIMINAL GANG TAKE HOLD OF THOSE TONS OF DATA?

PURE PLAIN PHISHING OF COURSE.

According to digital forensic analysts, the hacking group cast their nets and dangled their baits several months before the data leak, via phishing emails (purportedly from Apple) that reached many top Sony executives including its CEO. Said phishing emails told recipients to provide ID verification emails and redirected them to a fake website that captured their login credentials. Some presumably complied. 

How to avoid phishing, spear phishing, and whaling attacks

Phishing attacks – in all their forms – are hacks against humans, not computers. That is why it’s so hard to prevent, with humans being the weakest and most unpredictable link in any IT system. Still, there are simple steps that companies can take to ensure that they don’t become victims (only difficult targets) of phishing attacks. These include, but aren’t limited to:

1. Mitigate human vulnerabilities through education, training, and standardised processes. Implement best practices in your accounting, procurement, and finance units. Train staff (especially those with financial responsibilities) in IT security awareness. Teach all staff what these phishing emails can look like, what they’ll request, and what potential red flags to look out for (such as faked email addresses, spoofed websites and suspicious URL structures).
2. Guard your social media presence. For cybersecurity reasons, having private profiles is preferable to letting anyone with an internet connection know what you’re having for lunch and who you’re dining with. That’s because any information that is publicly available can be used as part of a whaling attack. If you’re going to post about your next Maldives vacation with the crew, be aware that people can and will use your movements to time their attack. Any and all personal information that’s readily available to the public is a potential jewel for a malicious actor.
3. Use multi-factor authentication for email accounts. Ramp up security to cover all your bases. That way, even if a password is compromised, the attacker would still need the authenticating token to gain access to your email account.

Conclusion

Even at a time when advanced AI and machine learning drive much of the tactics and countermeasures on both sides of cyber security, the human element remains the key battleground where the stakes are at their highest. And no other tool can manipulate human behaviour as well as those that exploit human vulnerabilities.

The new generation of phishers are much more sophisticated than the old Nigerian prince. They know your language better and what motivates you to action. Adept in the art of social engineering, they also know exactly which bait to use to lure different types of people into a digital trap.

In Australia, the fallout from phishing and scams are on the rise, with some threat actors exploiting people’s desire for financial gain and romance, while others infecting the payment gateways between businesses. For cyber criminals, anything is on the table and anyone can be a target: including former scam victims who are still reeling from financial and emotional stress.

Don’t take the bait! Train your company to smell anything phishy from a mile away. Contact your managed security provider or Security as a Service (SECaaS) vendor to plan how you can best protect your business.

The final word:

While phishing has become better at convincing targets and evading detection, it still operates on a very simple premise: human behaviour can be manipulated by using the right incentive, motivation, or threat.

Because it exploits the weakest link in any information system, phishing will persist as a serious threat to your business. In fact, Business Email Compromise (BEC) was the most damaging phishing scam for Australian businesses in 2021, according to official statements.

Fortunately, the impact and success rate of phishing can be mitigated by combining regular awareness training with robust technical solutions.