Big Phish, Little Phish
Using phishing simulation, Proofpoint, a US security company, found in their 2019 report that attackers are continuing to focus on people, rather than on trying to defeat technical defences.
An interesting observation in this report is around the awareness and understanding of different age groups. Whilst the ‘millennial’ generation (as ‘digital natives’) have been raised on smart devices, a heightened level of user skill doesn’t mean a good understanding of cyber security.
When asked to answer the question “what is phishing?” 47% of responders in the 18-21 age bracket provided a correct answer, while 58% did in the 22-37 age group, 68% were correct in the 38-53 age group, and 73% in the 54 and above age group.
What is Spear Phishing?
Spear phishing is a phishing attack that is directed at a specific individual or organisation.
The definition of phishing includes the principle that the attack is based on a mass distribution of emails or messages. Users are not targeted individually, and there may be thousands of recipients.
Spear phishing, however, is a targeted attack. The attacker spends more time crafting the email, usually adding details that personalise it in some way (e.g. an attacker that knows, from public information, the place you work and a number of your colleagues, can create a spear phishing attack that uses these details to make it appear more legitimate).
As the distribution of a spear phishing attack is more targeted, it tends to be the case that the request is also specific. A common spear phishing attack requests that an employee performs a payment or transfer of funds of some type, by posing as a senior employee within the organisation.
Even tech companies can be victims of spear phishing, as Snapchat found in 2016 when an email claiming to be from the CEO was sent to HR, who then proceeded to provide the information requested.
What is Whaling?
Whaling is a spear phishing attack that is directed at a senior person within an organisation, like the CEO, Headteacher or governor.
Like spear phishing, whaling is usually a targeted attack, and the attacker typically spends more time preparing the attack than with a generic phishing attack. For this reason, whaling attacks can be difficult to spot.
Also called ‘CEO Fraud’, in 2017 the FBI stated there had been a 1,300% increase in this attack type since January 2015. Troublingly, as these attacks often involve an employee authorising a transaction using their real systems, it is usually not recoverable through the bank once the funds have been transferred, and the use offshore laundering and/or ‘money mules’ can make it difficult to trace, even for law enforcement agencies.
The best protection from a whaling attack, therefore, is vigilance: wherever possible, verify the authenticity of a request by actually speaking to the person.
