What’s The Difference Between Phishing, Spear Phishing & Whaling?
It is commonly known throughout the security community that users are the “weakest link in the chain” when it comes to a company’s network. This reason is why so many attackers first gain a foothold in a network through phishing attacks.
There are different types of phishing that threaten a company’s network: phishing, spear-phishing, and whaling. Phishing emails are broadly sent to numerous users with no thought as to who the recipient will be. Spear phishing emails, which target specific users, or a group of users, in an organization and are crafted specifically for that group. Whaling emails target, or attempt to impersonate, specific high-level executives within an organization and the emails are crafted specifically for the individual.
- What Is Phishing?
- What Is Spear Phishing?
- What Is Whaling?
- What Is The Best Defense Against Phishing Attacks?
What Is Phishing?
Phishing is a social engineering attack that attempts to trick people in to giving up personal or sensitive information. This is typically conducted via emails and are broadly sent to people with no thought behind who the recipient is.
Phishing emails come in all shapes and sizes and some have had serious consideration of how the email will be delivered, in terms of the look and feel of the email. As a cyber security expert, it is my job to think of the worst-case scenarios such as what to do when a user clicks on the link or opens the attachment.
Here are a few steps you can take if you find yourself falling victim to a phishing email:
- Contact your security team so they can ensure no other user falls victim and so they can block mail flow to that sender both inbound and outbound.
- Reset your password for the account that was compromised as well as all other accounts that you have used that password for.
- Ask IT to perform a full scan of your computer to ensure no malicious software was executed or installed.
Examples Of Phishing Attacks
In this example, the phishing email attempts to steal the credentials of a user. Once they have the account credentials, they can attempt to access more network resources such as the VPN, remote desktop services or even online email accounts.
Looking at the email below, you will find that the email is supposedly from Microsoft, however, the sender’s domain name is not Microsoft. This is one indication that this email is phishing. Secondly, hovering over the link of the email identified that the link does not actually take you to Microsoft. This is yet another indicator that the email is phishing.
Another common type of phishing that I see is phishing emails that attempt to threaten or scare the recipient. In the example below, the email attempts to blackmail the recipient into paying a sum of money to keep data they have “stolen” from the user from being released to the public. This scare tactic attempts to make the recipient feel embarrassed and violated which in turn may lead to the recipient paying the ransom.
What Is Spear Phishing?
Spear phishing is a type of phishing attack which targets specific users or groups of users such as a billing department or HR department. Emails sent to these users are typically well crafted and designed to fit the normal business correspondence the user may be used to seeing on a regular basis.
Examples Of Spear Phishing Attacks
In this example you see that the attacker has sent an email to a member of a payroll department in an attempt to change their direct deposit information. From what I have seen, these email typically come from poorly chosen email addresses that are easily identifiable.
This next example is slightly different than the first in that instead of trying to change someone’s direct deposit information they are trying to trick the recipient into purchasing gift cards. Again, this is typically targeted to a specific group of people that would have access to perform this request. In my experience, these emails most commonly target executive assistants.
What Is Whaling?
Whaling is a form of phishing that targets high-level executives such as the CEO or CFO of a company, or attempts to impersonate them. Like spear phishing, these emails are specially crafted for the intended recipient. When these emails are specially crafted they become harder and harder to identify.
One common example I have seen involve a CEO being spoofed in an attempt to trick someone in the finance department to make a payment to a “vendor”.
A recent upswing of whaling attacks have been identified in the shipping industry. These attacks have been noted to attempt to spread malware and transfer payments to suspicious accounts. The emails that have been collected so far show the attackers are attempting to make the email look as if it is an internal email by changing the letter “I” to a number “1”.
Example Of A Whaling Attack
In 2016, Snapchat fell victim to a whaling attack and released the following statement:
“It’s with real remorse–and embarrassment–that one of our employees fell for a phishing scam and revealed some payroll information about our employees.”
The email was sent to a Snapchat employee and had appeared to come from the CEO. The attacker had requested payroll information, and since payroll was part of their duty and the “CEO” was asking for it, the employee handed over the information. Shortly after the incident, the attacker released the payroll information.
What Is The Best Defense Against Phishing Attacks?
With users being the weakest link the chain, end-user training is one of the most effective ways to defend against phishing attacks. There are many ways to train users but some of the most effective I have seen revolve around annual and remedial training courses as well as simulating phishing attempts.
Security Awareness Training
Annual security awareness training is a great way to refresh users on current trends and new methods taken by attackers. However, training should not stop there. Simulated phishing attacks performed by either your company or a third-party company is an excellent way to test your users and validate the effectiveness of your training.
In the event a user fails a phishing test, or even falls victim to a phishing attack, remedial training should be used to train the user in the areas they were found to be deficient.
A few other things you can add to your security awareness training program are:
- A button, available in your end-users mail client, that can report an email as suspicious has proven to increase reporting of suspicious email and thus increase the detection rate of phishing attacks,
- If you are using a simulated phishing approach, track metrics so you can measure the effectiveness of your training and can adjust accordingly,
Other things that can be done to defend against phishing attacks include:
- Encourage your executives to make their social media platforms private in an attempt to prevent whaling attacks.
- Use mail filtering technologies that can proactively block known malicious senders and spam mail while also providing the ability to blacklist known malicious senders.
- Use multi-factor authentication for access into any service that allows entry into your network externally (VPN, Remote Desktop, Outlook).
- Vulnerability Scans VS Penetration Tests: What’s The Main Difference?
- Intrusion Detection (IDS) VS Intrusion Prevention (IPS): What’s The Difference?
- How To Perform A Successful Network Vulnerability Assessment
- What Is A Red Team VS A Blue Team In Cyber Security?
- How Often Should You Perform A Penetration Test?