Phishing — or sending emails intended to trick recipients into letting bad things happen — is a constant threat to businesses. It's especially dangerous when it takes the form of spearphishing or whaling. A whaling attack aimed at us here at Abusix reminded us of how insidious it can be, and we'd like to pass the reminder on to you.
The effects of whaling
Spearphishing and whaling are both targeted forms of phishing. Whaling is more specific. The whaler is going after the biggest catch, usually a C-suite officer. It has a big impact when it succeeds, since top executives have broad authority.
One common form of whaling impersonates a trusted person in a company and asks the target to authorize the transfer of a large sum of money. It stresses that the transaction has to go through quickly. The executive, who is already dealing with a lot of issues, may approve it without a second thought. A wire transfer sends a large sum to a bank in a foreign country, the money quickly vanishes from the account, and there's no way to get it back.
Other whaling email messages aim at getting trade secrets or research data. One way is to acquire the password to an archive. Another is to convince the victim to "resend" a memo. Another goal, or a beneficial side effect, could be to collect more information on other executives. That will make the next whaling campaign even more convincing.
Types of phishing
An ordinary phishing email message isn't tailored to an individual. It's sent out widely as spam in the hope of catching some people. If it reaches enough mailboxes, some recipients will be naive or caught off-guard. These messages are designed to create a sense of urgency and threaten unpleasant consequences. For example, it might say, "If you do not give us the necessary information within 24 hours, your bank account will be frozen until you pay a reactivation fee."
These messages may try to get the target to open a dangerous attachment or download malware. They could also aim at acquiring personal information, such as passwords, governmental identification numbers, and credit card numbers. The goal is to collect enough information to impersonate victims and get control of their assets.
In another tactic, the message contains a link to a lookalike page for online banking, PayPal, or another financial service. If the victim doesn't look closely at the address bar, the fake page can be hard to tell from the real site. The victim enters a password, which the fake page copies and then submits to the real site. The login works, so nothing obviously went wrong.
Spearphishing and whaling
The perpetrator of a targeted phishing scheme puts in a greater effort in the hope of a bigger return. Preparation involves gathering as much information as possible on the target. Anyone in a position of responsibility might be targeted. This includes not only top-level officers but also account managers, IT administrators, and anyone else who controls important assets.
In today's world of social media, people give away a lot of personal information about themselves. A little research can find someone's nickname, family members, friends, home address, make of car, and favorite restaurant. Sprinkling some of these details into a message makes it look a lot more convincing.
A whaling message may appear to come from a government agency, a financial institution, or a trusted colleague. It might accuse the recipient of professional misconduct and require an action to "clear the matter up." Some people will be reluctant to verify the claim because of potential embarrassment.
LinkedIn and Facebook are two of the most popular ways to build up a personal profile on a high-profile victim. Local directories and news stories add to the available details. Acquiring and using confidential information can make the message even more frightening, with details like, "...your credit card number ending in 1234."
Whaling messages often aren't caught by spam filters. Ordinary phishing emails are sent in bulk, but each whaling email is unique and doesn't match a pattern. Because it's more likely to reach an inbox and its content is more plausible, a whaling message has a greater chance of fooling the recipient.
Even experts in computer and network security can fall for spearphishing messages. A 2017 phishing campaign targeted security specialists who were interested in a Washington, D.C. conference. The message attachment was a Microsoft Word document with an embedded malicious VBA script.
How to stay safe
Protection from phishing requires a multifaceted approach. Anyone who receives email needs to think twice about clicking on links or opening attachments in any message, even if it appears to come from a trusted sender. Everyone makes mistakes, though, and some messages are fiendishly clever. A thorough set of precautions will make it harder for phishers to succeed. Potential precautions include the following steps:
- Use a private email address for internal messages. Don't let it be known to anyone except the most important correspondents.
- Have anti-malware software installed on computers that receive email, and keep it up to date.
- Be especially wary of any message that asks the recipient to download software or take unusual steps to open a document. It's almost never necessary to install a new application or browser add-on to conduct business communication.
- Publish DMARC records so that receiving mail servers can check whether a message claiming to come from your domain was actually authorized by it. This won't prevent spoofed messages from being sent, but it will help filters identify and reject them.
- Use two-factor authentication for important accounts. Stealing a password by itself won't give a phisher access to accounts that are protected that way, and victims who suspect their password has been compromised will have time to change it.
- If an email message requests an unusual action, such as a wire transfer to an unfamiliar bank account, use out-of-band communication such as a phone call to confirm the request.
- Make sure browsers and other software are up to date. Having the latest browser makes it less vulnerable to malicious pages and attachments.
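The DMARC check from the list above, as an added example that is not Abusix's code: it parses a DMARC record and applies identifier alignment to the SPF and DKIM results a receiving filter has already computed, then reports the domain owner's requested policy. The record, domains and results are constructed for illustration, and the organizational-domain helper is a deliberate simplification (no public suffix list lookup).

```python
"""Added example (not Abusix's code): a minimal DMARC alignment check.

A receiver looks up the TXT record at _dmarc.<From domain>, checks whether
the SPF-authenticated domain or the DKIM signing domain aligns with the
From header domain, and applies the published policy on failure.
"""

# Constructed DMARC record for the (fictional) domain example.com.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed mode needs the same org domain."""
    auth, frm = auth_domain.lower(), from_domain.lower()
    return auth == frm if mode == "s" else org_domain(auth) == org_domain(frm)


def dmarc_verdict(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (passes, policy). One aligned pass (SPF or DKIM) is enough."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    return spf_ok or dkim_ok, tags.get("p", "none")


if __name__ == "__main__":
    # Spoofed 'From: ceo@example.com' sent through an unrelated server: SPF and
    # DKIM both pass, but for the wrong domain, so DMARC fails and policy is reject.
    print(dmarc_verdict(DMARC_RECORD, "example.com", "relay.spoofed.example", "spoofed.example"))
    # Legitimate mail with an SPF pass on a subdomain: relaxed SPF alignment succeeds.
    print(dmarc_verdict(DMARC_RECORD, "example.com", spf_pass_domain="bounce.example.com"))
```

The second case also shows why the record's adkim=s matters: a DKIM signature from mail.example.com alone would not align strictly with example.com.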
Abusix Mail Intelligence will help to keep dangerous email out of your inbox. Get in touch with us to learn how we can protect you against phishing, whaling, and other security threats.