All at Sea - Phishing, Spear-Phishing and Whaling
Phishing is an extremely common cyber-fraud tactic – there were over a quarter of a million phishing scams reported to Action Fraud between April 2018 and March 2019. You may have received an email from someone claiming to be a “Nigerian Prince” asking for help with their cash-flow, or a text message from “HMRC” offering you a refund – all you need to do is click on a link! These are both phishing scams, which target thousands of people at once.
As the name implies, spear-phishing is much more targeted – the fraudster will have a particular target in mind. A spear-phisher will do their research first, and disguise themselves as a trusted contact. They will tailor their communication with you to appear genuine - they will address you by your name and use either a hacked email account, or a fake email address with one minor change that they hope you don’t notice – replacing .co.uk with .co-uk, for example.
Whaling is a further evolution along this theme. In a whaling attack, the fraudster specifically targets a senior executive or director. Details of Chief Executives and Directors are fairly easy to find via Google. They make particularly attractive targets due to their level of authority – if they forward a fraudsters email to their staff, it may be assumed that the contents are genuine and/or approved.
In each case, the fraudster aims to trick recipients into handing over bank details, clicking on compromised links, or sharing sensitive personal information.
Common tactics used to increase the effectiveness of a Spear Phishing or Whaling attack include implying a sense of urgency, impersonating a senior level employee, or “click baiting” (e.g. trying to goad you into clicking something by making it sound really juicy, such as “Breaking News from HR – Your Pay Rise. Click here to read more…”)
How to Avoid Phishers
- Think before you click – pay close attention to the sender’s details – they may have only altered one character to make their fake email address. Remember, your bank will NEVER text you a link to log in to your online banking. If in any doubt do not click on any links or reply to the email/text.
- Verify the communication is genuine without replying – use an established contact method to check that the message has come from a legitimate source. For banks, your bank card should have the customer helpline number on the back.
- Check with a colleague – don’t be afraid to flag things up and get a second opinion. You can speak to IT for advice if you’re not sure about something you’ve been sent.
- Don’t panic if you do click and then become suspicious. If you’re at work, contact IT immediately to alert them. If you’re concerned about a message you receive in your personal life, contact Action Fraud (and your bank if you think your bank account has been targeted)
More guidance for organisations can be found on the Centre for the Protection of National Infrastructure website here: https://www.cpni.gov.uk/dont-take-bait