What is Phishing? Threat Types, Scams, Attacks & Prevention

Phishing Definition (Computer)

When someone Google’s what is phishing – the general answer they get, more or less defines Phishing as a type of cybercrime in which criminals use email, mobile, or social channels to send out communications that are designed to steal sensitive information such as personal details, bank account information, credit card details etc.

This information is then used for a variety of purposes ranging from identity theft, fraudulently obtaining funds, crippling down computer systems through to securing trade secrets or even sensitive information pertaining to national security.

 

How Does Phishing Work?

Almost all types of phishing attacks can be broadly divided into two categories –

 

Tricking Users

This involves directly tricking the user to pass on sensitive information via spoof sites. This method creates compelling communication messages that entice the user into visiting third-party, data harvesting sites.

 

Installing Malware

With this the attacker, gets the user to install malware by when a call-to-action is clicked in a communication. In the method, the fraudster entices the user to click on a download link that in turn installs malware.

 

While there is no fool-proof method on how to prevent phishing, common approaches include user education that is designed to spread phishing awareness, installing anti phishing tools and programs and introducing a number of other phishing security measures that are aimed at proactive identification of phishing attacks while providing mitigation techniques for successful attacks.

 

How To Spot A Phishing Email

A 2017 study from Keepnet Labs showed that in 2017, a staggering 48.2 percent of phishing messages were actually opened by the target. Clearly, users need to know how to spot phishing emails early before they cause any harm to your system. Prevention is better than cure, as the old adage goes.

So how can you spot a phishing email? As mentioned previously, this requires a generous application of common sense and caution, and a solid awareness about come phishing patterns. Here are some common phishing awareness tips on how to spot a phishing email 

Poor grammar, punctuation and just plain tacky language

Professional email marketers take great pains to create email copy that is proof-read and confirms to rigorous branding and messaging guidelines. Emails that contain poor grammar, punctuation or show an illogical flow of content are most likely fraudulent.

Emails soliciting personal information

Established brands never ask you sensitive information via email. Messages containing a brand’s actual logo, address etc. but which also ask you to click on links to change password or enter card details are almost certainly phishing mails.

Alarming content

Hackers can send messages that cause alarm by telling you things like one of your accounts has been hacked, your account is expiring, and that you may lose some critical benefits immediately, or some other extreme condition that puts you in panic. The content is prominently decorated with exclamations etc. to trick you into clicking links and then ask you to login before you can proceed.

Urgent deadlines

Another common phishing technique is to send messages about a pending deadline. A hacker could send you a renewal email about an expiring insurance policy, track your online activity and send a message about a limited validity discount on some deal that might have browsed, or something similar. Typically, such emails ask you to complete an action immediately or lose substantial benefits.

Unrealistic financial rewards

Winning a lottery when you never purchase one, getting a large cash discount on something you never purchased, large prize money in a content that you never enrolled for and so on. Phishing artists typically use such messages to take you to a site and then verify your bank details to receive the money. Which of course never arrives but you may well find chasing your bank for reversing unauthorized transactions.

Mismatched URLs

An attacker may send you an email with a signature claiming to be from a legitimate brand. However, the text may contain shortened links which actually redirect you to a completely different site in an attempt to capture sensitive information. Always hover over any links in an email and compare the domain in link target to any signatures that you might see.

Mis-matched domain name

An email sender address has a domain ending in microsoft.acme.com or asks you to click a link which takes you to a page on this domain to make a purchase. Clearly, this domain is not the same as Microsoft.com and there is good chance that this email is malicious.

Obviously, these patterns are by no means all inclusive and creative hackers are constantly investing in clever techniques to trump you. Effectively learning how to recognize phishing emails will require a similar commitment from your side.

 

Malware and Ransomware

Phishing emails are often used as the delivery method of choice for malicious software, or malware. Such malware can include a variety of hostile or intrusive software including –

 

Spyware

Software that can collect and transmit important information such as bank account details, online banking passwords/usernames, credit card information or other sensitive personal information such as social security number.

 

Computer virus

If installed, a virus can cause near destruction of the host computer. It can corrupt sensitive operating system files, infect boot sectors, delete files of certain extensions, and even spread across the network when an infected file is accessed on a different computer.

 

Worms

Computer viruses need a host file to work. They are only activated when a host file infected with the virus is accessed and only spread when the host file is moved around on a network. Worms on the other hand do not require a host and can create self-replicating copies that can spread around on a network without human intervention.

 

Ransomware

This is a special type of malware that encrypts and locks out key local system files and where the attackers then demand a ransom in order to revert the system to original state.

While these are some of the prominent ones, other malware that can be easily installed via phishing emails include trojans, bots, keyloggers, and rootkits.   

 

Protection from Phishing

Phishing protection refers to a set of techniques including best practices and tools that are collectively used to stop phishing attacks and mitigate the effects of ones that do manage to bypass existing prevention mechanisms.  More specifically, these techniques include

 

Comprehensive user education

This involves providing users with adequate education around perils of phishing, how to spot suspect communications and what to do once an attack has been identified.

 

Best practices

This includes a set of online security best practices such as not using public networks for sensitive communications, regularly changing passwords, not sharing sensitive data using emails and so on. Most companies provide employees with extensive guidelines on such best practices and make concerted efforts to ensure compliance.

 

Software tools

This involves use of specialized software that can identify potential scams, and also mitigate the effect of successful penetrations. The range of tools available is truly diverse including capabilities such as preventing zero-day, identifying whale/spear phishing, and protection against weaponized attachments. Some products specialize in on-premise deployments while others are purpose-built for cloud-based communications.

A successful anti-phishing program would typically involve combining all the techniques above after customizing to specific business context, rather than rely on using any single strategy.

 

How To Prevent Phishing

Phishing prevention is rarely a single course of action and is best implemented using a combination of common sense and certain specialized software. Some common best-practices that should be used regardless of presence of any specialized phishing protection software include –

 

Avoid using open, public networks

Data sent over public networks is often not encrypted and this provides opportunities for hackers to sniff out important information such as account username and passwords, your purchase transactions, saved passwords, and other browsing activities. Of course, it is entirely possible for rogue hackers to setup completely free hotspots and lure you into parting with sensitive information even without sophisticated data sniffing technologies.  An alternative to using public networks is to use your mobile’s tethering and hotspot capabilities to work with its 3G/4G data connection.

 

Avoid clicking on unknown shortened links

Shortened links do not show a website’s real name and hence, users are more tempted to click on them. Hackers can easily trick you into clicking on shortened links that redirect to fake lookalike sites and capture sensitive information. Always place your cursor on the link to see target location before clicking on it.

 

Verify a site’s security

SSL technology ensures safe, encrypted transmission of data over the internet and where the recipient is who it claims to be. Do not give out sensitive information (passwords, credit card details, security question answers etc.) on sites that do not have a valid SSL certificate installed (a lock appears on domain name in browser toolbar when an SSL certificate is active)

 

Never enter personal information in pop-ups

Using Iframe technology, popups can easily capture personal information and send to a different domain to the one showing up in browser toolbar. Reputed, established sites rarely ask to enter sensitive information in popups and as a rule of thumb, no personal information should be entered in popups even if they appear on domains with valid SSL and have passed all other phishing checks.

 

Watch out for obviously suspicious emails

Most of us have at some point or the other seen random emails about topics such as news about lottery wins, free downloads of software or other digital products, pending collections of expensive items, urgent deadlines, donations to charities and so on. These typically originate from completely random, unknown sources and are too good to be true. In general, put in extra scrutiny on emails that offer unrealistic rewards or threats and in an abnormal language (too many exclamations, bold letters, underlines etc.)

But of course, even with the most precautionary approach to prevent phishing, it is still possible to fall victim to a sophisticated phishing attack. To further strengthen email security, users should consider installing additional phishing protection software that is purpose-built to sniff out phishing attacks. These include –

 

Anti-phishing toolbars

Anti-phishing tools maintain a constantly updated database of known phishing domains. Every time you try to navigate to a registered domain, the tool shows a warning about potential security threat. Windows Defender Browser Protection, Avira Browser Safety, Bitdefender Trafficlight, Avast Online Security are all examples of anti-phishing tools in this category.  

 

Anti-spam software

While spam and phishing are entirely different malpractices, chances are that if a sender is present in a phishing database, it will also be much more likely to be marked spam. Anti-spam tools use advanced analytics techniques to evaluate an email against a known set of spam characteristics and will likely result in stopping the phishing mails reaching your inbox in the first place. Popular tools in this category include ZeroBounce, SpamTitan, and Email Security.Cloud.

 

Anti-virus software

Anti-virus tools prevent your computer from becoming host to malicious virus that may expose sensitive information on your computer. Take the case of DNS pharming attacks for example. A hacker could install a virus that manipulates your local DNS settings which redirect you to a malicious site for a given domain. Similarly, Trojan-IM programs can steal any account/password information that you might exchange using common messaging tools. Using a good anti-virus tool will prevent these programs from being installed on your local computer and thereby provide more sophisticated phishing defense.

 

Firewalls

These provide a highly cost-effective solution to implementing phishing prevention and are especially useful in corporate environments. Rather than install software on each computer of a network, Firewalls can be used to detect and neutralize phishing emails even before they get to an internal computer. For example, a Unified Threat Management capable Firewall could easily prevent phishing emails from reaching internal machines.

 

Targeted threat protection technology

Targeted threat protection technology ensures that not only are the links in emails clean, but so are any attachments that they may contain.

For cleaning up the URLs, the technology opens up an email link in a sandbox environment and checks to spot symptoms of phishing. If these are absent, the user is redirected to the link. This is done in real-time when a user clicks on the email link rather than on all incoming emails and thereby does not degrade user experience when users try to access their inbox.

To protect against malicious attachments, the technology typically prevents executable files from being downloaded onto the computer. For other files such as word documents, or image files, the target gets to first see a pdf version of the original file. The target can request the original file, and at which point, the software runs a security scan on the original attachment and if successful, the file is delivered to the target.

Behind the scenes, the software constantly observes and learns to spot the various phishing patterns that help it in flagging spoof emails.

 

Types of Phishing Emails and Scams

Phishing scams come in all shapes and form, and there are many types of phishing emails and scams online.  The variations out there are truly staggering and committed hackers often make a living out of constantly innovating to deceive. However, all phishing scams have some common characteristics and can be broadly classified based on target audience, delivery channel and exploit tactic.

Targets Delivery channels Underlying tactic
The targets for most scams are users of high-traffic and very commonly used sites such as Microsoft Hotmail, OneDrive, Dropbox, Facebook, PayPal, Verizon and so on.

Email – A vast majority of phishing scams are delivered via email

Mobile – With smartphone adoption surging to new highs in recent years, sophisticated hackers have started targeting mobile phones for sending out highly targeted phishing attacks.

Message containing a link that leads to a fake site that harvests sensitive data.

Message asking to download/install a file, but which ends up installing dangerous malware that selectively transmits sensitive data.

 

By understanding the characteristics common to most phishing scams and then reviewing some commonly observed examples, end-users can develop highly effective phishing identification, prevention and mitigation approaches for safely using their favorite digital channels. It should be noted that regardless of the classification, most phishing scams are designed to gain access to a user’s personal information and/or bank and credit card details in order to conduct financial and identity fraud.

In the sections below, we provide some known scams reported for both email and mobile phishing.

Phishing emails remain one of the most prevalent methods that hackers try to compromise sensitive information.  Some common examples of phishing email scams are listed below.

 

PayPal Phishing email examples

With over 200 million PayPal accounts globally, PayPal remains a poster boy of email phishing with scammers and cyber criminals putting in inordinate creativity to dupe unsuspecting users by spoofing the PayPal brand. Some common types of PayPal phishing emails include –

 

Verify your account

When a new account is opened, PayPal requires that the email be verified. A scammer could send a legitimate looking email which contains a link to verify the account. The target of this link would typically be a site that looks like PayPal but on closer scrutiny, could well turn out to be a scam to collect PayPal credentials.

 

Your account is limited

PayPal typically restricts the dollar volume of transactions for most of its members. When these limits are exceeded, accounts are put on hold while PayPal requests and processed additional information.

A common scam is to send such a notice to unsuspecting users. The from name in email appears to be from PayPal domain (although the real SMTP sender is different) and the text typically contains a link to remove account limitations. Clicking on this link takes the user to a site which looks like PayPal and requires you to log in to proceed. Capturing your PayPal username/password then becomes trivial even for a low-skilled developer, let alone a sophisticated spammer.

 

Confirm bank account to receive funds

PayPal requires users to setup bank accounts in order to receive funds. A user may get an email containing links that ask him to confirm bank account. The link leads the user to a site which will then ask for account details including online banking username/password and even ATM pin in some cases in order to ‘verify’ that the account belongs to the user.

 

Payment received. Confirm acceptance for receiving funds

PayPal requires users to manually accept payments before they can be transferred into their bank account. User gets an email confirming receipt of some payment for an item and which must be accepted in order to receive the actual credit.  The email may contain a variety of links such as to confirm payment acceptance, view transaction details or simply log in. All these links typically lead to a site that looks like PayPal but is in fact used by a scam artist to capture PayPal login information.

 

Payment completed. Cancel if you did not authorize

User gets an email that an automated payment was sent from his account for a purchase that he most likely never made. The email looks like a legitimate receipt (copy of actual receipts that PayPal sends as receipt of payment) and contains a link to cancel the payment if this payment was made in error or contact customer service. The target site asks the user to login before cancelling or submitting a support ticket and ends up stealing the login credentials.

Instead of attempting to download any links in such emails, or acting on messages that they contain, users should report phishing to PayPal. This can be done by forwarding the entire message to spoof@paypal.com.

 

Credit Card Phishing Emails

Such emails appear to originate from one of the major credit card companies and typically contain notification of serious actions including but not limited to

  • Card blocked out due to unrecognized transaction or some other suspicious activity
  • Account locked due to too many unsuccessful online verification attempts
  • Notice of chargeback and a link to view disputed transaction details
  • Expired PIN or transaction password and notice to reset before allowing further use

Hackers use alarming typography and near perfect duplication of branding from the original company to send out these emails and which contain links to rectify the situation. Clicking on the link redirects the user to a phony site designed specifically to capture account information.

 

Dropbox Phishing Email

Dropbox is a popular online file sharing service used by millions of users worldwide and the sheer scale of its adoption has made it highly susceptible to abuse by skilled hackers. Two types of scams are commonly observed.

 

Email containing link to a shared file

This takes the form of an email apparently from Dropbox and which asks you to view a file that another user shared. Clicking on this link redirects to a fake site that simply collects your Drobox account credentials. The hacker could than transfer malware to your online account and which when downloaded to local hard-drive, could significantly compromise personal information from local files, downloads and browsing history.

 

Email containing link to malware

In this example, a hacker could upload malware onto his account and then share this with you. Unlike the previous instance, this email will actually be from Dropbox but clicking on the download link will simply download malware to your local computer.

A best-practice in all cases of Dropbox phishing emails is to never open a link from someone you do not know. Not only should you ensure that any links point to a valid Dropbox account, but also that you are able to inspect any files to be downloaded before you actually bring them home.

 

OneDrive phishing email

Like Dropbox, OneDrive is an online file storage and sharing platform that is heavily used by Microsoft users, especially in corporate environments. With such a huge install-base, hackers can literally hit gold if they can somehow get users to click on unsuspecting links that involve downloading a file, but which end up either installing malware, or stealing the login credentials by redirecting to fake, account harvesting sites.

 

Verizon phishing email

A very common example of a Verizon phishing email is when a user gets a notification about pending disconnection due to unpaid bills. Unsuspecting users will typically click on the link and be directed to a site that not only makes a fraudulent charge but also captures the user’s credit card information and personal account details. While false credit card usage charges may be disputed relatively easily, it is far more difficult to deal with identity theft that results from a scammer knowing your personal details.

To Verizon’s credit, they provide a fairly up-to-date database of known phishing scams reported by the Verizon user community.  

 

Wire transfer phishing

This type of scam is more common in corporate environments. In this day and age of LinkedIn, Facebook and other such channels, it is rather trivial to harvest a known individual’s official email, contact details, job title, and company name. It is also possible for dedicated scammers to identify high value vendor/client relationships by getting access to key corporate activity around financial transactions and projects. With this information, a scammer can impersonate as a Vendor and send an email to a Client. The Client user knows the Vendor rep by name, recognizes the contact details, and also the signature address. The Vendor politely reminds the Client about a pending invoice which will carry a surcharge if not cleared soon and which may also result in service interruption. The unsuspecting client readily follows the link and makes a wire payment without realizing that the email was actually from vendor@xyzcompony.com and not vendor@xyzcompany.com .

While less common than some of the other phishing email scams, wire transfer phishing scams can often result in substantial and irrecoverable financial loss especially if payments are sent abroad and to companies registered under foreign jurisdictions.

 

Phishing Facebook

With over 2 billion monthly active users, Facebook remains one of the top social media platforms for phishing. Imagine receiving a genuine Facebook message from one of your connections to click on a link.

Chances are that you will click without thinking twice. Why shouldn’t you? After all, the message is genuinely from one of your connections on Facebook. The only problem is that this message was not sent intentionally and is in fact, a phishing email sent from a compromised account.

You click on the link and become host to malware (e.g. trojan horses) which now control your local computer and can easily intercept and steal any sensitive information that you send over the internet or access locally.

 

So how do hackers gain access to Facebook accounts?

Following are some examples routinely reported by users in the Facebook security community

  • You get an email saying that your account has been disabled temporarily for posting offensive content, spam, or any other content that violates Facebook platform usage policies. The email asks you to click a link whose target is simply designed to harvest your account credentials. The message appears entirely legitimate (branding etc.) and comes from ‘Facebook Security’ as email sender and is signed-off by ‘Facebook Team’.
  • You get a fake email saying that your account has been reporting for annoying or insulting other users and that it will be disabled soon unless ‘reconfirmed’.  It contains a link that redirects you to a bogus site designed to capture login credentials and other identity/payment details in order to ‘confirm’ your identity.
  • An email claiming that your account has reported ‘suspicious activity’ and that you must follow a link to confirm your identity within 12 hours or your account will be permanently disabled.   

As hackers get more creative, more such emails would flow through. Facebook has morphed into much more than just a social networking site and now allows users to login to other sites using Facebook and even to make payments via its platform.

The impact of an identity theft on this platform could potentially be disastrous. Never click on any link in any Facebook email and always login directly into Facebook to check the issue. If there has been a genuine breach of security or some other policy violation, it is likely that you will not be allowed to log in.

 

Mobile phishing scams

When it comes to using mobile phones, phishing is commonly implemented in three forms –

 

Using malicious apps

A scammer can create a lookalike of a popular app and then program it to capture sensitive information such as username, password, social security number of bank account details. The attacker can then distribute the malicious app through various stores so that it can be installed by unsuspecting users. Examples could include-

  • A malicious app downloaded on a jailbroken iPhone. Such phones typically lack the rigorous security of standard iTunes store and are highly vulnerable to malicious apps-
  • An app downloaded from a store other than Google Play for Android users. There are many cheaper stores out there for Android phones and which lack the checks and security practices employed by Google. Downloading apps from such stores may well result in malware being installed on your phone.

 

Modifying the behavior of existing popular apps

Many popular apps deliver content using internal browsers. A skilled scammer can easily launch man-in-the-middle attacks to modify the content show and capture sensitive information.

 

SMS phishing

So, what is a phishing text message? It is a type of phishing scam when attackers send phishing SMS (Short Message Service) in an attempt to lure the recipient into providing personal or financial information.

‘Smishing’ as it is frequently called can involve –

SMS containing malicious links

Typically, these messages ask you to click on a link which then redirects to a site where personal/financial information is solicited and stolen.

Automated texts asking to text back

This would be an SMS that attempts to create alarm (e.g. your bank account security compromise, ATM pin locked out, providing confirmation of a legitimate sounding request) and then asks you to reply with some pre-defined text.

Never click on such links or reply to these texts as this could easily result in malware in being installed on your cell phone. This could have devastating consequences ranging from using your phone’s internet connection to have you incur significantly extra data charges, through to stealing highly sensitive information from your phone.

 

Business Email Compromise

Business email compromise (BEC) is a type of phishing attack where a scammer sends out an email using the account of a senior executive (most often as the CEO) and attempts to get the target (typically internal to the company) to transfer funds or other sensitive information.

BEC attacks, unlike normal phishing attacks are highly targeted and involve a lot of planning and use of social engineering techniques on part of the scammer to create legitimate sounding spoof emails.

Given the highly personalized nature of BEC attacks, and the fact that they rarely involve use of malware, such attacks can easily bypass commodity anti-virus software and other threat protection tools and cause crippling damages.

According to a recent report, the total identified global losses from BEC attacks stand at a staggering $12.5 billion with more than 30,000 complaints submitted between June 2016 and 2018 via the Internet Crime Complaint Center platform (IC3).

 

What does a BEC attack look like?

To be honest, they look like an email where the Display Name is the name of a top executive, but the email address is not at the domain of the company.

An example would be John Smith <john@company.com) and the email comes from John Smith <john@company.co)

Notice that the domain name is different, co vs. com…. and at times this is all it takes!

Almost all BEC attacks can be broadly classified into following five stereotypes based on the IC3 complaints mentioned above – 

 

Supplied swindle or Invoice fraud

In this type of attack, a business that has a longstanding relationship with a vendor receives an email asking to pay out an invoice to an alternative account to the one normally used. The email is well disguised in terms of branding and look and feel and sent out from an account that is normally known to the recipient.

 

Email account compromise

This is similar to email spoofing in invoice fraud except that the phishing email comes from a hacked account. There is no malware etc. and given that the sender’s account is genuine but compromised, any checks on validity of sender email address fail to detect the threat.

 

CEO Fraud

A CEO’s account gets compromised and then a staff member gets an email request to do a wire transfer for a certain amount to bank X for reason Y. Given the amount of research that has gone into this targeting, the reason Y is typically very convincing and legitimate.

 

Attorney impersonation

This type of attack involves emails coming out from attorneys or law firms who ask for payment on behalf of their clients in lieu of settling disputes.

 

Data theft

This type of attack typically targets HR or Finance departments in an attempt to steal employee data which can then be used to compromise individual accounts, or identity theft.

Whether the phishing email involves impersonation or account compromise, BEC attacks are very hard to identify and prevent given that they do not involve downloading any malware or ask the targets to visit fake sites.

 

CEO Fraud

CEO fraud is a special type of phishing email that impersonates senior company executives (most often the CEO) and issues requests to some other staff member to make payments or share other sensitive corporate data. This impersonation can happen both via email spoofing and account hacking. Whereas spoofing involves an attacker sending out an email that looks to be from the CEO, the email actually originates from some other domain or company. In account hacking, the attacker manages to compromise the CEO email credentials and sends out payment requests through the actual account.  

Both types of CEO fraud involve highly targeted, spear phishing whereby extensive social engineering techniques are used to first gather important contextual data about the victim who is impersonated and his/her working environment. This involves details such as contact name, departments that he directly controls, people who are authorized to make payments in that company, and information about key projects and vendors. Scammers often also keep a close watch on the Senior Executive’s movements and send out the campaign in his absence in order to justify the request via email rather than in-person.  

 

Zero-Day Phishing Attacks

Traditional anti-phishing technologies have two key components

  • They rely on comparing email links and rogue sender domains against a database of known culprits and then take corrective action where appropriate.
  • They block out emails containing known virus and other malware that are commonly circulated via emails.

In both cases, these tools rely on historical data about spam links and malware to take corrective action. However, launching a new phishing site is a trivial matter that can be accomplished within an hour in most cases. Also, scammers routinely develop new forms of malware and it typically takes a minimum of 48 hrs. for signatures to be developed and deployed. This allows sophisticated attackers to run phishing campaigns in a narrow window when the target phishing links/domains are new or when they circulate malware that has not been identified yet or for which no security patch has been released. These are called zero-day phishing attacks and require advanced, real-time attack monitoring, identification and prevention capabilities.

 

Zero-day phishing attack prevention technology-Key features

Different products offer different coverage and depth of threat identification ranging from monitoring of Microsoft macros, checking embedded code in HTML emails, inspecting hidden JavaScript files, and monitoring infected PDFs or other attachments. At a conceptual level, all these features can be broadly classified into two categories –

 

Intelligence email inspection

In many cases, advanced machine learning techniques are used to verify if an email is a forgery by inspecting key elements such as subject line, font sizes and styling, paragraph formatting, monitoring the text for grammatical and punctuation errors or even its tone, identifying non-existent sender addresses and so on. Most of these tasks are practically impossible for a casual reader to do, without spending an inordinate amount of time analyzing every email.

 

Deep link inspection

Advanced software can actually simulate user behavior around what happens when an email link is clicked. Links are automatically flagged if clicking on them results in known symptoms of phishing. This means that even newly registered links that are not yet present in any blacklist or database can be flagged before they cause harm.

Given the stakes involved in spear and whale phishing attacks, scammers go to great lengths in designing innovative scam campaigns that can have devastating effect if successful.  User education and awareness is necessary but not enough and organizations must also consider deploying such highly specialized, purpose-built email security solutions that are designed for multi-dimensional threat protection including preventing zero-day attacks.

 

Whale Phishing

Whale phishing is a term used to describe phishing attacks that are targeted specifically at wealthy, powerful and prominent individuals such as C-level staff in corporates, high ranking public officials, and senior government ministers. Because of their status, if such an individual is successfully targeted, he can be considered a ‘big phish’ or alternatively, a ‘whale’. While successful whale phishing attempts have been reported for all categories of senior officials above, they are most prevalent in the corporate world and hence, also referred to as CEO fraud.

 

How do whale phishing attacks work?

Almost all whale phishing attacks share the same blueprint. The victim receives an email from a high ranking, senior individual asking him to perform a high-value action such as initiate a wire transfer, carry out some financial transaction, or share information that is normally tightly access-controlled. These attacks may also involve asking the victim to visit spoofed sites that are actually designed for harvesting information or or opening a password protected PDF file that may contain malware. Since the request comes from a person of authority and is usually well disguised, it carries a sense of authority and urgency that compels the victim to act.  It’s social engineering at it’s best.

 

Whale phishing attacks in the digital age

Given the potentially high returns in whale phishing, attackers go to great lengths to create highly targeted and personalized emails. Public information on sites such as LinkedIn, Facebook, Twitter, Quora etc. can provide very detailed information about individuals in specific companies. These could entail details such as name, job title, date of joining, names of people working in a particular department or even the travel schedule of the CEO.

Once a target has been identified, getting his email using his LinkedIn profile name and company domain name is a trivial scraping matter and many prospecting tools exist that specialize in such email harvesting. Once the email is known both for the senior official and his staff, attackers could easily create visual look-alikes of logo, signature etc. and then launch highly personalized whale phishing attacks. We know of cases where the ficticious CEO called an employee to wish them happy birthday (gleaned from Facebook) and then in an email a few days later referenced the call. He said, it was nice to chat to you on your birthday, I will be getting onto a plane in a few minutes, heading to the XYZ conference (from the companies social media) and I need to you handle a few things before I land….The employee fell for it hook, line and sinker. A perfect phish.

 

Whale phishing examples

These are just a few of the examples that make the headlines. Given the high rewards associated with this type of attack, it is entirely plausible that sophisticated attackers have attempted to scam a large number of other businesses, and may well have been successful in many cases.  

 

Snapchat whale phishing

In 2016, popular social media app Snapchat fell victim to a whale phishing attack when a high-ranking employee was fooled into revealing employee payroll data to a scammer. Payroll data contains sensitive information around national identification number, bank details etc. and could easily lead to identity theft if it falls in the wrong hands. The employee in this case, had responded to an email that looked to be from the company CEO.

 

NCC group whale phishing

NCC group, a global provide of independent assurance services reported in 2015 that it was the target of an unsuccessful whale phishing attempt in which attackers tried to con the company staff into sending out a large wire transfer.

 

Tewanga whale phishing

Others were not so lucky. The Executive Director of Tewananga, a finance firm in New Zealand, had to quit her job when she fell victim to a phishing email that appeared to be from here company CEO and which asked her to do an electronic funds transfer.

 

Spear Phishing

Spear phishing is a kind of a phishing attack that targets specific individuals for fraudulently seeking out sensitive information such as financial details, personal information, trade or military secrets. While regular phishing attacks can come from any source, spear phishing involves sending out emails from someone already known to the target. Attackers leverage a couple of important principles to make a convincing attempt at spoofing.

The key thing to remember is  that the email is about social engineering. You are trying to convince someone to take an action, either because it is an expected part of their job function, or because they are motivated to take action based on the urgency of context of the message.

For spear phishing to work, the message needs to be sent out imitating someone already known to the target on a personal level or professional level and the message content must be timely, logical and contextual.

So, unlike mass phishing attacks that simply send out random emails to a large group of people, spear phishing attacks limit their focus to a highly targeted groups or even individuals. We know of many attacks where the Payroll people were identified by their Linkedin Profiles and the attacker made it look like the email came from the CEO and CC’d the payroll manager in the message.

These attacks are not random and involve meticulous planning on part of scammers, typically through social engineering techniques, in identifying targets and preparing compelling messages that solicit action.

 

Spear phishing attack examples

One of the most glaring examples of spear phishing in public sector involves the case of Charles Harvey Eccleston who pleaded guilty to sending out emails to U.S Department of Energy employees. These emails carried a virus that could potentially compromise government computers and result in sending sensitive data about US nuclear weapon program to foreign governments.

In the corporate environment, one of the biggest spear phishing attacks was that on email marketing services company Epsilon back in 2011. The company maintained large databases of emails from multiple corporate clients and more importantly, some very rich behavioral data that could be a goldmine for sophisticated scammer. The attack involved an email with a link to a malicious site which resulted in downloading of Win32.BlkIC.IMG, which disabled anti-virus software, a Trojan keylogger called iStealer, that was used to steal passwords, and an administration tool called CyberGate, which was used to gain complete remote control of compromised systems.

 

Spear Phishing Prevention

Given their highly personalized nature, spear phishing attacks are far more difficult to prevent as compared to regular phishing scams. There is no fixed script that can be followed to prevent spear phishing, but the following best practices almost always work

 

User Education

Awareness, and vigil can help guard against even the most sophisticated attacks. Sketching out the anatomy of a typical spear phishing attack and outlining the perils of falling victim (personal identity fraud, financial loss to company, parting of important trade secrets etc.) can make the users more vigilant in dealing with emails involving links and calls to action.

 

Investing in the Right Technology

Spear phishing involves attackers using emails, file sharing, and internet browsing of target users to gather information which then leads to a targeted attack. Effectively preventing these attacks would require monitoring all these activities and, in many cases, in real-time. This is why, users must invest in the right technology that is purpose-built for such multi-dimensional threat detection and management scenarios. This is very different to antivirus or other malware protection tools that look only at isolated instances of attack.