Emma Woods

There's Plenty More Phish in the Sea

Phishing is one of the most dangerous attacks that any company or individual faces. It seems there is a different type of phishing attack tailored to everything on the internet. But which are the most dangerous?

1. Angler Phishing- The impersonators.

Angler phishing is a new method that cyber criminals have started to invest their time in. This type of phishing mainly relies on social media. A criminal will first create a fake support page for a social media channel, such as Facebook. The aim of the fake support page is to redirect victims to a phishing website, where they will be asked to log into their personal account.

With the growing number of social media users, this form of attack remains a favourite of cyber criminals. Their methods are constantly advancing and becoming very difficult for people to spot.

Researchers believe that by 2019 a third of the world's population will have at least one social media account each. Hackers are no longer putting all their efforts into email and mobiles; the security game is changing and evolving, and the variety of targets is widening. These days the biggest security challenge companies face is, in fact, social media.

Cyber criminals may wish to hijack a brand's logo or otherwise cause it embarrassment. This can be very damaging to a brand, as a poor reputation can be hard for the public to forget. Fake accounts can also be the result of well-intentioned staff who take it upon themselves to create social media profiles for their company before asking for authorisation.

Screenshot of angler phishing on a fake PayPal Twitter account (AskPayPal_Tech was an example of a fake corporate account made for luring unsuspecting customers onto phishing pages).

2. AI Phishing- Man vs Machine.

AI has been hitting the headlines a lot recently. It has the potential to make everyone's lives easier, but the tables seem to have turned: something that once helped us prevent phishing now seems to be doing the complete opposite.

Hackers are now using it to phish the never-ending list of social media accounts. Bots can now mimic the writing styles of millions of people to launch cyber attacks, and this is only helping cyber criminals succeed. AI not only saves criminals time but also makes their phishing emails more believable.

Phishing scams are already very dangerous and succeed far too often. Hackers have now turned their attention to AI to help develop their phishing methods: AI can gather information from a victim's social media accounts and then automatically customise phishing emails to entice the victim to click.

AI is very new and is still being tried and tested. It is already capable of creating authentic-looking emails whilst scanning through victims' social media channels for information, which makes you wonder what else it is capable of.

AI robot mimicking an employee of a bank.

3. Business Email Compromise- Man in the Email Attack.

This type of attack is very similar to your average phishing email. However, the criminals will impersonate the CEO of a company or someone else with high authority. The aim of business email compromise is to get the target to transfer funds or sensitive information over to the phisher. Unlike traditional phishing attacks, which target a large number of people, the BEC attack is highly focused. What makes this attack so successful is the time a cyber criminal spends scraping compromised email accounts and researching employees on social media for information, in order to make their emails look more authentic.

Business email compromise attacks aren't always after your money; depending on the motive of the cyber criminal, they could be after anything: your data, your money or even your identity. Many companies assume they will never be the target of a cyber attack, so they never take any security measures. Criminals are constantly advancing their skills to do whatever they can to succeed. It is very easy for a hacker to forge a business email or to intercept emails from your domain name.

A phisher impersonating the CEO of a company and requesting private information.

4. Botnet Phishing- Commander of Zombies

Botnets were first designed to help facilitate phishing emails, not create them. A botnet is a network of compromised computers that are used for attacking systems. Criminals use these bots to do all of their dirty work for them. The bots will send out masses of phishing emails to trick consumers into giving away their money. Cyber criminals also turn them against websites and networks; either way, the criminal will always be making money from these botnets.

Although some botnets are completely harmless, a large number of them are used by criminals for nothing but cyber crime. When hackers send out phishing emails, they will always target as many people as possible; they might also take the opportunity to use your email account to send phishing emails to all of your contacts as well. When your computer is part of a botnet, the hacker does not want it leaving... ever. The same malware that infected your computer (to make it part of the botnet) will also prevent you from downloading or running any antivirus programs.

A phishing email from a botnet attack.

5. Charity Scam Phishing- The emotional Manipulator.

You wouldn't think it, but charity scams are becoming pretty common, and they're very simple to conduct. All it takes is a criminal creating an email that appears to be from either a well-known charity or one the recipient has never heard of before.

The email will ask the recipient to donate money to support the charity. Scammers will more often than not play on your emotions, which is why charity phishing is very successful. The email will claim that the money you donate will help children or adults who are suffering from something, such as an illness.

Deception is often the root of these attacks; all the criminal needs to do is manipulate the target into giving away their money. Sometimes all it takes is a simple play on the victim's emotions. The email will usually tell the victim their money will go to a great cause supporting people suffering from a "lifelong disease"; anything that can be used to play on your emotions will most certainly be in the email.

This type of phishing relies solely on the art of social engineering. Scammers will do anything to make their phishing emails look as legitimate as possible, whether that is creating a fake website or using a company's logo in the email; they will do anything to make it believable.

A fake charity email requesting the recipient to donate money.

6. Clone Phishing- The Terror of Two.

Clone phishing is particularly difficult to identify. A cyber criminal will clone a legitimate email the victim has already received in their inbox and replace the attachment with a malicious attachment or download. The cloned email usually claims to be a resend of the original or an "updated version". The email will be used either to extract personal information from the victim, such as a username and password, or to corrupt the target's device with malware. A successful clone attack can often lead to additional clone attacks on similar targets or co-workers.

Receiving the same email twice is not something people tend to worry about. More often than not, they think nothing of it and will open the email. Clone phishing is becoming more difficult to spot: with the copy looking exactly the same as the original, the chances of the victim clicking the malicious attachment increase. Clone phishing can be used to pivot indirectly from a previously infected machine and gain a foothold on another machine, by exploiting the trust implied by both parties having received the original email.

A legitimate email cloned for a phishing attack.
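
One way a mail gateway or an analyst could spot the pattern described above, as an added example that is not part of the original post: the check compares a newly received message with the earlier one it claims to resend and reports when the body matches but the attachment bytes or the sender's domain have changed. The messages are built with Python's standard email library; the sample addresses, subjects and attachment bytes are constructed for this example.

```python
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Prefixes a "resend" or "updated version" typically carries (constructed list).
PREFIX_RE = re.compile(r"^\s*(re|fw|fwd|update|updated|resend|re-send|revised)\s*:\s*", re.I)


def normalise_subject(subject):
    """Lowercase the subject and strip any number of reply/forward/'updated' prefixes."""
    subject = str(subject or "")
    stripped = PREFIX_RE.sub("", subject)
    while stripped != subject:
        subject, stripped = stripped, PREFIX_RE.sub("", stripped)
    return subject.strip().lower()


def fingerprint(raw_bytes):
    """Reduce a raw RFC 5322 message to the fields a clone check compares."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    sender = str(msg["From"] or "")
    domain = sender.rsplit("@", 1)[-1].strip("> ").lower() if "@" in sender else ""
    # SHA-256 of every attachment's decoded bytes, keyed by file name
    attachments = {
        part.get_filename(): hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        for part in msg.iter_attachments()
    }
    return {
        "subject": normalise_subject(msg["Subject"]),
        "body_sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
        "sender_domain": domain,
        "attachments": attachments,
    }


def clone_indicators(earlier_raw, later_raw):
    """Explain why `later_raw` looks like a clone of `earlier_raw`.

    An empty list means the messages are unrelated, or the later one is a
    benign byte-identical resend from the same domain.
    """
    earlier, later = fingerprint(earlier_raw), fingerprint(later_raw)
    if earlier["subject"] != later["subject"] and earlier["body_sha256"] != later["body_sha256"]:
        return []  # not a copy of the earlier message at all
    findings = []
    if earlier["sender_domain"] != later["sender_domain"]:
        findings.append(f"sender domain changed: {earlier['sender_domain']} -> {later['sender_domain']}")
    for name, digest in later["attachments"].items():
        if name not in earlier["attachments"]:
            findings.append(f"new attachment: {name}")
        elif earlier["attachments"][name] != digest:
            findings.append(f"attachment replaced: {name}")
    return findings


def build_message(sender, subject, body, attachment_name, attachment_bytes):
    """Construct a sample message; all content is made up for this example."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "finance@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(attachment_bytes, maintype="application", subtype="pdf", filename=attachment_name)
    return msg.as_bytes()


BODY = "Hi, please find attached this month's invoice.\n"
ORIGINAL = build_message("accounts@example.com", "Invoice 2041", BODY,
                         "invoice-2041.pdf", b"%PDF-1.4 constructed original invoice")
# The clone: same body, "Updated:" subject, lookalike domain, attachment swapped.
CLONE = build_message("accounts@example-billing.com", "Updated: Invoice 2041", BODY,
                      "invoice-2041.pdf", b"%PDF-1.4 constructed malicious payload")
# A benign resend from the real sender with the identical attachment.
RESEND = build_message("accounts@example.com", "Re: Invoice 2041", BODY,
                       "invoice-2041.pdf", b"%PDF-1.4 constructed original invoice")

if __name__ == "__main__":
    print("clone :", clone_indicators(ORIGINAL, CLONE))
    print("resend:", clone_indicators(ORIGINAL, RESEND))
```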

7. Content Injection Phishing- The Content Manipulator.

This is a very sneaky type of phishing. It involves a criminal hacking into a specific website and replacing certain parts of its content with their own malicious content. The false content is designed to mislead the victim and convince them to give away their personal details. The hacker will record the information entered by the victim but continue to pass it on, so the user's transactions are not affected. Later they will either use or sell the target's information or credentials when the user is not active on the system.

Most hackers tend to target well-known company websites for content injection phishing. If the website is very well known and has major competitors, the issue can be abused by malicious competitors or disgruntled employees. Another factor that heightens the risk is a hacker conducting SEO injection, which could push customers to switch to competitors' products. It could also lead to monetary loss, a fall in the company's shares, or devices infected with malware.

A manipulated content phishing attack on a bank's website.

8. Cloud Phishing- Attack of the Clouds

Historically, phishing targeted users who were unaware of the practice of acquiring credentials via social engineering. In an attempt to steal this data, hackers would pose as a legitimate company or somebody the victim knows with authority, perhaps from their work. With more and more people understanding how to spot a generic phishing email, hackers have refined their techniques and are now launching more advanced cloud phishing attacks. The victim will receive an invite to view a Google Docs document from a "friend"; what they don't know is that once they click on the attachment, their credentials will be requested to "confirm who you are".

These scams are so simple yet so effective that people don't associate them with phishing. The aim of cloud phishing is to access all of your information and data in the cloud. For example, if it was Google Drive, the criminal will want to try to access your Google account, Gmail, Google Play and Android applications. This type of next-generation phishing will see hackers manipulate user trust even further by creating malicious applications disguised as legitimate apps. The widespread use of SaaS applications has made this a very attractive vector for cyber criminals.

A cloud phishing attempt to access the victim's information on Microsoft.

9. Deceptive Phishing- The Oldest Phish in the Pond.

This type of phishing is the oldest trick in the book; the majority of people will have received a phishing email in their inbox at some point in their lifetime. This type of phishing will be after either your data or your money. More often than not these emails will appear to be from a legitimate source such as your bank, and the content of the email will usually ask you to confirm who you are, or claim that an error has occurred and your details are needed to continue.

Even though this method of phishing has been around for a very long time, it still fools many people daily. With the major advancements in technology, criminals have multiple gateways through which to perform their phishing attacks. Since the start of phishing, criminals have made many advances in making their emails look more legitimate to targets; it is becoming very difficult to spot a simple phishing email now, mainly due to their "authentic" look.

Deceptive phishing attack appearing to come from a legitimate bank.

10. Filter Evasion Phishing- The By-passer.

Awareness of phishing has certainly increased, and people are doing what they can to keep phishing emails out of their inbox. Any good email client will have a built-in filter to detect and destroy phishing emails. It may be all well and good to have these filters implemented, but it won't stop a cyber criminal from gaining access. Scammers will use malicious images to bypass the email text filter.

An attempt at filter evasion on an individual's Facebook account.

11. Hashtag Phishing- The trendsetter.

Criminals can now use social bots to infiltrate conversations on social networks centred around trending hashtags. Scammers will command the bot to create thousands of posts containing trending hashtags along with a malicious link. The bots are mainly used to make money from the data they extract; criminals will often sell the data to cyber criminal networks, or even use the data themselves to access the victims' bank details and extract money from all of their accounts.

No company can control or even own the hashtags it promotes. People assume hashtags are innocent and have no association with phishing, which is why hashtag phishing is very successful. A retweet/share storm is another way criminals disseminate malicious links: criminals will create a fake profile and then a post containing a malicious link. Thousands of social bots are then used to connect to the profile and retweet and share the post to reach the widest audience possible, luring in as many victims as they can.

A social bot conducting a hashtag phishing attack on Twitter.

12. Homograph Phishing- The undetectable.

Homograph attacks are phishing schemes in which the scammer takes advantage of the ability to register internationalised domain names that resemble well-known ones, such as "apple.com". The criminal will use non-Latin characters that look the same as Latin characters. With this technique, attackers can create a lookalike of the already-taken domain name of a popular brand such as Amazon. They will use the lookalike characters available to them to convince a user that they are visiting the brand's site when in reality they are being phished by a well-disguised impostor.

This scam is very dangerous; you could even say it's undetectable. When two domains look exactly the same, yet one of them will phish you, which one do you choose? This is becoming a very common issue. Many people already know to look at the URL of a website if they are unsure whether it is legitimate, but if it looks the same as the legitimate website's URL you are bound to trust it. Homograph phishing opens up many opportunities for an attacker: they could register a domain name that looks just like a legitimate website's but with some of the letters replaced by homographs, and then easily send phishing emails that appear to come from a legitimate source when in fact they come from the look-alike domain.

A homograph phishing attack on an international domain.
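
An added example (not from the original post) of the defender's side of this: decode a hostname's punycode form, flag labels that mix scripts or use lookalike characters, and compare the resulting Latin "skeleton" against a list of protected brands. The confusable table and the protected-domain list are small constructed samples; a real deployment would use the full Unicode TR39 confusables data.

```python
import unicodedata

# Constructed sample of non-Latin letters that render like Latin ones
# (a hand-picked subset of the Unicode TR39 confusables data).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u0261": "g",  # Cyrillic / IPA
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                  # Greek
}

# Domains worth protecting against lookalikes; constructed for this example.
PROTECTED_DOMAINS = {"apple.com", "amazon.com", "paypal.com"}


def script_of(ch):
    """Coarse script classification taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "OTHER"


def to_unicode(hostname):
    """Decode a punycode (xn--) hostname to its Unicode form; pass others through."""
    try:
        if hostname.isascii():
            return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    return hostname


def analyse_hostname(hostname, protected=PROTECTED_DOMAINS):
    """Describe how a hostname could be mistaken for a protected domain."""
    raw = hostname.strip().rstrip(".").lower()
    decoded = to_unicode(raw)
    # NFKC folds compatibility forms such as fullwidth letters onto plain ASCII
    unicode_form = unicodedata.normalize("NFKC", decoded)
    try:
        punycode = unicode_form.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None
    findings = []
    if unicode_form != decoded:
        findings.append("compatibility characters folded by NFKC normalisation")
    skeleton_labels = []
    for label in unicode_form.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
        if skeleton != label:
            findings.append(f"label {label!r} is confusable with {skeleton!r}")
        skeleton_labels.append(skeleton)
    skeleton = ".".join(skeleton_labels)
    if skeleton in protected and unicode_form != skeleton:
        findings.append(f"lookalike of protected domain {skeleton}")
    return {"unicode": unicode_form, "punycode": punycode, "skeleton": skeleton, "findings": findings}


def is_suspicious(hostname, protected=PROTECTED_DOMAINS):
    """True when any lookalike indicator fires for the hostname."""
    return bool(analyse_hostname(hostname, protected)["findings"])


if __name__ == "__main__":
    # Cyrillic "а" (U+0430) in place of Latin "a"; the browser would show xn--pple-43d.com
    for host in ("apple.com", "\u0430pple.com", "xn--pple-43d.com"):
        print(host, analyse_hostname(host))
```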

13. Key-logging Phishing- The keyboard Wizard.

Keyloggers are a serious threat to users and their data. They track keystrokes to intercept passwords and other sensitive information typed on the user's keyboard. This gives the hacker the opportunity to access the PIN codes and account numbers for all of the user's online accounts. Keylogger operators will more often than not send phishing emails to the target. The email will contain a link or attachment that will download the keylogger onto the victim's computer once clicked.

Keylogging attack to intercept passwords and other forms of sensitive information.

14. Malware-based Phishing- Double the Trouble.

Phishing itself is lethal, but phishing with malware is even worse. The number of emails carrying malware reached a new high in July last year, with one in every 359 emails carrying a malicious payload. Phishing attacks depend on more than just sending the email to the victim; it is about being able to manipulate the victim into clicking the malicious link or attachment. Unlike most phishing emails, which try to get you to give up your passwords and credentials, malware-based phishing is slightly different: if you click the link or attachment in the email, malicious software will be downloaded onto your device. Pretty much any device can become infected with malware.

Malware phishing goes a lot deeper than a simple phishing email. Typically the malware collects sensitive information such as passwords and usernames from your computer and sends it to criminals; sometimes the malware downloaded from the phishing email will go on to download and install further malware. Depending on the type of malware downloaded, it could potentially make your computer join a botnet (a large collection of infected computers that a criminal can control from afar).

A malware-based phishing attack appearing to come from Microsoft.

15. Man in the Middle Attacks- The Eavesdropper.

Man in the middle attacks usually start with a simple phishing email. The sender of the email pretends to be a legitimate source such as your bank and asks you to log in to your account to confirm your details. There will be a link in the email that directs you to an external website that appears legitimate, where you will be asked to log in and perform the requested task. Attackers sometimes target the email accounts of banks and other financial institutions. Once they gain access, they can monitor transactions between the institution and its customers.

What cyber criminals especially love about man in the middle attacks is how often they can be accomplished leaving no trail. A man in the middle attack can happen in any form of online communication, such as email, social media or web surfing. Not only are criminals trying to eavesdrop on your private conversations, they can also target all the information inside your devices. Essentially everyone is at risk, but the main targets are those in senior or executive positions in businesses. Hackers are always on the lookout for anyone who deals with sensitive information, particularly those who might have access to trade secrets or financial data.

Man in the middle attack conducted to monitor a target's transactions.

16. Malvertising- The Plague of Online Ads.

Malvertising is the term given to malicious adverts, which are often displayed on high-traffic websites via third-party advertising networks. The adverts are used to direct web visitors to malicious websites, which will more often than not download ransomware or other malware onto the target's device without them knowing. There has been a massive increase in malvertising phishing attacks; the aim of these ads is to obtain sensitive information, such as bank account information, passwords and other forms of credentials.

Malvertising is becoming more popular with cyber criminals as it can be spread so easily and is very difficult to identify. The websites that these adverts direct users to often promise a free gift in exchange for taking part in a survey. The aim of the survey is to obtain sensitive information such as bank details and other types of sensitive credentials. The information can be used for a wide range of nefarious purposes. Cyber criminals are keen to gain access to corporate email accounts for the data they contain and to use them to send phishing emails.

A fake advert offering a free iPhone 8. The advert contains malware.

17. Nigerian Scam- The Internet's oldest hustle.

A typical Nigerian scam involves an emotional email. The email will be sent to a long list of targets to increase the chances of a response. This type of scam relies on the manipulation of human emotions. The scammer will be very persistent and ask you to pay more and more money for additional services. This scam is most certainly a method of social engineering: criminals will play on your emotions until they get what they want. More often than not, the scammer will claim to be a member of a wealthy family who needs help retrieving a large sum of money from a bank, saying that in exchange they will return the money.

Several years ago, Nigerian phishers appeared on the radar for the first time. This method is one of the most famous phishing scams known to man. As the scammer promises to return the money, victims will usually send money across. The time-tested formula for these frauds is to draw in victims with a series of messages that mention a large sum of money; the scammer gradually manipulates victims into revealing bank account details or forwarding money to the scammer.

A Nigerian phishing email requesting money from the recipients.

18. Pharming- The DNS Hijacker.

Pharming refers to redirecting website traffic through hacking, whereby the hacker deploys tools that redirect a search to a fake website. Pharming causes users to find themselves on an illegitimate website without realising it, as the website will look completely legitimate. Pharming is certainly not new but is still a favoured method of attack. Unlike most forms of phishing, pharming actually takes a great deal of technical acumen.

Just like any type of social engineering attack, pharming depends on the fact that people are often the weakest link in the security chain. While pharming is not as common as phishing scams, it can affect many more people at once. This is especially true if a large DNS server is modified. Phishing attempts to scam people one at a time with an email, while pharming allows the scammer to target large groups of people at once through domain spoofing.

Pharming attack on the Amazon website.

19. Search Engine Phishing- The Answer Machines.

You can guess from the name what this type of phishing involves. Search engine phishing occurs through online search engines, such as Google and Bing. The victim will encounter offers or messages that entice them to visit a website. The search process will seem legitimate, but the website is actually fake and exists only to steal personal information. Search engine phishing can come in many forms: discounted offers, job offers or even a free prize of some sort; sometimes the scammer may instead choose to scare the victim into providing information because of some emergency or urgent situation.

People tend to forget that these fraudulent pages exist on legitimate search engines. These types of scam can cause financial losses for individuals and businesses alike. Unfortunately, they aren't easy to spot until you've visited the phoney site. Search engine phishing scams can come in many forms, such as free or discounted offers: the website you visit may offer products at discounted prices or for free, and in order to obtain the item confidential information will be requested. Another form of search engine phishing advertises job offers, where information such as a social security number will be requested; this is where the criminal uses the target's information either to steal the victim's identity or to gain access to their money.

A search engine phishing attempt in the form of a Google advert.

20. Social Media Phishing- The Pandemonium of Privacy.

Nearly everyone has a social media account of some kind. Unfortunately, attackers know this and often gather information on potential targets from their social media channels. Social networks are becoming a very popular source of information for these phishers. It's much easier to customise these types of attack because the information they require is already available to them. The rise of social media has paralleled the emergence of phishing as a security threat to the enterprise.

Spear phishing in particular benefits from the social network world. By their very nature, social media sites make it easy for us to stay in touch with anybody, and on social media pretty much everyone lets their guard down. One phishing attack tailored to the look and feel of a single social network can easily target a very large number of people. With the growing use of social media, these types of attack are going to become much more common and effective.

Scammers on social media sites are masters of their craft, and their tactics are demonstrably more effective than those of their email-based counterparts. Social media phishing can range from spam bot comments to phoney competitions and dangerous direct messages from "friends" and "family" asking you to click on a link or malicious attachment.

An image of 3 fake Facebook profiles.

21. Spear Phishing- Bait, Hook and Catch.

Phishing never stops growing and reforming; there seems to be a method of phishing tailored to everything out there. Spear phishing is a much more targeted approach aimed at a specific individual or business. The intent of this type of phishing can vary from wanting to gain access to personal data to installing malware on the victim's device. People tend to forget that cyber criminals are very patient people; if they need to, they will wait for the right moment. Whilst waiting, the attacker will use the time to learn as much as possible about the individual or the business, and will then use this information to tailor the phishing email to the target, increasing the chances of success.

Unfortunately, cyber criminals are becoming much more adept at crafting convincing spear phishing campaigns. A wide range of social engineering techniques is used to fool employees into responding to the emails, and the campaigns are becoming extremely difficult to identify. Your usual phishing attack will try to convince the victim to click the link or attachment in the email, to disclose personal information or download malware onto the victim's device; spear phishing attacks are a lot more sophisticated, with time and effort put into them. Spear phishing messages are customised with specific references to people and projects that recipients know.

A spear phishing attack from a phisher posing as a CEO.

22. Smishing- The Scam That Fits In the Palm of your Hand

Most people are familiar with the term phishing, where an unsolicited email asks you to provide sensitive information such as credentials. The term smishing is a mashup of the words phishing and SMS (short message service); just like a phishing email, the aim is to obtain your personal data. The text messages usually appear to be from your bank, asking you either to verify who you are or claiming that somebody has tried to gain access to your account; either way, the aim of the message is for you to hand over your details. Scammers use a variety of techniques to trick people into giving away their information or clicking on links. Smishing is not new, but a lot of people are less cautious with a simple text message than they are with a standard phishing email.

Smishing scams have been around since 2008. When you click on the link in the text message, it's just like clicking the link in a phishing email: you will be redirected to a bogus site where you will be asked to fill in your information. Sometimes clicking on the link in the text may install a keylogger instead, which will be able to track everything typed into your phone; this saves the criminal a lot of time, as they can access your data without even asking for it. Smishing is a very attractive type of attack for criminals: it does not take much time to create and is much cheaper than trying to hack into somebody's device.

A smishing text appearing to come from a legitimate bank, requesting information from the victim.

23. Snowshoeing- The Spam God.

While spam itself is usually harmless, there is always the threat that snowshoe spam might evolve into a gateway for a larger and more sophisticated phishing attack. Like all spammers, snowshoe spammers anticipate that some of their unwanted emails will be trapped by the spam filter. However, snowshoe spamming gives more emails a chance of getting through to an inbox, where they can reach a computer user. To make matters worse, it is very difficult to block snowshoe spam: the content of the emails always resembles a legitimate email, and it is very hard to identify whether the emails are authentic or not.

Snowshoe spam is not sent from one computer; instead it is sent from thousands of machines, each sending messages in low volume. It may be easy to block spam coming from one location, but when it comes from many, it becomes difficult for anti-spam software to keep up. This technique evades detection by using a large number of IP addresses to spread out the spam load, making it hard to identify and trap the spam email. This method continues to be effective and doesn't seem to be slowing down anytime soon; the volume of snowshoeing is on the rise, reaching more inboxes and jeopardising end-user productivity.

LinkedIn snowshoeing attack, sent from thousands of computers.
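
An added example, not part of the original post, of how the "many IP addresses, low volume each" pattern can be picked out of a mail server log: messages are grouped by subject template and flagged when they arrive from many distinct addresses and /24 networks with only a few messages per address, while a single-host bulk mailer and a low-volume newsletter are left alone. The log line format, the addresses and the three campaigns are all constructed for this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed log line format for this example (not any real MTA's format):
#   <timestamp> client=<ip> from=<address> subject="<subject>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<ip>\S+) from=(?P<sender>\S+) subject="(?P<subject>.*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def subject_key(subject):
    """Collapse numbers, whitespace and case so lightly personalised subjects group together."""
    return re.sub(r"\s+", " ", re.sub(r"\d+", "#", subject)).strip().lower()


def campaign_stats(records):
    """Per subject template: message count, distinct sender IPs, distinct /24s, busiest IP."""
    groups = defaultdict(list)
    for record in records:
        groups[subject_key(record["subject"])].append(record)
    stats = {}
    for key, recs in groups.items():
        per_ip = Counter(r["ip"] for r in recs)
        nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in per_ip}
        stats[key] = {
            "messages": len(recs),
            "distinct_ips": len(per_ip),
            "distinct_nets": len(nets),
            "max_per_ip": max(per_ip.values()),
        }
    return stats


def flag_snowshoe(records, min_ips=10, min_nets=5, max_per_ip=3):
    """Return subject templates spread thinly over many IPs and networks (the snowshoe pattern)."""
    return sorted(
        key
        for key, s in campaign_stats(records).items()
        if s["distinct_ips"] >= min_ips
        and s["distinct_nets"] >= min_nets
        and s["max_per_ip"] <= max_per_ip
    )


def constructed_log():
    """Synthetic lines: one snowshoe campaign, one single-host bulk mailer, one newsletter.

    Addresses are private/documentation ranges chosen for the example only.
    """
    lines = []
    for i in range(24):  # 24 sender IPs across 8 /24s, one message each
        ip = f"10.0.{i // 3}.{10 + i % 3}"
        lines.append(
            f'2019-03-01T09:{i:02d}:00 client={ip} from=invite{i}@example.net '
            f'subject="You have {i + 1} new LinkedIn invitations"'
        )
    for i in range(20):  # classic bulk spam: one host, many messages
        lines.append(
            f'2019-03-01T10:{i:02d}:00 client=203.0.113.7 from=promo@example.org subject="Cheap meds"'
        )
    for i in range(3):  # low-volume legitimate newsletter
        lines.append(
            f'2019-03-01T11:{i:02d}:00 client=192.0.2.{i + 1} from=news@example.com subject="Weekly digest {i}"'
        )
    return lines


def run_detection(lines=None):
    """Parse the given lines (or the constructed sample) and return flagged subject templates."""
    source = lines if lines is not None else constructed_log()
    records = [r for r in map(parse_line, source) if r]
    return flag_snowshoe(records)


if __name__ == "__main__":
    print(run_detection())  # ['you have # new linkedin invitations']
```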

24. Tabnabbing- Never Turn Your Back

Tabnabbing is a type of phishing scam where a website you have open changes its appearance to look like a different but familiar website while the tab is open and inactive. The changes to the website will not be dramatic or obvious; the criminal is trying to make it look exactly the same. Advances in technology allow con artists to rewrite tabs as well as the content of websites while the tabs stay inactive. The attack takes advantage of the user's trust and inattention while opening multiple tabs in a browser and can deceive the victim into submitting sensitive credentials or other sensitive data.

Traditional phishing techniques largely rely on a link or malicious attachment; if the user is educated and suspicious enough to ignore the email, the attack fails. These days scammers are able to spoof just about any legitimate website. Tabnabbing is particularly dangerous if you enter your information on a phoney website pretending to be your online bank account. As well as being able to tweak and change the website, tabnabbing allows hackers to detect which website the user is visiting or which websites the user visits regularly.

Tabnabbing attack on Google Chrome.

25. Vishing- Dialling for Dollars.

Phishing by email is not the only way someone can be tricked into giving away their data. It is becoming quite common for hackers to phish somebody by a phone call. As long as consumers have money to spend criminals will most certainly work hard to steal it. Vishing itself relies on social engineering, unlike phishing the criminal can no longer hide behind a screen and type some excuse to why the victim should hand over their personal details. Vishers have to speak to the victims via a phone call. Vishers will more often than not impersonate someone from a particular job role such as someone working for a bank.

One very common misconception about vishing is that the attacks target average consumers. However, businesses are also common in the cross hairs. If a scammer really wanted to, they could target businesses, not only to obtain private user information but also to potentially scam those businesses out of their money and data. The vishers use many techniques to succeed in their attack, many of them choose to mumble throughout the conversation to make it unclear to the victim what is being said to them. A new technique vishers have started to use is to appear as IT support, this makes the victim think they can trust the Visher as they have “IT experience”.


Vishing attempt to steal an individual's personal data.


26. Watering Hole Attacks- Predator vs Prey.

A watering hole attack is a malware-based attack in which the hacker observes the websites visited by the victim and then infects those websites with malware. Unlike phishing, which targets victims directly, this method involves the scammer setting a trap and waiting for the victims to come to it. Either legitimate sites are infected with malware, or phishers create bogus sites (often imitations of legitimate ones), and the targets are the users who frequently visit those sites. The term "watering hole attack" refers to predators in nature that lurk near watering holes in the hope of attacking nearby prey. In the cyber world, these predators stay on the prowl near websites that are frequently visited by their prey.

Just like spear phishing, watering hole attacks have a high success rate. Why? Because the information the hacker requires is easily obtained with simple techniques and tools. Watering hole attacks are strategically planned: instead of targeting random websites, the attackers carefully select legitimate and trustworthy websites that their targets use regularly. Once the attacker infiltrates the network they can also modify or delete crucial files and launch further attacks, resulting in a huge loss of respect, money and data. These attacks have an upper hand over other forms of phishing because they work without employing exhaustive social engineering techniques, so they involve a lot less work. The only requirement is to compromise a website.


Step-by-step process of a watering hole phishing attack.


27. Whaling- Going After the Big One.

Just like phishing, whaling relies on social engineering methods to get the target to give away their details. A whaling attack specifically targets senior management, the people who hold power in the company and have access to valuable data. The name comes from the size of the targets relative to those of typical phishing attacks. Whaling attacks are harder to spot because they are so highly personalised and are only sent to selected targets within a company. Criminals tend to get a high return from whaling attacks, so attackers spend more time personalising the email as much as possible. Before the criminal even sends the email, they will research the victim on social media and any other profiles they have online, just to gain all the information they can about them.

Whaling attacks can easily be confused with phishing attacks because of their similar nature. Both are online attacks aimed at users, whether employees in a business or random people picked out of a hat; pretty much anyone can be a victim. Whaling itself is actually a form of spear phishing. Both spear phishing and whaling take a lot more time than a simple phishing email: a lot of research is conducted just to make the email more authentic and believable, and as the email is only sent to a small number of people, the success rate will be a lot lower. The attackers will always want to use the authority of the "whale" to convince people to do what they want.


Whaling attack in which the phisher poses as the CEO of a company.

There's no simple answer to combat the ever-growing phishing threat. Part of the issue is a lack of security awareness. Even though phishing has been around for quite a while now, not many people know how to spot or prevent it. The answer is simple really: implement a good security awareness program. It will allow you to locate your end users' knowledge gaps and educate them on the cyber threats that could destroy the business.
