I’m guessing that you’ve heard of phishing, and I thought I’d provide some words around related topics. Let’s start at the beginning though.
Most people with email will have received a phishing email at some point. Essentially, it’s a mass mail sent to a lot of people indiscriminately, in the hope that one or more of the recipients will reply or click on a link in the message. The bad guys have either provided a link to a compromised website, or to one which will download and install malware, or they note the replies they receive and build a list of people to target with the sort of fake IT support calls you’ve probably read about. These types of attack are relatively simple and unsophisticated. They don’t target individuals and are effectively a random attempt, a bit like fishermen on a trawler using a net: their catch is indiscriminate.
Spear phishing is a bit more sophisticated. It follows the same sort of approach as above, but focuses on specific individuals. These emails typically include your name and may also include a little bit of information about you, and will likely be tailored to some of your likes and interests. Because they are specifically directed at you, and you are the prey, you become the one fish that the bad guys go after while ignoring the others around you: hence “spear phishing”.
Whaling is really just a version of spear phishing, but targeted at the biggest fish (OK, so I know that whales are mammals, not fish, but that’s beside the point). As these are the big fish, you can imagine that they are the biggest prize. Typically the bad guys try to get their hands on large sums of money, and the attack may involve more skilful techniques, like phoning an employee in finance (a technique sometimes called voice phishing, or vishing) and pretending to be one of the big fish, saying that they’ll be emailing shortly to request immediate payment of a bill. Who queries the boss, right? This type of attack is definitely on the increase.
So how do you protect yourself from these sorts of attack? The following tips may help:
- If it seems too good to be true, it probably is
- Don’t click on unknown links in email
- Don’t reply to messages from people you don’t know
- If you are at work and get an email from senior management which, for example, doesn’t follow normal processes, ask for confirmation / clarification – but not by replying to the mail
- Be vigilant – phishing and related attacks are on the increase