What they are and how you can avoid them
It’s been two and a half decades since the term phishing was coined to describe hackers stealing AOL accounts and passwords.
Since then, not only has the Internet evolved but so have attackers’ attempts to use emails to lure users into entering passwords.
There are three types of phishing campaigns attackers use to obtain information or deliver malicious macros into corporate IT networks.
- Phishing emails are sent out to a large group.
- Spear phishing campaigns are targeted to a narrow group of individuals.
- Whaling campaigns go after high-profile employees.
At The KR Group, we know users are a company’s biggest vulnerability, so we test users’ awareness of phishing campaigns in our Purple Team Hive Assessment. By showing exactly how vulnerable companies are to phishing scams, we’ve taught hundreds of people how to avoid this security downfall.
The first step to identifying any of the three types of phishing scams is understanding what they are and what they look like.
What is phishing?
A phishing email is a broad attempt by attackers to obtain information from your users and, ultimately, deliver malicious content.
Phishing campaigns use a “spray and pray” approach when sending out emails.
Attackers spoof an address they believe users will mistakenly trust and send an email blast to a contact list they acquired from the dark web or through extensive research.
They then hope some of the users are lured into entering confidential information or downloading a malicious file.
As a security adviser whose services include ethical phishing campaigns, here at The KR Group we have seen firsthand how effective this type of attack can be.
The emails we send in these campaigns look similar to real, malicious phishing emails, but they don’t record any of the user’s information.
Phishing campaigns aren’t always so generalized, though. That’s where spear phishing comes in.
What is spear phishing?
Since users are becoming wary of phishing scams, attackers are evolving their methods and narrowing their focus.
While phishing campaigns are sent to the majority or all of your users, spear-phishing campaigns are targeted towards a specific set of employees. The attackers send these kinds of emails to a specific department or select individuals in your company, and they’re successful.
Around 95% of all attacks on enterprise networks are the result of a successful spear phishing attack.
Spear phishing campaigns usually involve some type of research on the attacker’s behalf to determine how he or she should target your organization and make the email appear more genuine.
A common example of spear phishing we see is an attacker posing as the chief financial officer or the head of the financial department and asking for other finance department employees to enter company credit card information for payment.
As you might guess, phishing schemes don’t stop there. Attackers have also directed their attention toward catching the big fish in an attempt commonly referred to as “whaling.”
What is whaling?
If attackers want to home in on their target even more than a spear phishing attack does, they launch a whaling campaign.
Like spear phishing, this type of attack includes research on the attacker’s part. However, whaling campaigns specifically go after executives and high-level employees.
These targets are easier to gather contact information on, and they typically have access to more internal information because of their status.
For attackers to successfully lure these targets into a whaling campaign, they may pose as another employee in senior management or from an external organization, such as the IRS or high-level courts.
When posing as either source, attackers will customize the email to the target. They’ll also rely on a sense of urgency to catch recipients off-guard and disregard the awareness they may have about phishing campaigns.
How should you respond to a phishing attack?
If an email you think may fall into one of these three categories makes its way into your or your users’ inboxes, your company should have a policy in place to guide employees in their response.
While the process can be modified to fit your company’s needs, there are a few basic principles we recommend:
- Don’t click on anything.
If you open an email and it looks like it might be a scam, don’t click on anything.
If you’re overly suspicious and the email ends up not being malicious, an abundance of caution didn’t cost you anything. However, if you decide to go ahead and click on a link that you think probably isn’t suspicious, then you could expose your whole network to malware.
You’d rather be safe than sorry.
- Contact your IT department.
They’ll be able to help verify if the suspicious email is indeed malicious, and alert other employees of the existing threat.
Don’t delete the email until your IT department tells you to because they may want you to take a screengrab or forward it to them.
- Block the sender.
Hackers use a number of spoofed email addresses to sneak their way into inboxes, so they won’t necessarily attack again from the same address.
However, if they do, the blocked message won’t reach your inbox.
- Delete the email.
Once your IT department has given you the all clear, delete the email so you don’t accidentally fall for the phishing lure in the future.
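When a user forwards a suspicious email to IT, the first thing the IT team wants to know is whether the message shows the spoofing and urgency traits described above (a senior employee’s name on an address outside the company, a look-alike domain, a Reply-To that goes somewhere else, a “do it now” subject line). The following script is an added example, not code from the article or from The KR Group; it parses the raw headers of a message and lists those indicators. The internal domain, the executive names, the urgency terms and both sample messages are constructed assumptions for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the article): the organisation's own
# mail domain and the display names of senior staff that are worth protecting.
INTERNAL_DOMAIN = "example-corp.com"
EXEC_DISPLAY_NAMES = {"jane doe"}
# Subject-line cues that pressure the recipient to act before thinking.
URGENCY_TERMS = ("urgent", "immediately", "asap", "wire transfer")

# Constructed sample: a whaling-style lure aimed at the CFO.
SAMPLE_WHALING = """From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: finance-urgent@mail-relay.example.net
Return-Path: <bounce@mail-relay.example.net>
To: cfo@example-corp.com
Subject: URGENT: wire transfer needed before 5pm today

Please handle immediately and confirm.
"""

# Constructed sample: an ordinary internal message from the same executive.
SAMPLE_BENIGN = """From: "Jane Doe" <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Q3 budget review notes

Attached are the notes from today's meeting.
"""


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalize_domain(dom):
    """Fold common look-alike substitutions so 'examp1e' compares equal to 'example'."""
    for fake, real in (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")):
        dom = dom.replace(fake, real)
    return dom.lower()


def triage_headers(raw_message):
    """Parse raw RFC 5322 headers and return spoofing/urgency findings with a verdict."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Executive display name on an address outside the company domain.
    if from_name and from_dom != INTERNAL_DOMAIN and any(
        name in from_name.lower() for name in EXEC_DISPLAY_NAMES
    ):
        findings.append(f"executive display name with external address {from_addr}")

    # 2. A domain that only looks like ours after look-alike folding.
    if from_dom != INTERNAL_DOMAIN and normalize_domain(from_dom) == normalize_domain(INTERNAL_DOMAIN):
        findings.append(f"look-alike sender domain {from_dom}")

    # 3. Replies would go to a different domain than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain")

    # 4. Bounce address (envelope sender) does not match the visible sender.
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"Return-Path domain {domain_of(return_path)} differs from From domain")

    # 5. Urgency language in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [term for term in URGENCY_TERMS if term in subject]
    if hits:
        findings.append("urgency cues in subject: " + ", ".join(hits))

    score = len(findings)
    return {"findings": findings, "score": score, "verdict": "review" if score >= 2 else "low"}


if __name__ == "__main__":
    for label, sample in (("whaling", SAMPLE_WHALING), ("benign", SAMPLE_BENIGN)):
        result = triage_headers(sample)
        print(f"{label}: {result['verdict']} ({result['score']} findings)")
        for finding in result["findings"]:
            print("  -", finding)
```

Each check is deliberately simple so the reasoning behind a finding can be explained to the user who reported the message; the point of the verdict is to decide which reports get a human look first, not to replace the mail filter.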
How can you avoid phishing, spear phishing, and whaling?
Attackers are using different forms of phishing campaigns to lure users into entering confidential information or downloading malicious files. Preventing your employees from falling for these emails is imperative to the security of your company.
One option many businesses turn to for phishing prevention is anti-spam software. This is a great way to filter spam and malicious emails out of your inbox, but no anti-spam program can guarantee 100% success.
At the end of the day, your users will always be the last line of defense. This is why it’s important to inform your users on how to identify the various types of phishing emails as well.
Phishing scams are just one of the ways attackers can make their way into your network, though. For other ways to prevent users from unintentionally exposing your company’s networks, check out the following articles: