A spearphishing attack is one of many ways attackers obtain sensitive information or gain access to a computer system. Unlike generic phishing, which is sent in bulk to anyone who might bite, spearphishing is aimed at a specific person or organization and uses details gathered about the target (their role, the software they use, their colleagues or suppliers) to make a counterfeit message look like it came from a trusted source. Whaling is an offshoot of this growing tactic, and the two terms are often confused with each other. In this article we take a closer look at the differences between spearphishing and whaling.

Spearphishing Attacks

Spearphishing attacks, like other social engineering attacks, exploit a basic human desire to be helpful and the instinct to respond positively to people we know. The harsh truth is that an innocent attempt to help someone can make or break your enterprise.

Spearphishing Attack Examples

It can be difficult to recognize spearphishing attacks. Here’s how one might happen: 

  1. An attacker knows you use a specific type of software, such as Microsoft 365. So, they send an email that appears to be a notification that you need to update your password.
  2. The link in the email leads to a page that looks like your Microsoft 365 sign-in screen but is hosted on a domain the attacker controls.
  3. When you enter your username and current password on that page, the attacker captures them and can sign in to your Microsoft 365 account, then read mail and files or use the account to attack the rest of your company.

This attack would be far less effective if sent to someone who does not use Microsoft 365; the specificity is what makes it so sinister. Spearphishing messages mimic the emails employees receive every day, which makes them look credible and harder to spot. The one reliable tell in this scenario is the link itself: the sign-in page sits on a domain the attacker registered, not on the real login service, so checking the domain in the browser's address bar, or having a mail filter do the same check before delivery, catches it.
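The domain check described above, as an added example that is not code from the original article: it pulls every link out of an email body and accepts only exact, allowlisted HTTPS sign-in hosts, flagging the tricks a lookalike reset link typically uses (the real brand name as a subdomain of an attacker's domain, userinfo before an `@`, punycode or non-ASCII hostnames, plain http). The allowlist, the brand strings and the sample body are constructed assumptions for illustration.

```python
"""Classify the links in a suspected spearphishing email.

Added example for this article, not code from the original page. The
allowlist of legitimate Microsoft 365 sign-in hosts and the sample email
body are constructed assumptions for illustration; a real deployment
would load the allowlist from policy rather than hard-code it.
"""
import re
from urllib.parse import urlparse

# Hosts where a genuine Microsoft 365 sign-in page may live (assumed list).
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}
BRAND_STRINGS = ("microsoft", "office", "365", "outlook")

# Matches http(s) URLs in a plain-text body; stops at whitespace and
# common delimiters so trailing punctuation is not swallowed.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def registered_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption: good enough for .com/.example; a production check should
    use the Public Suffix List to handle suffixes such as co.uk.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(url):
    """Return (verdict, reason). 'ok' only for an exact allowlisted HTTPS host.

    urlparse().hostname already strips userinfo, so the classic
    https://login.microsoftonline.com@evil.example/ trick yields
    hostname 'evil.example' and is caught by the domain check below.
    """
    parts = urlparse(url.strip())
    host = (parts.hostname or "").lower()
    if not host:
        return "suspicious", "no hostname in link"
    if parts.scheme.lower() != "https":
        return "suspicious", f"scheme is {parts.scheme!r}, not https"
    # Internationalized or punycode labels are how homoglyph lookalikes
    # (Cyrillic 'о' standing in for Latin 'o', etc.) reach the wire.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        return "suspicious", "internationalized/punycode hostname"
    if host in LEGIT_LOGIN_HOSTS:
        return "ok", "allowlisted sign-in host"
    domain = registered_domain(host)
    if domain not in {registered_domain(h) for h in LEGIT_LOGIN_HOSTS}:
        # login.microsoftonline.com.evil.example: the familiar name is just
        # a subdomain label of a domain the attacker registered.
        for brand in BRAND_STRINGS:
            if brand in host:
                return "suspicious", f"brand string {brand!r} inside unrelated domain {domain}"
        return "suspicious", f"{host} is not an allowlisted sign-in host"
    return "suspicious", f"unexpected host {host} under a Microsoft domain; verify before trusting"


def scan_body(text):
    """Classify every link in an email body; returns [(url, verdict, reason), ...]."""
    return [(url, *classify_link(url)) for url in URL_RE.findall(text)]


def suspicious_links(text):
    """Just the links a human should look at, for a quarantine rule or an alert."""
    return [url for url, verdict, _ in scan_body(text) if verdict != "ok"]


# Constructed sample body mimicking the password-reset lure in the article.
SAMPLE_BODY = """Your Microsoft 365 password expires today.
Reset it now: https://login.microsoftonline.com.account-verify.example/reset?u=1234
Or sign in as usual at https://login.microsoftonline.com/common/oauth2/authorize
Help: http://support.office365-helpdesk.example/ticket
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_body(SAMPLE_BODY):
        print(f"{verdict:10} {url}\n           {reason}")
```

Only the genuine `login.microsoftonline.com` link in the sample comes back `ok`; the "reset" link is flagged because `microsoft` appears inside an unrelated registered domain, and the help link because it is plain http. The allowlist approach is deliberately strict: a new but legitimate host produces a false positive that a human can review, whereas a lookalike that slips through produces a stolen credential.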

Whaling vs Spearphishing Attacks

It isn’t uncommon to hear people use whaling and spearphishing attacks interchangeably. Contrary to this popular belief, whaling is actually a type of spearphishing. 

While spearphishing attacks can target almost anyone in an organization, whaling goes after those at the top. "The whale", a senior executive, usually has deeper access to sensitive information and confidential resources, and the authority to approve large payments, so a single successful message pays off far more.

There are far too many real-life examples of whaling attacks. One recent incident involved a hedge fund co-founder who was targeted with a fake Zoom invitation. The co-founder followed the link, which let the attackers into the organization's network. They attempted to steal $8.7 million and got away with $800,000. The money was lost to a single careless click, but it was the reputational damage that eventually forced the hedge fund to close.

Whether for day-to-day work or marketing outreach, the internet has become integral to how businesses operate. Unfortunately, that same ubiquity gives attackers ample opportunity to infiltrate organizations, and the fake Zoom link above shows how little effort it takes to imitate a service people use every day.

Unfortunately, phishing scams don’t just end with whaling and spearphishing. Read more on the other types of phishing in the next section. 

Other Types of Phishing Attacks

There are other types of phishing attacks that you should be wary of:

Cloning 

A clone phishing attack starts from a legitimate email the victim has already received, one that carried attachments or links. The clone is a near-identical copy of the original, except that the attachments or links have been swapped for malware or a link to an attacker-controlled page. The sender address is usually spoofed so the message appears to come from the original sender, and the text claims to be a simple resend or an updated version. If the victim's account is compromised as a result, the attacker can then send the same forged email from the victim's own mailbox to the victim's contacts, who have even less reason to doubt it.
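The differences that give a clone away, as an added example that is not code from the original article: given the raw bytes of the original message and of the "resend", it reports a visible From domain that does not match the Return-Path (bounce) domain, any link in the resend that was not in the original, and any attachment that keeps its filename but whose bytes changed. The two sample messages, their addresses and domains are constructed assumptions.

```python
"""Spot a clone-phishing "resend" by diffing it against the original message.

Added example for this article, not code from the original page. The two
messages below are constructed samples (an invoice email and a forged
resend of it); sender addresses and domains are assumptions.
"""
import email
import email.policy
import hashlib
import re
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def sender_domains(msg):
    """Domain from the visible From header vs. the Return-Path (envelope sender).

    A spoofed From usually leaves the bounce address pointing at the
    attacker's own mail infrastructure, so a mismatch is a cheap signal.
    """
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    bounce_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return from_domain, bounce_domain


def links_and_attachments(msg):
    """Collect body links and a SHA-256 per attachment, keyed by filename."""
    links, attachments = set(), {}
    for part in msg.walk():
        if part.is_attachment():
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            attachments[part.get_filename()] = digest
        elif part.get_content_type() == "text/plain":
            links.update(URL_RE.findall(part.get_content()))
    return links, attachments


def compare_to_original(original_raw, resend_raw):
    """Return a list of findings explaining how the resend differs from the original."""
    original = email.message_from_bytes(original_raw, policy=email.policy.default)
    resend = email.message_from_bytes(resend_raw, policy=email.policy.default)
    findings = []

    from_domain, bounce_domain = sender_domains(resend)
    if bounce_domain and from_domain != bounce_domain:
        findings.append(f"From domain {from_domain!r} != Return-Path domain {bounce_domain!r}")

    orig_links, orig_att = links_and_attachments(original)
    new_links, new_att = links_and_attachments(resend)
    for url in sorted(new_links - orig_links):
        findings.append(f"link not present in original: {url}")
    for name, digest in new_att.items():
        if name not in orig_att:
            findings.append(f"attachment {name!r} was not in the original")
        elif orig_att[name] != digest:
            findings.append(f"attachment {name!r} keeps its name but the content changed")
    return findings


def build_message(from_addr, return_path, body, attachment_name, attachment_bytes):
    """Serialize a constructed sample message to raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "finance@corp.example"
    msg["Subject"] = "Invoice 4471"
    msg["Return-Path"] = return_path
    msg.set_content(body)
    msg.add_attachment(attachment_bytes, maintype="application", subtype="pdf",
                       filename=attachment_name)
    return msg.as_bytes()


def sample_original():
    return build_message(
        "Accounts Payable <ap@vendor.example>", "<ap@vendor.example>",
        "Hi, invoice 4471 is attached. It is also in the portal:\n"
        "https://portal.vendor.example/invoices/4471\n",
        "invoice-4471.pdf", b"%PDF-1.4 constructed harmless sample\n")


def sample_clone():
    # Same visible sender and attachment name, but the bounce address, the link
    # and the attachment bytes have all been swapped.
    return build_message(
        "Accounts Payable <ap@vendor.example>", "<bounce@mailer.evil.example>",
        "Resending in case you missed it. Invoice 4471 is attached and in the portal:\n"
        "https://portal.vendor-example.com/invoices/4471\n",
        "invoice-4471.pdf", b"%PDF-1.4 constructed sample standing in for a malicious file\n")


if __name__ == "__main__":
    for finding in compare_to_original(sample_original(), sample_clone()):
        print("-", finding)
```

In a real mail pipeline the original would be looked up from the mail store by the thread or the quoted Message-ID rather than handed in by the caller, and the Return-Path check alone is noisy (mailing lists and forwarders rewrite it legitimately), which is why the link and attachment diff carries most of the weight.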

Vishing

Rather than email, vishing (voice phishing) uses a phone call to trick victims into handing over sensitive information. The caller relies on social engineering to extract credentials or financial details, frequently imposing a deadline or time limit to create a sense of urgency.

Smishing

Smishing uses text messages (SMS) rather than voice calls to deceive users. The message may contain a phone number for the target to call, or a link to an attacker-controlled website hosting malware or a phishing page.

Fortunately, there are many ways to mitigate the risks of these cyber threats. A critical first step is to secure your organization’s email. Learn what to look for in an email security solution and how to stop attacks before they reach your inbox by contacting us today.

You can also check out this latest report from Gartner® on email security.