Evolution of Phishing: Spear Phishing and Whaling Scams Explained

Cyber attacks and phishing tactics are getting more and more advanced.

Neb Ciric
·
Feb. 22, 19 · Analysis

Due to the high-profile cases of cybercrime in recent years, including the Facebook-Cambridge Analytica scandal back in 2018, the Equifax data breach in 2017, and the Russian interference with the US presidential election in 2016, cybersecurity is now a top priority for businesses, institutions, and individuals alike.

In order to implement effective countermeasures against cyber attacks, one has to have up-to-date knowledge of methods and tactics used to perform such attacks. The aim of this article is to help developers get acquainted with a class of attacks called ‘spear-phishing’ and ‘whaling.’

By learning what phishing is, its different forms, and how it can be prevented, you will have an easier time protecting your digital assets from one of the most common methods of cyber attack on the web.

Recognizing the Bait

In its most basic form, phishing is an attempt by malicious third parties to obtain sensitive information (usernames, passwords, social security numbers, credit card details, etc.) from unsuspecting targets by means of deception.

A Typical Phishing Attack

  1. The target receives an email requesting some piece of sensitive information, such as a bank account number. The email itself is carefully crafted to look as if it came from a trusted source, such as the target's bank.
  2. The target willingly divulges the information, at which point the attack can be considered a success, or they perform some other action requested by the email, such as following a suspicious link or opening an unknown file.
  3. Upon performing the action, the target is either infected with a piece of malicious code such as a virus, or they are taken to a website that extracts their information in the background.

How Phishing Evolved

Phishing attacks used to be carried out on a massive scale, with attackers sending the same kind of email to large numbers of people at once and hoping that someone would take the bait (hence the name). Once the public became aware of phishing scams, anti-phishing measures became more commonplace. Attackers did not give up, however, and two additional, evolved forms of phishing came to prominence: spear phishing and whaling.

Spear Phishing

Spear phishing refers to phishing attacks that go the extra mile to make spoofed emails look believable and so increase their probability of success. To achieve this, attackers gather as much information as possible about their targets beforehand. This reconnaissance pays off because specific individuals within an organization often have particular security weaknesses.

The 2016 cyber attacks on the Democratic National Committee in the US are a well-known example of spear phishing in action. The Russian hacker collective called Cozy Bear used spear phishing to target email accounts linked to Hillary Clinton’s 2016 presidential campaign. But there is another variety of phishing, and those who use it only prey upon big fish.

Whaling

Whaling is a further evolved form of spear phishing. It refers to phishing attacks aimed at senior executives and other high-ranking personnel within organizations. Such attacks are defined by email content that is personalized and specifically tailored to the target in question.

In 2016, one of Mattel’s financial executives became involved in a high-profile whaling case. The executive in question was tricked into transferring $3 million to a fake vendor in China by a plausible-sounding email request. So, what can we do against these types of attacks?

Preventive Measures

Phishing is a form of social engineering, and as such, it relies on the subversion of human actors in order to be successful. As a result, the best strategy for combating phishing and its variants is raising security awareness within your organization. Encourage your team members to watch free security awareness videos, provide them with secure devices, and implement security controls and relevant technical countermeasures across all departments.

Technical Countermeasures

  • Browser alerts. Web browsers such as Chrome, Firefox, or Safari have access to lists of known phishing websites, and they will warn users if they inadvertently click on links leading to them.
  • Specialized spam filters. Email clients employing these can reduce the number of phishing emails that make it to the inbox or provide post-delivery email decontamination.
  • Augmented logins. Some websites use advanced forms of user verification that are difficult to replicate by phishing websites, thus reducing the chance that users will get fooled by a spoofed website.
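To make the "specialized spam filters" bullet and the spoofed "trusted source" email from the typical attack concrete, here is an added example (not code from the article or from any product it names) of the kind of header and link checks such a filter runs on a message. The sample email and the `TRUSTED_DOMAINS` allow-list are constructed assumptions; the three indicators are display-name brand impersonation, a Reply-To that redirects replies elsewhere, and link text that names a trusted domain while the href points somewhere else.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name imitates a bank, the
# sending domain does not, Reply-To redirects answers, and the link text lies about its target.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-support.com>
Reply-To: verify@mail-verify.example.net
Subject: Action required: confirm your account number
Content-Type: text/html

<p>Please <a href="http://account-check.example.net/login">log in at examplebank.com</a>.</p>
"""

TRUSTED_DOMAINS = {"examplebank.com"}  # assumption: the organisation's own allow-list

def registered_domain(host):
    # Crude fallback: last two labels of a hostname (assumes no multi-part TLDs such as co.uk).
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def address_domain(header_value):
    _, address = parseaddr(str(header_value))
    return registered_domain(address.rsplit("@", 1)[1]) if "@" in address else ""

def phishing_indicators(raw):
    """Return the indicator names found in one message; triage input for a filter, not a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    display, _ = parseaddr(str(msg.get("From", "")))
    from_domain = address_domain(msg.get("From", ""))
    # 1. Display name names a trusted brand, but the address is not from that brand's domain.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in display.lower().replace(" ", "") and from_domain != trusted:
            found.append("display-name-brand-mismatch")
    # 2. Reply-To points at a different domain than From, so replies are silently redirected.
    reply_domain = address_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        found.append("reply-to-domain-mismatch")
    # 3. Anchor text shows a trusted domain while the href leads somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        target = registered_domain(urlparse(href).hostname or "")
        if any(t in text.lower() and target != t for t in TRUSTED_DOMAINS):
            found.append("link-text-target-mismatch")
    return found
```

A real filter would combine such indicators with sender authentication results (SPF, DKIM, DMARC) and a proper public-suffix list rather than the two-label fallback used here.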

Proceed With Caution

Phishing attacks are a common occurrence on the web, and they are getting increasingly sophisticated with each passing year. However, with the right countermeasures in place, especially ones that address the human factor, it is possible to keep your organization safe and protected.
