Spear phishing and whaling: not deep sea adventures, but threats to your personal information!

We're taking a deep dive into cybersecurity topics like spear phishing, whaling phishing, smishing, and vishing.

We all hear a lot about hackers and phishing schemes aimed at finding a way into our networks and stealing our valuable information. One of the terms you hear frequently is “phishing,” which we’ve written about in some of our earlier blogs. Today, we’ll dive a little deeper and identify a few of the specific types of phishing attacks you should be watching out for.

  1. Spear phishing: Not to be confused with “spearfishing,” this is anything but a deep sea or sporting adventure! With this type of phishing, cyber criminals will pretend to be from an institution the recipient knows and trusts, such as a bank or an online retailer like Amazon. The email asks you to click on a link for “shipping confirmation” or “account verification.” It could appear as a message from PayPal reporting “suspicious activity” and asking you to click on a link to verify your account. Don’t do it! Be wary of messages like these, particularly ones that convey a sense of urgency (for example, that you must respond within 24 hours or your account can be locked).
  2. Whaling phishing: This form of attack targets people with large roles within an organization (hence the term “whale,” for the size of their role). Whaling aims at CFOs or CEOs or their trusted employees. The cyber criminal may ask the recipient to authorize wire transfers of funds to an individual or account. Usually, the criminal will become familiar with the target by gathering information in advance from platforms such as LinkedIn, Facebook and Twitter. Sometimes a message to a key employee will be constructed to look like it came from within the organization. A “CEO” may ask an employee to authorize a wire transfer or send over a number of W2 forms. Personal information of this sort in the wrong hands can create many problems, and if funds are transferred to a bogus company it’s difficult, if not impossible, to get them back. So approach with extreme caution! When in doubt as to the legitimacy of a message, check with the person (if it appears to originate from within the company) or the bank. In general, avoid clicking on any of the links provided.
  3. Smishing: Even your cell phone is now subject to attempts by cybercriminals to steal your information. We’re somewhat accustomed to receiving emails that are suspicious, and now these practices have expanded to include phones. The text could appear to come from a bank asking you to verify your information by clicking on a link, or an announcement that you won a prize, or a solicitation for past due payments. Be very careful! Do not click on any links you do not recognize. It’s better to delete these texts.
  4. Vishing: Think of “scams by phone.” You check voicemails and hear that the IRS is about to lodge a lawsuit against you and that you have 24 hours to call the number back to avoid proceedings. Or that there has been a delay in a UPS shipment. Or a company saying that your account will be charged for a purchase you don’t recognize. Be very careful. Never give out your personal information to anyone you don’t recognize.

Although these four forms of phishing contact you by different means, the objective is the same for all – to trick you into linking to a website that will gain access to your information, or to have you provide it outright. Be vigilant! If you have any questions about how to protect your infrastructure, or how to train your employees in this matter, please contact us at info@pulsetechnology.com.