Phishing & Whaling Attacks: How to protect yourself against it

At the beginning of 2016, it happened to the large social network company Snapchat: a successful attack was launched on the company. An employee in the human resources department received an e-mail from the CEO asking for salary information from employees. Since it was very reluctant to leave a message from the boss unanswered, the data was sent to him. A few minutes later they were published on a website called SnapchatDB. It became clear that the email was not from the actual CEO Evan Spiegel and Snapchat was the victim of a whaling attack. The company then turned on the FBI and offered all affected employees free two-year identity theft insurance (full article here).

What is Phishing?

Phishing is a targeted manipulation of users, based on social engineering. Cyber criminals want to obtain confidential information by impersonating a serious person or institution. These attacks are usually made via email on many users in the hope that a few will fall for them. A classic example are e-mails from the technical support, but also from eBay, PayPal and Amazon. Problems with the user account are often mentioned and the recipient is asked to click on a link. On this website, the data typed in is then sent directly to the fraudster.

What is Spear-Phishing?

Another form of phishing is spear phishing. If you hunt for fish with a spear, you need a certain target. In spear phishing, the attacker wants sensitive information from exactly one employee, for example financial data. With this method, the attacks are planned more elaborately, which increases the chance that the victim will respond to the message. Spear phishing is often used when the attacker has been commissioned by a government.

What is Whaling?

Whaling is like Spear-Phishing, only here specifically employees of a high position become the target. They have access to a lot of confidential data, which is interesting for the attackers. To gain access to this data, the attackers create individually tailored e-mails or websites. Information about the victim is collected via social media such as LinkedIn or Facebook. Manipulated e-mail addresses with a similar ending to that of the company are also often used and the signature of the actual sender is imitated.

Wieland Alge, former security specialist at Barracuda Networks, believes that the human resources department is a particularly simple target for such attacks. Many of the emails they receive have attachments and employees are encouraged or even required to open them.

How can you protect yourself?

Jareth from the Emisoft blog has the following tips to avoid falling for such attacks:

• Train employees: Employees should be informed and trained about phishing and whaling. This includes checking the sender's e-mail address or the link URL for suspicious messages. Careful handling of attachments is also advisable.
• Information from social media: Employees should also be careful with social networks. Too many personal details can be conducive to an attack.
• Processes: If employees have received an e-mail with a request for a bank transfer or sensitive data, processes or procedures can help. These can require the sender of the email to confirm his or her instruction by making a personal phone call.