Phishing to Whaling, Signs that You Need to Boost your Cyber Defences

Cybersecurity involves the practices, processes, and technologies created to protect data, programs, devices, and networks from unauthorised access, damage, and attack.

It is essential to protect data stored on computers and other devices, especially information collected by medical, financial, corporate, military, and government organisations. Many of these organisations collect, process, and store large amounts of data to deliver services to their clients.

Much of this data is sensitive: personal data, financial data, and intellectual property, with serious consequences if it lands in the wrong hands. One method cybercriminals use to obtain data illegally is phishing.

What is a Phishing Attack?

This is a social engineering attack mainly used to obtain credit card numbers and login details illegally. The attacker masquerades as a trusted entity and tricks the victim into opening a text message, instant message, or email, and then into clicking a malicious link that freezes their system through ransomware, installs malware, or exposes sensitive information. Such an attack has devastating results, including identity theft, loss of funds, and unauthorised purchases made with the victim’s credit card details.

Furthermore, phishing is used to gain a foothold in governmental or corporate networks as a precursor to a more severe attack. An example is an advanced persistent threat (APT), where employees are compromised to obtain privileged access to protected data, distribute malware on their work premises, or bypass security checks.

An organisation that suffers such an attack incurs severe financial losses and declining market share, consumer trust, and reputation. Depending on the severity of the attack, the situation can escalate into a significant security concern from which a business may not recover quickly.

These forms of cyber threats are executed in different ways, as illustrated below.

Deceptive phishing

This is the most common type of scam: criminals impersonate a genuine company to obtain people’s login credentials and personal data. It is carried out through threatening emails that convey a sense of urgency so that the user does what they have been asked to do.

Deceptive phishing attacks use the following techniques:

• Genuine links. Fraudsters try to avoid detection by email filters by using genuine links in deceptive emails, for example by including the legitimate contact details of the organisation they are trying to spoof.

• Blending benign and malicious code. Criminals who create the landing pages blend benign and malicious code to deceive Exchange Online Protection (EOP), for example by duplicating the JavaScript and CSS of a company’s login page so that the fake page steals users’ account details.

• Shortened and redirected links. To avoid raising red flags, attackers use shortened URLs to get past Secure Email Gateways (SEGs). The link is redirected to the attacker’s landing page only after the email has been delivered, and then on to a legitimate web page once the user has surrendered their credentials.

• Altered brand logos. Email filters can detect a company logo that fraudsters have copied into their emails or landing pages by scanning the logo’s HTML attributes. To defeat this check, criminals alter one feature of the logo, such as its colour.

• Minimum email content. Another way to avoid detection is including very little content in the attack emails, for example, using an image in place of text.

Example of a deceptive email

PayPal users have been scammed through an email instructing them to click on a link to rectify an inconsistency with their account. The link takes the user to a website impersonating PayPal’s login page. When the user tries to verify their account, the site collects their login details and sends them to unauthorised parties.

To prevent this type of attack, inspect every URL to establish whether it redirects you to a suspicious or unknown website. Teach your staff members to do the same, as these emails also land in company inboxes. Be on the lookout for spelling errors, grammatical errors, and generic salutations.
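To make the URL-inspection advice above concrete, here is an added Python example (not from the original article) that pulls every link out of an HTML email body and flags the warning signs this section describes: a displayed URL that does not match the real destination, a link host outside the claimed sender’s domain, a URL-shortener host, and a generic salutation. The shortener list, the expected_domain parameter and the sample email are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed lists (assumptions): extend them for your own environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder")

class LinkExtractor(HTMLParser):
    # Collects (href, visible anchor text) pairs from an HTML email body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    return ".".join(host.lower().split(".")[-2:])  # crude last-two-labels rule

def looks_like_url(text):
    return re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text, re.I) is not None

def analyse_email(html, expected_domain):
    """Return warnings for one email body that claims to come from expected_domain."""
    warnings = []
    if any(s in re.sub(r"<[^>]+>", " ", html).lower() for s in GENERIC_SALUTATIONS):
        warnings.append("generic salutation")
    parser = LinkExtractor()
    parser.feed(html)
    for href, anchor in parser.links:
        host = urlparse(href).hostname or ""
        if host in SHORTENERS:
            warnings.append(f"shortened link: {href}")
        if registrable_domain(host) != expected_domain:
            warnings.append(f"link host {host} is not {expected_domain}")
        if looks_like_url(anchor):  # displayed URL must match the real destination
            shown = re.sub(r"^https?://", "", anchor, flags=re.I).split("/")[0]
            if registrable_domain(shown) != registrable_domain(host):
                warnings.append(f"anchor text shows {shown} but points to {host}")
    return warnings

# Constructed sample modelled on the PayPal lure described above (not a real email).
SAMPLE = """<p>Dear Customer,</p><p>We noticed an inconsistency with your account. Please
<a href="http://paypal.com.verify-login.example/signin">https://www.paypal.com/signin</a>
to verify it, or use <a href="http://tinyurl.com/constructed-example">this link</a>.</p>"""
```

Running analyse_email(SAMPLE, "paypal.com") returns five warnings for the sample, while a genuine message whose links all point at the expected domain returns an empty list.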

Phishing email example

Spear-phishing

In this kind of attack, the fraudsters use the target’s name, phone number, position, and any other relevant information to make the victim believe that they know the sender. The aim of spear-phishing is the same as that of deceptive-phishing emails: to make the victim click on a malicious email attachment or URL and so give the criminals access to their data. This attack is common on social media sites, where attackers draw on numerous data sources to craft the email.

Spear-phishing attacks use the following techniques:

• Storing malicious documents on cloud services. Digital attackers continue to host their malicious files on Google Drive, Box, Dropbox, and other cloud services. IT departments rarely block these services, so a company’s email filters won’t flag the malicious documents.

• Compromising tokens. These criminals also try to compromise session tokens or API tokens, which lets them take over email accounts and other resources without needing the login details themselves.

• Exploring social media. Cybercriminals need to know who works at their targeted company. Social media is one way of investigating an organisation’s structure and determining the next target.

Example of spear-phishing

During a crisis such as the COVID-19 pandemic, most people are on edge. They look for information and direction from the government, employers, and other relevant authorities. If someone receives an email that appears to originate from one of these entities and instructs them to perform a task, they will rush to complete it without scrutinising the email, leaving the victim’s device infected with malware or the victim locked out of their account.

A common strategy used by scammers during the pandemic is to obtain the login details for employees’ OneDrive accounts. The fraudsters know that people are working from home and sharing documents through OneDrive, which makes the platform an ideal place to carry out their attack.

Whaling

Whaling, or whale-phishing, is a type of spear-phishing that targets high-value persons in a company, such as CEOs. Most of these attacks are directed at the company’s board of directors, who are the most vulnerable: they hold immense authority within the organisation, yet, because they are not full-time employees, they often send and receive business-related correspondence through personal email addresses, which lack the protection provided by corporate email.

It can take time to gather enough information to deceive a high-value target, but the wait has a high payoff in the end. In 2008, corporate CEOs were the target of an attack of this type in which the emails carried attachments purporting to be subpoenas from the FBI. Opening the attachment downloaded a keylogger onto the executive’s computer; almost 2,000 executives were affected, and the attack had a 10 per cent success rate.

Whaling attacks succeed because executives often skip the security awareness training that other employees undergo. To counter the whaling threat, organisations should make continuous security awareness training mandatory for all company personnel. Companies should also build multi-factor authentication (MFA) into their authorisation processes, so that payments must be authorised through more than one channel and never through email alone.

Whaling Phishing example

In Conclusion

Cybercrime and its associated risks continue to climb; whilst companies can detect some attacks, they cannot see all of them, and attacks evolve and morph with each passing day. Humans also remain a prime risk and target, so organisations need to run security awareness training for both employees and executives so that they can recognise these attacks.

If you would like to test who in your organisation may respond to a phishing attack, or discover a great way to train your employees and executives on cybersecurity, contact us for more information.

Download our Infographic on ways to Prevent a Cyber Attack