What is Phishing, Spear Phishing, and Whaling?

We all hold the idea about online malware, malicious activities, scams, etc. Even a person not from a non-technical background, may have heard all these terms through news and journals available online. But the question is how exactly they attack your online data and how much damage can they manage to make? Online attacks, social engineering, and hacking are all very dangerous, as they can create huge losses to not only the individual but also to the giant industries. To understand the impact, we need to understand the different forms of online attacks such as phishing, spear-phishing, and whaling! Let’s understand these terms in detail.

Phishing

Have you ever got an email, having a suspicious link?

Well, that’s a trap, a lot of people are aware of these cybercrimes. Still, the technicality behind this and their types are merely never understandable.

When someone targets customers through emails, calls, or text messages, in order to lure them for lottery, it is to take out sensitive information from them such as bank details, credit card numbers and passwords. This act is called phishing. This information is then used for theft and unidentified transaction from accounts of the victims, leaving nothing but loss.

The first phishing attack was caused by a teenager who created a site named ‘America Online’. It is always easy to fool people by creating a website and duplicate mail ID with precision errors that are beyond detection. This way people easily fall for the trap and release important information.

This is the most common type of social engineering attack that is prevailing in India is when a person calling for an OTP in order to fix the error in your bank account. In reality, they have initiated a transaction and the registered mobile number gets the OTP to confirm the transaction.

There are some precautions to protect yourself from these scams!

1. Avoiding unnecessary texts related to winning a huge amount of money.
2. Getting a strong password and changing it regularly.
3. Anonymous calls should be reported instantly.
4. Fake caller ID’s should not be entertained.
5. Spam emails should be used with filters.
6. You should always be careful while reading the emails and messages, specifically the spellings.

Spear Phishing

It is generally a more planned and targeted form of phishing, wherein an organization is targeted and the phishing takes place with an action plan. This is a sophisticated way of robbing a big amount worth of data such as staff credentials, financial data, customer data, etc. These are just more lucrative forms of attacks where everything depends on planning and researching done by the criminal. It is a bulk attack and generally strong enough that cannot be resolved quickly. Spear phishing attackers target those who have a lot of information available online. They might get the details from social media sites or with common reconnaissance tools. After having enough information, these targets are approached in a planned way. It is first to win the trust and then to take away critical information or assets. It’s a long term plan for a huge gain. Also, it is generally observed that spear-phishing targets mostly includes government officials in order to release sensitive information to make quick bucks and attackers make way more money by these attacks, it is a one-time risky investment.

Some suggestions to protect yourself from spear phishing:

1. Watch what you post online.
2. Don’t make online friends who are just random people having fake ID’s.
3. Don’t portray a vulnerable image online.
4. Use wisdom over emotions.
5. Professionalism is highly recommended.
6. Trust those who deserve.

Whaling

A type of spear phishing, generally oriented for bigger professionals than low-level employees, like CEO’s or CTO’s of any organizations. These are more planned and sophisticated attacks. Long-term action, precision and well-rehearsed attacks are organized. These attacks do include professionally designed emails and websites, generally targets c-suite employees to remand access to highly sensitive information from multiple departments. For more legitimate illusion, attackers also create illustrations along with spoofed emails, logos and letterheads. The planning and plotting may take months of research and attack may last longer than planned. The attacker sometimes plays by the name of government agencies and also might reveal some information to win over the trust. The attacker generally lives in the shoes of the person whose personality he has to adapt too. Severe cases of the attack can include observing the day-to-day activities of the victim.

Whaling attacks are more difficult to detect than typical phishing attacks because they are so highly personalized and are sent only to selected targets within a company. A very well-known whaling attack was from the Snapchat account, and later the case was given to the FBI.

Protective measures:

1. Organizations should keep highly sensitive profiles under observations.
2. Senior management system should be installed.
3. External emails should be marked differently.
4. Verification process should be strong.
5. Data protection system should be strong.

Conclusion

The cybercrime is getting common with every single passing day, and no one can predict what may come up next. Rising technology always has some pros and cons, all we can do is follow the important precautions, and stay observant. Research a lot, gain knowledge and be aware of new methodologies that the cybercriminals use. Follow up with the news for the malicious links and similar messages.

You may also like to read:

• 4 Examples of Phishing: Have Any of These Fraudulent Emails Landed in Your Corporate Inbox?

• Protection from Phishing – One Click Away from Securing Your Business from Hackers

Author Bio: This article has been written by Rishika Desai, B.Tech Computer Engineering Student at Vishwakarma Institute of Information Technology (VIIT), Pune. She is a good dancer, poet and a writer. Animal love engulfs her heart and content writing comprises her present. You can follow Rishika on Twitter @ich_rish99, and connect with her on LinkedIn.