Phishing, spear phishing, whaling, and smishing are all types of social-engineering scams that can result in a business email compromise. These scams can be used to gain access to important information or simply to steal money from your business. By being aware of them and taking steps to protect yourself, you can help prevent your business from falling victim.
Today, we’ll break down the common types of phishing attacks you may be faced with.
1. Phishing
First, we have standard phishing. Phishing is a means of collecting or harvesting sensitive data from a person or company. It will usually be focused on obtaining credentials from the target to use in further attacks. For example, an attacker may want your username and password so they can log in to your company’s network.
They do this by sending an email to a large number of employees at your company. The email may look like it is from the company, or from a trusted source that the employee knows: a co-worker, a vendor, or even a friend. The email will then contain a link to a malicious website, often an illegitimate copy of a familiar login page, or prompt you to download malware.
2. Spear Phishing
Now that we’ve covered the standard foundation, we can introduce the variations starting with ‘Spear Phishing’.
Spear phishing is akin to regular phishing except that, as the name implies, it’s highly targeted. Attackers may spend considerable time investigating and performing reconnaissance on your company beforehand, and will attempt to compile a list of viable targets within your organization that would be of potential value. This could be IT staff, financial analysts, or other employees who have access to sensitive data.
Spear phishing can also be harder to detect because the attack is highly targeted and personalized. The attacker may spoof their email address to make it appear legitimate, or even purchase a convincing domain name so as not to look suspicious. There is also the potential for attackers to use a compromised third-party vendor you regularly do business with, thus appearing as a trusted source.
3. Whaling
Our third entry, Whaling, builds on the previous entries but becomes even more specific.
With Whaling, the intent is to target the executives of the organization, the ‘big fish’. These individuals are designated as high value because of their roles in leadership and decision-making within the organization. These types of individuals and their access may be abused in a variety of ways.
As an example, an executive’s account may be used to send an urgent email to the employees responsible for the company’s finances. Given the sender’s title and the sense of urgency, an employee may be eager to get the task done quickly and not think twice.
Additionally, an executive’s account may be used to harm the reputation of the company by sending spam or conducting further attacks against other organizations.
4. Smishing
This is where we mix things up a bit. Smishing differs from the rest: the others are usually delivered via email, whereas this method is sent via SMS/text message.
Smishing can be an attractive option for some attackers because mobile phones usually have fewer security controls in place, if any. Otherwise, the goals are the same as regular phishing: to steal information and/or money.
While it may seem that smishing is not relevant to business, a large technology company recently fell victim to such an attack, with devastating results.
5. Business Email Compromise
Our final item can be a culmination or a result of the previous items.
A Business Email Compromise takes place after a successful phishing attack. Once the attackers have gained access to the email system, they may lie in wait and monitor communications with other departments and companies. Once they spot something where they might intervene, such as a wire transfer, they begin the impersonation and manipulation.
For example, the attacker may register a domain name similar to that of the company they’re impersonating (e.g. google.xyz, gogle.org, g00gle.com).
The attacker will then hijack the email chain and start sending from the lookalike domain and request that payment details be changed to the attacker’s bank account. The payment gets sent, and poof, you’re left wondering why the legitimate vendor/customer didn’t receive funds.
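The lookalike domains above fall into three patterns a defender can check for automatically: the same name under a different TLD (google.xyz), a one-character typo (gogle.org), and a digit-for-letter substitution (g00gle.com). The following is an added example, not code from the original post; it assumes a constructed list of trusted vendor domains (TRUSTED_DOMAINS) and a small homoglyph table, and simplifies by treating the last label as the TLD (so co.uk-style suffixes are not handled).

```python
# Added example: flag sender domains that look like domains the business trusts.
# TRUSTED_DOMAINS and the homoglyph table are constructed assumptions for this example.
TRUSTED_DOMAINS = ["google.com", "examplevendor.com"]

# Characters attackers substitute for visually similar letters (constructed, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "@": "a", "|": "l"})


def normalize_label(label):
    """Map common look-alike characters and digraphs back to the letters they imitate."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (second-level label, TLD). Simplification: assumes a single-label TLD such as .com."""
    parts = domain.lower().strip().strip(".").split(".")
    if len(parts) < 2 or not all(parts):
        return None, None
    return parts[-2], parts[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain) for a sender domain."""
    domain = domain.lower().strip()
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", t               # exact match or a subdomain of a trusted domain
    label, tld = split_domain(domain)
    if label is None:
        return "invalid", None
    for t in trusted:
        t_label, t_tld = split_domain(t)
        if label == t_label and tld != t_tld:
            return "lookalike-tld", t         # e.g. google.xyz
        if normalize_label(label) == t_label:
            return "lookalike-homoglyph", t   # e.g. g00gle.com
        if len(t_label) >= 4 and levenshtein(label, t_label) == 1:
            return "lookalike-typo", t        # e.g. gogle.org
    return "unrelated", None


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Convenience wrapper for a full email address such as billing@g00gle.com."""
    if "@" not in address:
        return "invalid", None
    return classify_domain(address.rsplit("@", 1)[1], trusted)


if __name__ == "__main__":
    for d in ["google.com", "google.xyz", "gogle.org", "g00gle.com", "example.org"]:
        print(d, classify_domain(d))
```

The checks are ordered from most to least specific, and the typo check only fires for trusted names of four or more characters so that short names do not produce constant false positives. A verdict of anything other than "trusted" or "unrelated" is a good trigger for holding the message for review rather than blocking it outright.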
While the ramifications of falling victim to a phishing attack can be severe, there are protections you can put into place to help mitigate the associated risks.
1. The first and most basic is implementing Multi-Factor Authentication on your logins. This way, if your credentials become compromised, you have another layer of protection to stop attackers from accessing your accounts.
2. The next is implementing a secure email gateway. This gives you a way to prevent, detect, and respond to incoming phishing emails.
3. And finally, Awareness Training. Educate yourself and your users on a variety of security topics so that they are better able to detect suspicious activity, should other defenses fail.
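To make the second protection concrete, here is an added example (not code from the original post or from any gateway product) of the kind of header checks a secure email gateway applies to each inbound message: a Reply-To that diverts replies to a different domain, an executive’s display name on mail from outside the organization, failed SPF/DKIM/DMARC results recorded in the Authentication-Results header, and pressure language in the subject. INTERNAL_DOMAIN, EXECUTIVE_NAMES and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for this example: the organization's own domain and the
# display names of executives that attackers are likely to impersonate.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "before close of business")


def name_and_domain(header_value):
    """Split a From/Reply-To header into (lowercase display name, lowercase domain)."""
    name, addr = parseaddr(header_value or "")
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def check_message(raw, internal_domain=INTERNAL_DOMAIN, executives=EXECUTIVE_NAMES):
    """Return the list of findings a gateway rule set might raise for one message."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_domain = name_and_domain(msg.get("From"))
    _, reply_domain = name_and_domain(msg.get("Reply-To"))

    # 1. Replies would go somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # 2. A known executive's display name on a message from outside the organization.
    if from_name in executives and from_domain != internal_domain:
        findings.append("display-name-impersonation")

    # 3. SPF/DKIM/DMARC results as recorded by the receiving mail server (RFC 8601 header).
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=([a-z]+)", auth, re.IGNORECASE)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}-{m.group(1).lower()}")

    # 4. Pressure language in the subject line (a weak signal on its own).
    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency-language")

    return findings


# Constructed sample messages for this example (not real traffic).
SUSPICIOUS_MESSAGE = """\
From: "Jane Doe" <jane.doe@example-payments.net>
Reply-To: accounts@mail-relay-xyz.net
To: finance@example.com
Subject: URGENT: wire transfer needed before close of business
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-payments.net; dkim=none

Please update the payment details for the vendor invoice today.
"""

CLEAN_MESSAGE = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Agenda for Thursday
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Attached is the agenda for our planning session.
"""

if __name__ == "__main__":
    print(check_message(SUSPICIOUS_MESSAGE))
    print(check_message(CLEAN_MESSAGE))
```

None of these signals is conclusive by itself; a real gateway scores them together and quarantines or tags messages above a threshold. The display-name check in particular is the simplest defense against the whaling scenario described earlier, where an executive’s name is used to pressure finance staff.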
Thank you for reading, and we hope you learned something!