In its early days, phishing relied on mass emailing to reel in potential victims. This attack type generally produced fair results, considering that it only took a couple of victims out of hundreds or even thousands of recipients to make a few seemingly harmless clicks. As phishing attacks have progressed, most internet users have become aware of what phishing is and, in general terms, what it means and how it works. Because of this, hackers have crafted new attacks to increase their chances of success. One of these is called spear phishing.
Spear phishing is a carefully crafted attack aimed at specific, intended targets. It poses a much greater threat than mass email because it is tailored to particular companies or individuals. The target is less likely to recognize this type of attack because of how it is set up, usually with believable and relevant content specific to the target. It has easily become one of the most used and most dangerous attack types because it relies on the everlasting vulnerability of people to social engineering.
Another type of attack that has branched off from spear phishing is called whaling. This form is even more specific and gets its name from its use against high-profile targets: anyone in senior management, including but not limited to the CEO, CFO, COO, and VPs or directors. A whaling e-mail will typically come across as very professional, oftentimes discussing very sensitive details or matters. The information used against these high-ranking targets is usually readily available online. These demanding positions require processing more than the average amount of information in very little time, which leads to overlooking the basic security principles of identifying a phishing attempt. This is why whaling is considered one of the largest threats to an organization's defenses. As mentioned previously, it goes back to the vulnerability of social engineering.
Things to look for to identify a phishing e-mail include:
- Checking the “To” field. Is it blank, or does it contain an address of yours that is not linked to the account or service that it is referring to?
- Checking the “From” field. Is the address an imitation, or does it check out as legitimate?
- Grammar. Does the email contain your name? How well is the mail composed, and does it contain spelling or formatting errors?
- Is the email in regard to an account that you actually have?
- Does the URL shown in the email match the URL that displays when you hover over the link?
- Does the email contain attachments from unknown sources?
- If a link is clicked, is the resulting website secured with https? (Do not click suspicious links; they may point you to malware that could infect your system.)
Identifying a phishing email is for the most part a pretty easy task. If you do suspect that you have been phished, it is best to report the attempt to your IT department, the company being spoofed, and the Federal Trade Commission.
For further information on how you can protect yourself and your company from phishing attempts, contact Ethical Tech Support today or follow the link below to learn more about our Spam Filtering Service.