Phishing, Spear Phishing, and Whaling

By Leila Sharma

Workplace and personal email have become the most common attack surfaces for opportunistic and targeted phishing scams. Phishing scams use social engineering to target end users. There are variations of phishing, which have distinguishing features that may be categorized using terms such as spear phishing or whaling. The different names or categories refer to the varying methods employed by scammers, but they are all ultimately phishing attacks.

This article explores the commonalities and differences of these attacks while also providing best practices and resource recommendations. Please be reminded that there are low risks associated with opening email messages; however, actions that may prove problematic happen after opening malicious messages, such as opening attachments, enabling macros, clicking embedded links, or replying to the sender.

Phishing

Phishing messages are opportunistic attacks that are mass distributed via compromised email accounts or mail servers. Although phishing most commonly occurs over email, it may also occur via text messages, phone calls or social media updates. The goals of phishing messages are to:

  • Trick you into revealing sensitive or confidential information (e.g., username + password or credit card numbers). This commonly occurs through an embedded link in a message that takes you to a spoofed login prompt.
  • Install malware (e.g., a keystroke logger or ransomware). This may occur when attachments are opened, macros are enabled, or embedded links are clicked.

To view an example of a phishing message, visit the NYU IT Security News & Alerts blog.

Spear Phishing

Spear phishing attacks are targeted phishing attacks. The target may be you, your employer, or someone that you know. A spear phishing message may even target a group of people in an organization. Spear phishers use the internet—most commonly social media—to study and harvest information on their targets, so these messages may address you personally, use familiar language, or appear to come from a colleague or friend. As with phishers, the goals of spear phishers are to:

  • Trick you into revealing sensitive or confidential information (e.g., username + password). One way in which this commonly occurs is via an embedded link in a message that takes you to a spoofed login prompt.
  • Install malware (e.g., a keystroke logger or ransomware). This may occur when attachments are opened, macros are enabled, or embedded links are clicked.

To view an example of a spear phishing message with a spoofed/forged email, see the NYU IT Security News & Alerts blog.

Whaling

Whaling is a type of phishing attack that may also be referred to as business email compromise (BEC), or CEO fraud. Whales are high-value targets whose credentials or access to resources have the ability to compromise an organization. Whaling often involves messages which seemingly come from a VIP. These messages target employees and are requests which create a sense of urgency. Unlike phishing and spear phishing, whaling may not involve the installation of malware or stealing user credentials via a malicious link; rather, these threats are likely to be purely social engineering threats and may instead involve:

  • An attacker posing as a VIP and requesting a wire transfer, restricted employee data, or sensitive company data.
  • An attacker using a compromised VIP email account or a spoofed VIP email address to send messages to employees. When attackers use a spoofed email address, the visible email address may look correct, but when you hover over it, the email address used to send the message may be different. Another tactic employed by scammers is to spoof an email by using an address similar to the sender’s address. In the following whaling message example, acme-healthfoods.com was replaced with acme-healthf00ds.com.
An example of a whaling email message

Real-life whaling attempts show the intricate changes perpetrators try to make.
Image courtesy of CSO.

Protecting Yourself from Phishing Threats

If you receive a message that appears to be from an entity such as your bank or even from someone that you know, and the message does not “sound” right or contains an urgent request, confirm the legitimacy of the message by using a trusted phone number to contact the sender. Phishers are counting on the busy people who review their email quickly and click on embedded links and attachments before evaluating a message fully. Phishers are also counting on people who are eager to fulfill the request of a colleague or VIP and do so without fully evaluating the communication received. The best protection against phishing is to review all communications received prior to taking actions such as replying, opening attachments, enabling macros or clicking embedded links. For additional information, please see the best practices, reminders and resources below.

Best Practices

  • Secure your device with antivirus software, which will protect you by screening out known malware. You can find the link to download antivirus software (Symantec Endpoint Protection) on Global Home’s Antivirus and Malware Protection card. On classic NYU Home, click the Ask NYU IT button. A link to download Symantec Endpoint Protection is located in the “Software” section. 
  • Perform system updates on your devices as soon as updates become available. Updates address known vulnerabilities that attackers will exploit.
  • Create long, strong, and unique passwords of 12+ characters for all of your accounts. If your passwords are not all unique, a scammer could potentially do more harm as the password(s) possessed by scammers and all variations will be tried on a variety of sites.
  • Never disclose or reuse your passwords.
  • Limit the information you share on social media. Information that you share may be used to target you, your employer, or someone that you know.
  • Don’t open attachments unless you’re expecting to receive them.
  • On a desktop or laptop computer, hovering over embedded links will show (on the bottom left of your screen) where that link will actually take you. On iOS devices, pressing and holding on the link (rather than just tapping it) will open a dialog that displays the full URL. If the destination differs from the text in the embedded link or the expected website, the embedded link may be spoofed.
  • Similarly, previewing the email address of the sender will display the actual email address from which the message originated as well as the email address to which any reply will be directed. Be suspicious of an email address that is different from what is displayed, or is not the usual contact point for an entity or executive.
  • When in doubt of the legitimacy of a message, do not reply to an email or click on embedded elements or attachments. Instead, confirm the legitimacy of the message by contacting the sender at a trusted phone number.

Reminders

  • Please be reminded that NYU IT will never request your login credentials.
  • Phishing messages (including spear phishing and whaling) may be reported to phishing@nyu.edu.
  • If you believe that your NYU Email account or NYU credentials have been compromised, immediately reset your password. Please see Changing your NetID / NYUHome password for further instructions.
  • For NYU employees, please confirm your Direct Deposit information in PeopleSync (Workday), which you can access from the Work area of NYU Home or Global Home.

Resources

For additional information, please see: