Recapping Email-based Attacks

Email Based Attacks

Phishing | Spear-phishing | Whaling

Definitions

Phishing:

The fraudulent attempt to obtain sensitive information by disguising oneself as a trustworthy entity in an email.

Spear-phishing:

The act of sending emails to specific and well-researched targets while purporting to be a trusted sender.

Whaling:

The fraudulent use of a compromised email account of a CEO or other high-ranking executive.

Differences and objectives

The key difference between these attacks is in the specificity of the sender and receiver of the fraudulent email. Phishing emails are sent to a large group of individuals, generally from an external organization, whereas spear-phishing takes a more personal and targeted approach regarding the receiver of the email. Whaling is even more specific as the identity of the sender and receiver are critically important, where often the sender claims to be from the same organization as the receiver.

The objective of phishing and spear-phishing is either to infect devices with malware or convince victims to hand over information or money. On the other hand, the objective of whaling is mainly to access information or accounts of a senior member of an organization to, for example, transfer funds or sell employee data. All employees of an organization are at risk of being targeted by phishing, spear-phishing, and whaling attacks, and high-ranking officials are especially at risk of being impersonated. To defend against email-based attacks, be very suspicious of unusual, demanding, and urgent requests and always do the following:

• double-check email addresses
• use multi-step verification
• do not click on links and attachments in emails unless you are expecting them
• do not reply to unknown email addresses
• report any suspicious emails

Keep these best practices in mind in your daily routine to ensure your personal and organizational information and accounts remain secure.