Whaling and Spearfishing: Targeting the Top People

Most phishing email goes after mass targets. It’s not particularly well-crafted, but the senders expect that if they hit enough mailboxes, some victims will open the attachment or visit the malicious website. A growing portion, though, targets specific companies or individuals with carefully crafted messages. It’s called spearphishing. When it’s aimed at high-profile individuals or large assets, it’s also called whaling — going after really big fish. (All right, a whale isn’t really a fish.)

Probably the best-known example is a message which was sent to John Podesta, Hillary Clinton’s campaign chairman, on March 19, 2016. The subject line declared “Someone has your password,” and the message body said, “You should change your password immediately.” It provided a link with the words “CHANGE PASSWORD.” However, this link didn’t lead to Podesta’s Gmail account but used the link shortener bit.ly to conceal the actual address. That address was controlled by Fancy Bear, a Russian hacking group.

The politics of that message aren’t relevant here; what’s at issue is that it was plausible enough to fool Podesta and his staff. The HFA help desk said the message was legitimate. He clicked the link twice, and it’s not clear what happened from there. He may have given his login credentials to a lookalike site, or the act of opening the link might have put malware on his computer. All that’s known is that it opened the way for political espionage.

Business email compromise

The problem has grown huge. The Internet Crime Complaint center calls it “Business E-mail Compromise” or BEC. It reports that from January 2015 to December 2016, the losses to BEC increased by 2,370% (that’s two thousand percent).

In its most common form, the fraudulent message targets businesses that regularly perform wire transfer payments. Wire transfers are irreversible, which makes them an attractive medium for fraud. A surge in cryptocurrency-based scams is likely to follow, for the same reason. Links which trigger malware downloads are also common.

The messages use public information about the targeted person to gain plausibility. Abundant information about high-ranking executives is often available through press releases, LinkedIn, Facebook, and other easily found sources. Putting personal specifics into a message makes it look legitimate and puts victims off their guard.

Not all whaling attacks aim at just one person, but it’s never more than a small, carefully selected group. The sender may forge an email address with the company’s domain. Spam filters tend to catch those as forgeries, though, so the message may claim to come from a domain that looks almost exactly like the target domain. A fraudulent message to microsoft.com might claim to be from microeoft.com.

The criminals often register the lookalike domain names, though it’s not a requirement for email forgery. That way they can receive replies and respond to them, adding plausibility to the scam.

Spam filters often don’t catch targeted emails. They don’t fall into familiar patterns that software can detect. Filters may catch forged addresses or links to blacklisted domains, but they don’t always. Link shorteners like bit.ly disguise a link’s destination, and they’re often used for legitimate links.

How not to be tricked

Whaling messages can fool smart people. Even security experts have been fooled by some messages. A plausible link leading to a lookalike of a trusted site can trick people who should know better. We shouldn’t point fingers, but following certain practices will reduce the chances of being tricked.

  • Don’t let claims of urgency stampede you. No matter how much a message says you must act now, think about it. If anything, treat urgent language as a warning sign and think extra hard.
  • When in doubt, confirm by another channel. If you get a request to transfer money that seems to come from a colleague and it feels suspicious, pick up the phone.
  • Don’t take shortcuts because of supposed urgency. If a message has a request for a wire transfer and it seems legitimate, follow all protocols that are in place to authenticate the request. Ask the accounting department if they know of the account.
  • Avoid clicking on links. If you get a message about a problem with your Gmail account, log into Gmail through the browser and check for notifications. Links that ask you to log in are a good reason to be cautious.
  • Don’t put too much trust in the “From” address. There is nothing in the standard email protocols to prevent senders from forging their address. There are protocols, such as SPF and DKIM, which help to weed out forgeries, but they work only if they’ve been set up for the address, and not always then. Check the domain name carefully for lookalikes.
  • Look closely at the address bar. If you do click a link, check if the URL in the address bar matches where you think you should be. The advice used to be that you should look for a URL that starts with “https://”. Unfortunately (or fortunately, from other perspectives), everyone is getting secure HTTPS addresses today, so that’s not a guarantee by itself. You need to check the domain. If the URL starts with “data://” or “file://”, you’re most likely being phished.
  • Use a private email address for internal communication. A public address will pick up spammers and phishers. One that’s only known within the company is a better choice for internal, high-value communications.

Increasing awareness

Businesses need to include executives in their security training programs. This can be difficult; they’re always busy, and they might think it’s demeaning to sit in a class. But they’re the top targets for scams directed at the business, so they need to be aware. Just being aware of the risk puts them in a much safer position than someone who assumes that every personalized email message is legitimate.

Lower-level employees need to learn reasonable caution about messages which appear to come from a top executive. Their natural inclination will be to carry out the instructions, but they need to be aware that the message could be a fake.

A training program that sends test whaling messages can help a lot. Executives who respond to one and then learn that they were tricked will hopefully be more cautious after that.

Anyone can fall for a fraudulent email message some of the time. If they’re careful it will be rare, and a set of good procedures will catch most of their mistakes.

Our support services will help you to keep your systems secure against all kinds of threats. Contact us to learn more about our services.