The Download: Feature Articles
Phishing, Spear Phishing, and Whaling
By Leila Sharma | Updated September 27, 2023
Don’t Let Them Hijack Your Accounts
Workplace and personal email have become the most common attack surfaces for opportunistic and targeted phishing scams. The impacts of phishing are many and may include identity theft, intellectual property theft, reputational damage, business shutdowns, monetary loss, loss of trust, or the installation of malware that compromises devices and data, such as ransomware or spyware. According to the 2023 Verizon Data Breach Investigations Report (DBIR), the average cost of a data breach in organizations with 10 - 20,000 employees is 5.56 million dollars, and phishing was named one of the two most common causes of breaches (the other was compromised credentials).
Phishing scams use social engineering to trick victims into taking actions that are not in their best interest. There are different types of phishing, and phishing may be categorized using terms such as mass-distributed phishing, spear phishing or whaling. The different categories refer to the distinguishing features and varying methods employed by scammers, but they all have similar goals and are broadly known as phishing attacks.
Artificial Intelligence (AI) adds to the difficulty of detecting and avoiding phishing: it lets scammers easily create more credible scams and compose phishing messages in different languages with fewer errors. These messages often sound and look like they come from known and trusted sources. Malicious messages and websites may combine social engineering with AI-generated content, which may be obvious (voiceless, predictable, detached) or more difficult to detect. The use of AI underscores the importance of having a way to verify legitimacy other than over the internet.
This article explores the commonalities and differences among the types of phishing attacks and provides tips and resource recommendations. Please be reminded that simply opening an email message carries low risk; the actions that may prove problematic happen after a malicious message is opened, such as opening attachments, enabling macros, scanning QR codes, clicking embedded links, downloading files, or replying to the sender.
Mass-distributed phishing messages are opportunistic attacks that are often delivered via compromised email accounts or mail servers. Although phishing most commonly occurs over email, it may also occur via SMS text messages, downloads, web pop-ups, malicious websites, phone calls, and social media. The goals of phishing messages are to:
- Trick you into revealing sensitive or confidential information. An example is an embedded link in a message that takes you to a spoofed login prompt from which an attacker can steal your login credentials, or a login prompt that directs you to a malicious website.
- Install malware (e.g., spyware or ransomware). This may occur when attachments are opened, social media updates are clicked, macros are enabled, QR codes are scanned, embedded links are clicked, or software or documents are downloaded.
Spear phishing attacks are targeted or “customized” phishing attacks. They target a specific person the attacker has identified, using a lure the attacker knows or suspects to be of relevance or interest to that person. The target may be you, your employer, someone that you know, or a group of people. Spear phishers use the internet, most commonly social media and public websites, to study and harvest information on their target. These messages may address you personally, use a familiar greeting, or appear to come from a colleague, acquaintance, friend, or a higher-up in your organization.
Whaling is a type of phishing attack that may also be referred to as “Business Email Compromise” (BEC) or CEO fraud. Whales are high-value targets whose credentials or access to resources have the ability to compromise an organization. Whaling often involves messages that seemingly come from a VIP. These messages target employees with requests that create a sense of urgency. These threats may involve:
- An attacker posing as a VIP and requesting a wire transfer, restricted employee data, or sensitive company data.
- An attacker using a compromised VIP email account or a spoofed VIP email address to send messages to employees. When attackers use a spoofed email address, the visible email address may look correct, but when you hover over it, the address actually used to send the message may be different. Another tactic employed by scammers is to spoof an email by using an address similar to the sender’s address. In the following whaling message example, acme-healthfoods.com was replaced with acme-healthf00ds.com (the letter “o” replaced with the digit zero).
Real-life whaling attempts show the intricate changes perpetrators try to make.
Image courtesy of CSO.
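As an added example (not code from the original article or from any NYU tool), the following Python flags the two sender-spoofing tactics described above: a display name that shows a different address from the one the message actually came from, and a sending domain that imitates a trusted one through character swaps such as the zero-for-“o” substitution in acme-healthf00ds.com. The trusted-domain list, the sample headers, and the substitution table are constructed for illustration; the `mail-relay.example` address is hypothetical.

```python
import re
from typing import List, Optional, Tuple

# Character substitutions scammers use to build lookalike domains.
# Constructed for this example and deliberately incomplete. The table is
# applied to BOTH the suspect and the trusted domain, so a legitimate
# domain that happens to contain a digit is not penalised.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
_MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(domain: str) -> str:
    """Normalise a domain so that visually similar spellings collide."""
    d = domain.strip().lower().translate(_CONFUSABLES)
    for seq, repl in _MULTI_CHAR:
        d = d.replace(seq, repl)
    return d.replace("-", "")


def lookalike_of(domain: str, trusted: List[str]) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.
    An exact (case-insensitive) match is legitimate, not a lookalike."""
    d = domain.strip().lower()
    if d in {t.lower() for t in trusted}:
        return None
    sk = skeleton(d)
    for t in trusted:
        if skeleton(t) == sk:
            return t
    return None


# "Display Name <addr@domain>" or a bare address. A simplified parser
# (not email.utils.parseaddr) so that an address embedded in the display
# name is kept for inspection rather than rejected as malformed.
_ADDR_RE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$")
_EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)*\.[A-Za-z]{2,}")


def split_from(header: str) -> Tuple[str, str]:
    """Split a From: header into (display name, address)."""
    m = _ADDR_RE.match(header)
    if m:
        return m.group("name").strip('" '), m.group("addr").strip()
    return "", header.strip()


def check_sender(from_header: str, trusted: List[str]) -> List[str]:
    """Return findings for a From: header (empty list = nothing suspicious)."""
    findings = []
    name, addr = split_from(from_header)
    domain = addr.rpartition("@")[2].lower()
    # 1. The display name shows an address that is not the real sender.
    shown = _EMAIL_IN_TEXT.search(name)
    if shown and shown.group(0).lower() != addr.lower():
        findings.append(f"display name shows {shown.group(0)} but message is from {addr}")
    # 2. The real sending domain imitates a trusted domain.
    target = lookalike_of(domain, trusted)
    if target:
        findings.append(f"sending domain {domain} imitates trusted domain {target}")
    return findings


# Constructed trusted list and sample headers (hypothetical addresses).
TRUSTED = ["acme-healthfoods.com"]
SAMPLE_HEADERS = [
    "Pat Lee <pat.lee@acme-healthfoods.com>",                        # legitimate
    "Pat Lee <pat.lee@acme-healthf00ds.com>",                        # zero for "o"
    "pat.lee@acme-healthfoods.com <vendor-pay@mail-relay.example>",  # shown != real
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", check_sender(h, TRUSTED) or ["ok"])
```

The skeleton comparison is intentionally coarse: it only catches swaps in the table, compares whole domains (a trusted name buried in a subdomain of an unrelated domain is not caught), and should be treated as one indicator to weigh alongside the phone-call verification recommended in this article.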
If you receive a message that appears to be from an entity such as your bank, or even from someone that you know, and the message does not “sound” right, does not look familiar, or contains an urgent request, confirm the legitimacy of the message by contacting the sender at a trusted phone number. Remember, phishers are counting on busy people who review their email quickly and click on embedded links and attachments, or scan codes, before evaluating a message fully.
Phishers are also counting on people who are eager to take advantage of an offer or to fulfill the request of a colleague or VIP, and who may do so without fully evaluating the communication. Security technologies such as antivirus software help, but the best protection against phishing is your own judgment. Therefore, review all communications when you have the time to evaluate them fully, and before taking actions such as replying, opening attachments, enabling macros, or clicking embedded links. For additional information, please see the notable trends, best practices, reminders, and resources below.
Trends that we’ve noted include:
- An uptick in QR code phishing, which can, among other things, lead to the exfiltration of data from your mobile device when a QR code is scanned. A malicious QR code is almost impossible to detect by eye. Scammers can easily exploit legitimate QR codes displayed in public places by overlaying them with malicious codes. Once scanned, the QR code may or may not present a link to click. Irrespective of whether you click a link, the simple act of scanning a malicious QR code can trigger a variety of actions, such as the installation of malware, the adding of a contact, the composing of an email, the opening of a malicious website, or the exfiltration of data. For more information on how QR codes can be exploited, see the Download article Don't Scan a Scam.
- Whaling threats manifesting as complex social engineering threats that involve multiple malicious actors in a series of communications. Don’t be fooled by “the noise”.
- An uptick in SMS text message phishing, because shortened links are harder to preview and evaluate in text messages.
- Imposter emails, in which a scammer sends an email from a compromised NYU account or spoofs an NYU community member and requests immediate action, such as providing sensitive information or purchasing gift cards.
- Secure your device with antivirus software, which will protect you by screening out known malware. For more information, see NYU's Safe Computing website.
- Perform system updates on your devices as soon as updates become available. Updates address known vulnerabilities that attackers will exploit; a flaw that attackers exploit before a fix is available is called a zero-day vulnerability.
- Create long, strong, and unique passwords of 14+ characters for all of your accounts. If your passwords are not all unique, a scammer who obtains one could do more harm, because any password in a scammer’s possession, and variations of it, will be tried on a variety of sites.
- Never disclose or reuse your passwords.
- With the growing prevalence of malicious sites, and their prominence in search results, it’s a good idea to bookmark known and trusted URLs and to visit most sites that way.
- Limit the information you share on social media and review your privacy options regularly, as options change. Information that you share may be used to target you, your employer, or someone that you know.
- Do not click on links in text messages. They are often shortened and more difficult to preview. Instead, visit sites via your bookmarks or a trusted URL.
- Be wary of QR codes, which if scanned and malicious, may put your personally identifiable information (PII) and data at risk. For more information, see the Download article Don't Scan a Scam.
- Don’t open attachments or click on links unless you’re expecting the message.
- On a desktop or laptop computer, hovering over an embedded link will show (usually at the bottom left of your screen) where the link will actually take you. On iOS devices, pressing and holding the link (rather than just tapping it) opens a dialog that displays the full URL. If the destination differs from the text of the embedded link or from the expected website, the link may be spoofed.
- Previewing the sender’s email address will display the actual address from which the message originated as well as the address to which any reply will be directed. Be suspicious of an email address that differs from what is displayed, or that is not the usual contact point for an entity or executive.
- When in doubt about the legitimacy of a message, do not reply, click on embedded elements, or open attachments. Instead, confirm the legitimacy of the message by contacting the sender at a trusted phone number.
- For students, do not be tricked by scammers attempting to lure you with fake job postings. NYU job postings and offers of NYU employment will only come to you via NYU Handshake.
- Please be reminded that NYU IT will never request your login credentials.
- If you believe that your NYU Email account or NYU credentials have been compromised, immediately reset your password. Please see Changing your NetID / NYUHome password for further instructions.
- For information on recognizing common email scam indicators, please see the NYU knowledge base article: Recognizing phishing scams and protecting yourself online.
- For more information on ransomware attacks, please see the Download article: Ransomware Scams: Don’t Let them Lock You Out of Your Own Computer.
- For more information on password best practices, please see the Download article: Under Lock and Passphrase: Protecting and storing your passwords with a password manager.
- NYU’s Safe Computing website
- See the NYU IT Security News Alerts blog for news and resources
- To report phishing, email email@example.com
- To report a security incident, email firstname.lastname@example.org
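The best-practice tips above recommend checking where an embedded link really points (by hovering or pressing and holding) and previewing where a reply would be sent. As an added example (not code from the original article or from any NYU tool), the following Python automates those two checks over a constructed HTML email body: it flags a link whose visible text names one site while its href goes to another, a link hidden behind a well-known URL shortener that cannot be previewed, and a Reply-To header that would route the answer to a different domain than the From address. The sample HTML, hosts and paths (`account-verify.example`, `mail-relay.example`, the shortener path) are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML body with three links (hypothetical hosts/paths):
# one whose visible text names the trusted domain while the href points
# elsewhere, one that is consistent, and one hidden behind a shortener.
SAMPLE_HTML = """
<p>Your payroll profile needs attention before Friday.</p>
<p><a href="https://acme-healthfoods.com.account-verify.example/login">
https://acme-healthfoods.com/payroll</a></p>
<p><a href="https://acme-healthfoods.com/benefits">Benefits portal</a></p>
<p><a href="https://bit.ly/placeholder-id">Open the updated form</a></p>
"""

# Well-known URL shorteners (real services; the list is not exhaustive).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

# A hostname-like token in visible link text, e.g. "acme-healthfoods.com".
_HOST_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse the whitespace that HTML line breaks leave in the text.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(url):
    """Hostname of a URL; http:// is assumed when the scheme is missing."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    """Last two labels of a hostname. Simplification: without a public-suffix
    list, names like example.co.uk reduce to co.uk."""
    return ".".join(host.split(".")[-2:])


def check_link(href, text):
    """Return human-readable findings for one link, or an empty list."""
    findings = []
    real_host = host_of(href)
    shown = _HOST_IN_TEXT.search(text)
    if shown:
        shown_host = shown.group(1).lower()
        if registrable(shown_host) != registrable(real_host):
            findings.append(f"text shows {shown_host} but link goes to {real_host}")
    if registrable(real_host) in SHORTENERS:
        findings.append(f"destination hidden behind shortener {real_host}")
    return findings


def scan_html(html):
    """Scan every link in an HTML body; returns [(href, finding), ...]."""
    return [(href, f) for href, text in extract_links(html) for f in check_link(href, text)]


def reply_to_mismatch(from_header, reply_to_header):
    """True when Reply-To would send the answer to a different domain than From."""
    def domain(header):
        m = re.search(r"<([^<>]+)>", header)
        addr = m.group(1) if m else header.strip()
        return addr.rpartition("@")[2].lower()
    return bool(reply_to_header) and domain(reply_to_header) != domain(from_header)


if __name__ == "__main__":
    for href, finding in scan_html(SAMPLE_HTML):
        print(f"{href}\n    -> {finding}")
    print("Reply-To mismatch:",
          reply_to_mismatch("Pat Lee <pat.lee@acme-healthfoods.com>",
                            "Pat Lee <pat.lee@mail-relay.example>"))
```

Only links whose visible text itself looks like a hostname are compared, so a plain “Benefits portal” label produces no finding; the shortener check covers the case where the text reveals nothing and the destination cannot be previewed at all, which is the situation the SMS tips above describe.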