Gone Phishing! A Whale of a Tale

This is a story about how the “big one” got away. To start, let’s plunge into data security attacks carried out through phishing and the methods they use.

First, what is phishing?

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

Types of Phishing Threats:

Common Phishing: This is the most common type of phishing. It is an attack launched to lure as many people as possible, so it is not detailed or tailored to fool any one person. The success of this type of email scam hinges on how closely it can resemble whatever it is trying to mimic (a letter from the IRS, a package notification from the post office, etc.).

Vishing: This is the voice counterpart to phishing. Scammers use “social engineering” to gather personal data during a telephone call. A good example is the calls supposedly from Microsoft about errors that your computer is broadcasting over the Internet. While “fixing” your computer, the scammers install software that gives them remote access to your machine or that logs and steals usernames and passwords.

Spear-Phishing: This is the most successful of the various attack types; spear-phishing accounts for 91% of successful attacks. In this attack a scammer researches an individual target and then personalizes the attack to that target. It is typically more believable because the scammer already has information about the target that they can share to make the attack sound legitimate. An example would be a scammer pretending to be a bill collector who knows your address, phone number, and the last 4 digits of your SSN.

Whaling: This is a spear-phishing attack targeting top-level employees in a company. Typically the scammer gathers information about the company and then crafts an attack aimed at upper-level executives. They do this for two reasons:

  1. They expect upper management to have access to valuable systems and resources.
  2. In some companies, upper management is not required to attend mandatory security training.

In 2008 the FBI did a study and found that in one attack 20,000 executives had been targeted, and 2000 of them had fallen for the scam. All 2000 of those companies were hacked. Again, that is 2000 hacks from a single email campaign.

Colleges have valuable information that these individuals want: students’ and parents’ personally identifiable information, not to mention your own PII. At the end of the day, when the cyber-attackers go phishing, you want to be the big ones that got away!

NOTE – special thanks to Parham again.

Photo (black tail of a whale underwater) by Ferdinand Stöhr / Unsplash