Healthcare Perspectives

Phishing, Spear Phishing, Whaling… Oh My!

Dec 05, 2017
By: Jeff Olejnik

Phishing is one of the most commonly used attacks against users. By way of email, those with malicious intent will contact unsuspecting persons, asking them to click a link or download a file. Generally, the end goal is to infect the user’s computer with malware or get them to submit important personal information.

“Spear phishing” is a term used to describe a phishing attack that is directed towards a specific individual, usually for the purpose of identity theft or other compromise.

“Whaling” describes a phishing attack specifically targeted at high-profile end users such as C-level corporate executives, politicians and celebrities. The purpose could be to gain information useful in blackmail, insider trading, or the simple stealing of account credentials.

First, understand that “spam” and “junk” filters do not catch all malicious email. Second, know what signs to look for in a phishing email. The vast majority of phishing attempts are fairly easy to recognize and avoid. Here are a few aspects of phishing emails that can help you recognize their true nature:

  • Look at the “from” address. Be sure you recognize it. Then take a second look at the domain name (that’s the name after the “@” symbol). Make sure it’s spelled correctly. At the office, an internal email from your coworker would display only his or her name. If it also shows the full email address, it came from the outside.
  • Look for a “reply” address that matches the “from” address.
  • Check that the message is well composed with the grammar and spelling you would expect from the sender, whether it’s your boss, your brother, or your bank.
  • If there is a link in the email, does it match the destination? By hovering your mouse over the link (without clicking on it), your email application will show its actual destination. Again, take a second look at the domain. Be sure it is a domain you would expect. Misspelling a domain is a very common tactic (microsft.com vs. microsoft.com). At a glance, they look the same, but one will take you to Microsoft, and the other will take you somewhere you don’t want to go.
  • Does the email ask you for personal information? Most organizations would never ask for personal information in an email or ask you to “reconfirm” your password and account information.
  • Trust your gut! If something doesn’t seem right, it probably isn’t. If you are not sure and are worried there is something urgent that needs your attention, then contact that company/organization as you normally would. Never use the email links or any information from a suspected phishing email (including the phone number!).
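Several of the checks in the list above can be applied mechanically to a raw message: compare the “from” domain against domains you trust (catching lookalikes such as microsft.com), compare the “reply-to” domain with the “from” domain, and compare the text shown for a link with the address it really points to. The script below is an added example for this post, not code from the original article or from Wipfli; the two sample messages, the `TRUSTED_DOMAINS` list and the function names are all constructed for illustration, and it uses only the Python standard library.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: lookalike sender domain, mismatched Reply-To, and a link
# whose visible text names a different host than its real destination.
SAMPLE_PHISH = b"""From: "Microsoft Account Team" <security@microsft.com>
Reply-To: reconfirm@example.net
To: user@example.org
Subject: Reconfirm your password
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be closed. Please
<a href="http://login.example.net/reconfirm">https://account.microsoft.com/</a>
to reconfirm your password.</p>
</body></html>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
SAMPLE_OK = b"""From: "Pat Coworker" <pat@example.org>
To: user@example.org
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Lunch at noon? Menu is at https://example.org/menu
"""

# Assumption: domains the reader expects legitimate mail from.
TRUSTED_DOMAINS = {"microsoft.com", "example.org"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Lower-cased part after '@' of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return a trusted domain that `domain` closely imitates but does not equal, else None."""
    for good in trusted:
        if domain != good and levenshtein(domain, good) <= 2:
            return good
    return None


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html: str):
    """Anchors whose visible text names a host different from the real href host."""
    parser = _LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        real_host = urlparse(href).hostname or ""
        if "." in shown_host and shown_host != real_host:
            out.append((text, href))
    return out


def analyze(raw: bytes) -> list:
    """Run the header, link and wording checks on a raw RFC 5322 message; return findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    good = lookalike_of(from_domain)
    if good:
        findings.append(f"from-domain {from_domain} looks like {good}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from from-domain {from_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        for shown, real in link_mismatches(text):
            findings.append(f"link shows {shown} but points to {real}")
    if re.search(r"\b(re-?confirm|verify)\b.*\b(password|account)\b", text, re.I | re.S):
        findings.append("asks to reconfirm password/account details")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(name, analyze(sample))
```

Each finding corresponds to one bullet above; the script only surfaces the signals, and the reader still makes the final call. The edit-distance threshold of 2 is an assumption chosen for short domain names and will produce false positives on very short trusted domains.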

Unfortunately, email phishing works on unsuspecting people every day. Even emails that seem farfetched (“Send me $100,000 so I can give you my inheritance”) work all the time, but those aren’t the only emails that get sent. There are often crafty and well-constructed emails that require a close look to notice they are malicious. So take that second look and check before you click, download, or enter your information.

Note: The IRS and other government agencies will never contact you or ask for personal information via email. 

