For threat actors, phishing embodies the holy trinity of goals: easy, effective and profitable. It’s no wonder that the 2022 X-Force Threat Intelligence Index reports that phishing was the top method used by attackers to breach an organization. Of all the attacks that X-Force remediated in 2021, attackers used phishing in 41% of them.
Because phishing is so successful, it has taken on a life of its own with numerous variants. Take a look at three trending types and how to prevent them.
What is spear phishing?
Spear phishing attacks are more targeted than general phishing. They specifically aim to reel in higher-value companies and victims. The fishing analogy here would be spending more time going after bigger fish. For an attacker, spear phishing is often more profitable than the ‘spray and pray’ method of sending a general phishing attack to thousands of companies.
One of the main reasons why spear phishing is so successful is because adversaries will spend much more time researching their victims. The more they know about their specific targets, the better they can be at tailoring their message. Therefore, the chance of tricking the victim increases. For example, an attacker may spend time on the company’s social media accounts. Perhaps the company hosted a particular webinar, and the attacker could reference information about the topic in their phishing email.
It’s important to note that today, most spear phishing attacks can be launched quickly and easily. Typically, they take only a few clicks of the mouse. With pre-made phishing kits for sale on the dark web, the barrier to entry for adversaries is getting lower each year.
What is whaling in cybersecurity?
Whaling is very similar to a spear phishing attack but targets the C-suite and top executives. While spear phishing may target lower-level employees of a high-value organization, whaling focuses on high-value employees. After all, if an attacker can gain account credentials from the CEO or chief financial officer, their bounty will be larger than the username and password information of an employee further down the org chart.
Like spear phishing, whaling also requires attackers to research their victims, perhaps even more so. Typically, whaling attacks begin with social engineering techniques via phone calls or emails.
Armed with that research, the attacker will craft their phishing message to lure the victim into believing the email is honest. One common form of whaling to look out for is the Business Email Compromise (BEC), which aims to fool the victim into thinking it comes from a C-suite executive’s email account. Attackers often edit the account name and address to look similar enough to fool users.
For example, a BEC scam in 2020 was successful when attackers changed one letter of the company CEO’s email address. It was enough to fool the victim into transferring one million into the fraudster’s account to “address COVID precautions”.
What is barrel phishing?
Barrel phishing, also known as double-barrel phishing, aims to fool victims with two separate emails. The first email is typically safe; it does not contain malware or a phony link. Attackers use it as the bait to establish trust. Once some sort of trust has been established, the attacker sends another email as a follow-up, which will include a malicious attachment or link.
These pressure tactics can lead to users giving their information to attackers, putting their data and company at risk.
For example, the first message will appear innocent, like “Hey there, quick question for you.” The second email could say something like, “Hey again. Sending this file your way, can you please check for errors? Need ASAP.”
The attack succeeds as soon as the victim clicks on the attachment or clicks on a link sending them to a phony website asking for login details.
How to protect your organization from phishing attacks
Approach defending against phishing attacks with a three-pronged strategy, consisting of technology, awareness and vigilance.
When it comes to phishing awareness, the right tech can produce great results. For example, KnowBe4 or Hoxhunt security and phishing awareness programs can put employees to the test with fake target phishing emails. They conduct tests randomly and often adjust the email’s content, context and complexity.
Another way to defend against phishing attacks is multi-factor authentication (MFA). While MFA is not foolproof, requiring phishers to jump through an extra hoop to authenticate could go a long way in preventing an attack. Using spam controls, URL blocking and ensuring personal devices are patched can also be helpful.
Technology aside, champion phishing awareness from a human perspective. Brief but frequent training sessions can go a long way in raising awareness. If training is engaging and short, employees won’t see it as a burden. Training should adapt to match the threat landscape.
But perhaps most importantly, vigilance is required from all employees, especially C-suite executives. It’s only human nature to trust an email or phone call that may seem honest. But if everyone is skeptical of requests by default, the whole group benefits.
Vigilance and culture
If you receive a request that may seem honest, but you are not entirely sure, why not follow up with a phone call or in-person visit? Emailing the requester to confirm won’t help, as replying to an attacker will only signal that they have you on the hook.
If the request contains a link, a good practice would be to type in the website address in the browser by hand to confirm it’s real.
Culture is critical here. Employees should feel completely comfortable reporting suspicious emails and requests. When employees feel empowered by security awareness training, they’re more likely to make the right decisions.
Here’s the big takeaway: C-suite executives need to participate, too. Senior management should be equally active in awareness training. After all, they are the biggest targets for the phishing attacks we’ve discussed.