While the content of phishing and spear-phishing emails can vary, cyber criminals often employ similar strategies and tactics. Using these methods, phishers have proven repeatedly that they can affect users regardless of their position in companies, presumed level of technical expertise or employment field.
The effectiveness of a phishing attack is limited only by the sender’s imagination. Again, the content of these attacks may differ depending on the scope of the scam, but most use a combination of the following strategies.
Impersonation
A common tactic for spear phishers is to impersonate someone the victim knows, like a co-worker, friend or family member. Attackers may pretend to be a high-level executive asking an employee for sensitive information and credentials. Attackers may also impersonate loved ones and ask an individual to wire money following an alleged emergency.
When it comes to spear-phishing emails, you can’t assume that personalized messages indicate a legitimate email. In fact, in finely crafted spear-phishing scams, the attacker will have done their research and may include specific names, dates and details the user is familiar with and likely to respond to.
Impersonation is part of a larger strategy cyber criminals use called social engineering. Social engineering is the art of accessing information, physical places, systems, data, property or money by using psychological methods, rather than technical methods or brute force. These attacks can occur in a number of different forms, including a well-crafted spear-phishing campaign, a plausible-sounding phone call from a criminal posing as a vendor or even an on-site visit from a “fire inspector” who demands access to a company’s server room.
Fake President Fraud
One subset of impersonation and social engineering is commonly referred to as fake president fraud. The fake president fraud is a type of scam in which a criminal posing as a company executive convinces an employee to voluntarily transfer a large sum of money directly to a criminal’s account. The fake president fraud may vary in some of its details, but it always contains four major elements:
- Someone posing as a high-level executive in the company will reach out to the target employee.
- The sender will ask the employee to wire a large sum of money to a foreign bank account.
- If the employee questions the request, the send will deploy psychological pressure to comply.
- The employee contacts the bank to complete the transfer.
Whaling
Whaling is another example of an impersonation scheme. However, in whaling attacks, cyber criminals specifically target high-profile business executives. These emails are sent to a single person or small group of targets, which differs from the mass distribution techniques used in standard phishing attacks.
In these scams, the fraudulent emails and webpages are designed to appear like a critical business email from someone with legitimate authority, either externally or internally. Whaling falls under the umbrella of spear-phishing attacks, as these emails usually address executives by full name, company and job title.
In whaling attacks, criminals are usually after confidential company information. This could be passwords to sensitive accounts or information on specific processes and products. Whaling messages often employ scare tactics, threatening legal fees, termination and bankruptcy to trick the victim into taking a specific action (e.g., clicking a link, downloading malicious software or completing a fraudulent form). The whaling email or website may come in the form of a false subpoena, a fake message from the police or some sort of critical legal complaint.
For more information on additional types of strategies used by cyber criminals, check out part 2 of this article.
Need help identifying phishing attacks? For an overview of its dangers and characteristics, download our FREE Phishing Attacks: A Cyber Security Guide for Employers & Individuals!
