Taking the Bait

Spearphishing, whaling and vishing

It seems 2020 has been a bumper year for cyber criminals, with SMEs through to corporates falling foul of ransomware attacks, including Carnival Cruises, Hackney Council, Garmin, Pitney Bowes and Honda.

And it’s not just ransomware attacks: Twitter was hacked and criminals posted tweets from the accounts of Bill Gates, Barack Obama and Elon Musk, while the surge in the popularity of Zoom during the first phase of lockdown saw strangers hijacking online meetings.

On the SME stage, there has been a huge increase in spam as well as fraudulent attempts to gain access to company systems, email, financial records and so on.

Cyber security must remain front and centre stage for all businesses. Whilst your people are your biggest asset, your data comes a very close second.

So, whilst we have talked about phishing before, we felt it was worth exploring what to look out for as criminals become increasingly sophisticated.

What’s spear phishing?

Spear phishing is when an individual is targeted, rather than the more blanket approach sent out in high volume, known just as phishing. Criminals are likely to have already built a small profile – they know the name, place of work, job title, email address and the kind of role somebody holds. When they send an email, it’s worded in a relevant way, using the kind of language you might expect. This means it can also often bypass spam/email filters. It is easy to be taken in by this approach.

This is probably one of the bigger risks while your team are working remotely. Without a colleague to ask for an opinion, and the more relaxed atmosphere of working from home, staff are more susceptible to this kind of attack.

The advice for staff remains the same:

  • Check the email address – is it legitimate?
  • Do they know the sender?
  • Don’t click on links or open attachments if at all unsure
  • Think twice – refer to the IT team if in any doubt

And what’s whaling?

Whaling takes a very similar form to spear phishing but is very targeted to senior level directors – CEOs, CFOs, MDs and so on. Whilst senior company executives might be more wary, the criminals work on the principle that when it works the rewards are much richer. Being able to mimic a senior director clearly adds weight, after all, who challenges an email from the Chief Exec?

And, yes, this really does happen. Sadly, more than one of our customers has fallen foul of this ploy and lost significant amounts of money after being hoodwinked into making fraudulent payments.

What about smishing and vishing?

Yes, we know, these terms are becoming ever more confusing. Who knew there were so many ways to describe elements of cybercrime?

Both are forms of phishing that use phones rather than email. Smishing is the act of using text messaging, and there has been quite an increase in this recently.

Vishing is calling you, either by landline or mobile, and attempting to convince you that the caller is from a legitimate organisation. The most common “callers” claim to be from your bank, credit card company, HMRC or even the police.

Here’s an example reported to us very recently:

Mobile rings… Recipient answers, and the caller says:

“An Inland Revenue fraud case has been opened in your name; you must press 1 now.”

Thankfully the person who received the call realised it was a scam and hung up.

It is worth reminding your team:

  • HMRC don’t call you out of the blue – they usually send a letter
  • If there was an open fraud case, they would have started the communication by post, and possibly continued via email
  • Calls that come from mobile numbers (which this was) will not be from any reputable business such as your bank, the police or HMRC
  • Be particularly wary of pre-recorded voices – these are high risk
  • No legitimate business will ask you to divulge personal details for security checks
  • Never be sucked into transferring money – use invoice references for where to send payments
  • Whilst this advice is very much business focused, sadly older people are very often victims of this approach, so do share it with family who may be less tech savvy

And in the interests of completeness, what about angler phishing?

Yes, that really is a thing! This is a relatively new approach by cyber criminals and works by scanning social media. Crooks look out for people innocently ranting or complaining about poor service, then purport to be the customer service department of the business and ask for various details to look into the matter. Before you know it, key information has been handed over innocently, and the scam is underway.

Please remind your team:

  • Check URLs and websites – whilst they may look like the legitimate ones, there will be one or two letters wrong, spelling mistakes, or images that don’t look quite right
  • Be mindful of what is shared on social media. Most people have their birthday visible; when a “milestone” birthday is celebrated publicly, criminals have your date of birth
  • Make sure passwords are not names of pets or children – again, many people share this information on social media, making it easy to target them
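One way to turn the address and URL checks in these lists, and the earlier point about emails that appear to come from a senior director, into an automated first-pass triage, as an added example that is not part of the original article: it flags sender domains that are a letter or two away from a trusted one (including digit-for-letter swaps), a Reply-To that goes somewhere other than the From domain, and a display name matching an executive but arriving from an outside address. The trusted domains and executive names are constructed placeholders.

```python
# Added example (not the article's own code): triage an inbound mail's From/Reply-To
# headers and body URLs against the checklist above. Domains and names are constructed.
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.co.uk", "example-bank.com"}  # constructed allowlist
EXECUTIVES = {"jane smith", "raj patel"}                  # constructed senior-staff list
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})  # digit swaps
URL_HOST = re.compile(r"https?://([^/\s:]+)")

def normalise(domain: str) -> str:
    """Collapse the usual visual tricks so 'examp1e' and 'exarnple' both read 'example'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, which catches the 'one or two letters wrong' case."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str) -> str:
    """'trusted' on an exact match, 'lookalike' within two edits of one, else 'unknown'."""
    domain = domain.lower().removeprefix("www.")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(edit_distance(normalise(domain), normalise(t)) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

def triage_sender(from_header: str, reply_to: str = "") -> list[str]:
    """Warnings the checklist raises for one message's From and Reply-To headers."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    verdict, warnings = classify_domain(domain), []
    if verdict == "lookalike":
        warnings.append(f"From domain {domain!r} is a lookalike of a trusted domain")
    if name.strip().lower() in EXECUTIVES and verdict != "trusted":
        warnings.append(f"display name {name!r} is an executive but the address is external")
    if reply_to and parseaddr(reply_to)[1].rpartition("@")[2].lower() != domain:
        warnings.append("Reply-To points at a different domain than From")
    return warnings

def flag_urls(body: str) -> dict[str, str]:
    return {host: classify_domain(host) for host in URL_HOST.findall(body)}  # verdict per URL host
```

A hit from any of these functions is a prompt to refer the message to the IT team, not a verdict on its own; a clean result does not make a message safe.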

Ultimately, you cannot remove the risk altogether, but you can certainly be more prepared.

Adding extra security measures and training your staff regularly on security risks are also recommendations we give to our customers. If you would like to talk about that in more detail, please give us a call on 01784 437 123.

Get in touch with us

If you’d like to learn more about how we can support your IT systems, please get in touch …

01784 437 123

The White House, 53 High St, Egham TW20 9EX