Social Engineering – Recognizing Phishing / Whaling attempts



What is Phishing?

Phishing is the act of fraudulently contacting many individuals or companies in an attempt to obtain unauthorized access to sensitive or personal information. Phishing is a broad attack: it uses general information to elicit a response, targeting no one individual in particular but relying on generalizations to lend apparent validity to an information request. The request can seem trivial at the time, but any information obtained can be used in the theft of a victim's more important data.


What is Spear Phishing?

Spear Phishing is the targeting of a specific individual in the hope of obtaining personal or restricted information. It is similar to Phishing, but this time the attacker is more aware of the target, usually already knowing the victim's name, address, e-mail and phone number before making initial contact. A Spear Phishing target may be offered seemingly private information from an apparently trustworthy source before any information is requested, eventually leading to data theft.


What is Whaling?

Whaling is the term for corporate-level Phishing attempts. Taking the Spear Phishing approach a step further, Whaling targets are usually in upper-level management or hold access to valuable restricted information. Much the same means are used in Whaling as in Spear Phishing, but the attacker will be very familiar with the target before making contact, and the communications will appear highly professional.


How to protect yourself

  • Don't respond to e-mails that request personal or financial information. Contact the company directly if you are suspicious of an e-mail.
  • Visit Web sites directly by typing the address into the URL bar, not by following links in e-mail: the text shown for a link and the address it actually opens can differ.
  • Keep a regular check on your accounts and don't reuse passwords across sites.
  • Make sure any Web site requesting personal information uses a secure connection. The address where you enter personal information should begin with https; the "s" stands for secure. If you don't see https, the connection is not secure and you should not enter personal information. Note that https only means the connection is encrypted, not that the site is legitimate: a phishing site can also use https, so check the domain name as well.
  • Help keep your computer secure by using up-to-date security and anti-virus software.
  • Don't enter personal or financial information into pop-up windows since they are not always secure.
  • Keep your Microsoft® Windows® software up to date with automatic Windows Update.
  • Don't open unexpected file attachments received in e-mail. Like fake links, attachments are often used in fraudulent e-mails and can be dangerous: opening an attachment from a phishing e-mail can install spyware or a virus.
  • If in doubt, always request and check the credentials of the person or company contacting you. Again, contact the company directly if you have concerns.

NOTE: These suggestions for avoiding Phishing exploits are provided to help ensure sensitive data isn't put at risk unnecessarily. They are not intended as a comprehensive guide or to address every exploit variation (e.g., some social engineering exploits are performed by SMS text message or in person rather than by e-mail). Vigilance in safeguarding your sensitive data applies to all avenues of contact.
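The link and https checks in the list above can be applied mechanically to an e-mail body, which also shows why "don't click links in e-mail" is good advice: the text a link displays and the address it actually opens are two separate things. The following script is an added example, not part of the original page; the sample message is constructed for illustration (using reserved .test names and the 203.0.113.0/24 documentation range), the trusted domain "example-bank.com" is an assumption, and the function names are my own. It extracts every link, then flags links that are not https, point at a raw IP address, display one address while opening another, or embed the trusted name inside a host that is not actually under it.

```python
"""Flag deceptive links in an HTML e-mail body (added example, stdlib only)."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample message, not a real phish. Uses reserved .test names and
# the 203.0.113.0/24 documentation range so nothing here resolves to a real host.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been limited.</p>
<p>Please verify at
<a href="http://www.example-bank.com.account-verify.test/login">https://www.example-bank.com/login</a>
within 24 hours.</p>
<p>Or use our <a href="http://203.0.113.5/update">update page</a>.</p>
<p>Questions? <a href="https://www.example-bank.com/contact">Contact us</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lower-cased hostname of a URL; bare text like 'www.x.com/y' is treated as https."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_link(text, href, trusted_domain):
    """Return the reasons a link is suspicious (empty list if none)."""
    reasons = []
    target = urlparse(href)
    host = (target.hostname or "").lower()
    if target.scheme != "https":
        reasons.append("link is not https")
    if is_ip(host):
        reasons.append("link target is a raw IP address")
    # Visible text that looks like an address but opens a different host.
    if "." in text and " " not in text:
        shown = host_of(text)
        if shown and shown != host:
            reasons.append(f"displayed address {shown} differs from target {host}")
    # Trusted name embedded in a host that is not the trusted domain or a subdomain of it.
    on_trusted = host == trusted_domain or host.endswith("." + trusted_domain)
    if trusted_domain in host and not on_trusted:
        reasons.append(f"host {host} imitates {trusted_domain} but is not under it")
    return reasons


def scan_email(html, trusted_domain):
    """Return [(text, href, reasons)] for every link that raised at least one reason."""
    findings = []
    for text, href in extract_links(html):
        reasons = check_link(text, href, trusted_domain)
        if reasons:
            findings.append((text, href, reasons))
    return findings


if __name__ == "__main__":
    for text, href, reasons in scan_email(SAMPLE_EMAIL, "example-bank.com"):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

On the sample message the first two links are flagged (the "verify" link three times over: http only, displayed address differs from the target, and a host that merely contains the bank's name) while the genuine "Contact us" link passes. The same logic is what a reader does by hand when hovering over a link before deciding to type the address into the URL bar instead.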