You will probably be aware of the term phishing: a method used by criminals and hackers to obtain sensitive information from individuals, usually with a view to using that information to gain access to bank accounts or computer networks, or to commit identity theft.

Phishing is a growing phenomenon. Online criminals use social engineering techniques to get users to reveal sensitive data. They also convince end users to install malware that can be used to log keystrokes or even allow hackers to take full control of a device.

Phishing is highly effective and allows criminals to make billions of dollars every year. However, the way campaigns are conducted limits the earning potential of criminals. Campaigns are often sent via spam email and that is a numbers game.

Spam emails get caught up in email filters, are marked as junk, or are quarantined. Emails must therefore be sent out in the millions in order for a criminal to get just a few responses. Oftentimes, online criminals do not actually have enough real email addresses and have to resort to guessing, hoping that catch-all accounts exist and some will be delivered.

Whaling – A new phishing technique that is proving to be highly effective

Rather than sending emails by the million, criminals have worked out that it is possible to get the same number of responses by sending just a handful of emails. In order to successfully obtain the bank account login credentials of one individual, it may be necessary to send out a million emails using standard phishing techniques. It is also possible to do it with one: The email just needs to be very convincing.

The term whaling has been coined to describe this new tactic. Rather than using a very big net to catch a few small fry, a spear gun can be used to hit one very big target. Whalers pursue one target and the payoff can be considerable. A whale is more valuable than a handful of sprats.

Whaling is not random and the technique requires skill and effort. A target must be identified and researched. A campaign must then be devised that will convince that individual, or a small group of individuals, to respond. Emails must be crafted that are realistic. Since the targets are usually senior executives in a company, they are likely to be extremely cautious about revealing information, opening files, or visiting websites.

Whaling therefore requires detailed information to be gained about the target. The more information that can be gained about the target’s likes and dislikes, their role within the company, contact information and family life, the easier it is to craft an email that they will respond to. This takes a lot of time and effort but the prize is worth it. Senior executives have access to highly valuable data.

Due to the effectiveness of whaling campaigns, many criminals are switching to this mode of attack. Many of those attacks are conducted not on email, but via social media channels.

Has improved security protections forced phishers to move from email to social media networks?

Opinion is divided within the IT security industry about the move from spam email to social media networks as the preferred vector for delivering phishing campaigns. Almost a third of respondents in a recent SpamTitan survey did not believe that improved anti-spam technologies have triggered the move to social media networks.

The survey also showed that 37% of respondents believe that phishing is a growing phenomenon, and that additional protections are required to keep networks secure.

Many believe that the switch to social media networks is simply due to the number of individuals that have signed up for accounts, and phishing is therefore a natural response to the rise in popularity of online communities that encourage the sharing of personal information.

If personal information is uploaded by individuals onto social media networks, it is possible to build an accurate picture of an individual very easily indeed. Ask Facebook. The company doesn’t need to charge users as the information it gathers is incredibly valuable to advertisers. They can create highly targeted advertising campaigns with the data. Unfortunately, phishers can use that information too.

Corporations as well as individuals must therefore take great care when using social media sites. It is all too easy to reveal sensitive information and become a victim of a phishing or whaling attack. Fortunately, SpamTitan Technologies can offer protection from phishers, whalers, and other online scammers. Email phishing campaigns can be blocked, while the company’s web filtering solutions can prevent phishing websites from being visited.