From Phishing to Whaling: A Deep Dive into Social Engineering Attacks

Erik S. Øyan
7 min read · Apr 10, 2023


In this article, we will explore the dark art of social engineering and its various forms, such as phishing, spear-phishing, and whaling. Using real-world examples, this article will demonstrate how cyber criminals manipulate human psychology to gain unauthorized access to sensitive information.

Picture by Dider Petit from Pixabay

Social engineering is nothing new. Many of us are familiar with the Trojan horse the Greeks used to deceive the Trojans and gain access to the city of Troy, or with the story of Frank Abagnale (played by Leonardo DiCaprio in the movie “Catch Me If You Can”), who impersonated various professionals to commit fraud against banks and individuals.

In cyberspace, social engineering is a manipulation technique employed by cyber criminals to exploit human weaknesses and gain unauthorized access to sensitive information. Just like the Greeks and Frank Abagnale, cyber criminals leverage psychological principles to deceive individuals into revealing confidential data or performing actions that compromise security. The lures usually play on strong feelings such as greed, urgency, fear and curiosity, which push the victim into performing an action like opening an attachment, clicking a link in an email or approving a payment.

Phishing: A Gateway to Cyber Crime

Phishing seeks to trick individuals into revealing sensitive information or personal data (photo from StockVault.net)

Phishing is one of the most common attack methods cyber criminals use to gain unauthorized access to systems and information. When conducting a phishing attack, cyber criminals pose as legitimate entities, usually through email or text message. The objective is almost always the same: to trick individuals into revealing sensitive information, such as login credentials, credit card details or personal data, by having them click a malicious link or open a malicious attachment. The message is crafted to look as if it comes from a trustworthy source, such as a bank, a government body or a well-known organization. Depending on their competence, the attackers can make the sender look legitimate in several ways: by putting a trusted name in the display name while the real address points elsewhere, by registering a look-alike domain, or by spoofing the From address outright, which still works against domains that do not publish and enforce SPF, DKIM and DMARC.
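The sender tricks described above can be checked mechanically. The following Python script is an added example (it is not code from the original article): it parses a raw email with the standard library and reports the classic indicators, namely a display name that carries a different address than the real sender, a Reply-To or Return-Path pointing at another domain, failed SPF/DKIM/DMARC verdicts in the Authentication-Results header written by the receiving mail server, urgency wording, and links outside the sender’s domain. Both sample messages and every domain name in them are constructed for the example.

```python
"""Header-based phishing triage for a raw RFC 5322 message (constructed example)."""
import re
from email import message_from_string

# Constructed phishing sample: the display name imitates a bank address, while the
# real sender, Reply-To and Return-Path point elsewhere and the receiving server
# recorded SPF/DKIM/DMARC failures.
PHISHING_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=examplebank-verify.net
From: "ExampleBank Security <security@examplebank.com>" <alerts@examplebank-verify.net>
Reply-To: replies.examplebank@example-webmail.org
To: victim@example.com
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/plain; charset="utf-8"

Dear customer, we detected unusual activity on your account.
Verify your identity immediately: http://secure-update.example.org/examplebank/login
"""
# Constructed benign sample from the bank's real domain with passing authentication.
BENIGN_EMAIL = """\
Return-Path: <alerts@examplebank.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com
From: ExampleBank Alerts <alerts@examplebank.com>
To: customer@example.com
Subject: Your monthly statement is available
Content-Type: text/plain; charset="utf-8"

Your statement for March is ready at https://online.examplebank.com/statements
"""
# Pressure words phishing lures rely on (urgency, fear); tune per organisation.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify")

def split_address(header: str) -> tuple[str, str]:
    """Split a From/Reply-To/Return-Path value into (display name, addr-spec)."""
    header = header.strip()
    m = re.match(r'^(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>$', header, re.S)
    if m:
        return m.group("name").strip().strip('"'), m.group("addr").lower()
    return "", header.lower()

def domain_of(addr: str) -> str:
    """Domain part of an addr-spec, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def parse_auth_results(header: str) -> dict[str, str]:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header)
        verdicts[method] = m.group(1).lower() if m else "none"
    return verdicts

def message_text(msg) -> str:
    """Concatenate the decoded text/plain parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def analyze_email(raw: str) -> list[str]:
    """Return human-readable phishing indicators found in a raw message."""
    msg = message_from_string(raw)
    findings = []
    display_name, from_addr = split_address(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # 1. Display-name spoofing: the name carries an address from another domain.
    embedded = re.search(r"[\w.-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != from_domain:
        findings.append(f"display name claims {embedded.group(1).lower()} but sender domain is {from_domain}")
    # 2. Replies are routed to a domain other than the sender's.
    reply_domain = domain_of(split_address(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")
    # 3. Envelope sender (Return-Path) not aligned with the From domain.
    rp_domain = domain_of(split_address(msg.get("Return-Path", ""))[1])
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} not aligned with sender domain {from_domain}")
    # 4. Sender authentication verdicts recorded by the receiving MTA.
    for method, verdict in parse_auth_results(msg.get("Authentication-Results", "")).items():
        if verdict != "pass":
            findings.append(f"{method} verdict is '{verdict}'")
    # 5. Pressure language in subject and body.
    text = (msg.get("Subject", "") + " " + message_text(msg)).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    # 6. Links pointing outside the sender's domain.
    for host in re.findall(r"https?://([\w.-]+)", text):
        if host != from_domain and not host.endswith("." + from_domain):
            findings.append(f"link host {host} is outside sender domain {from_domain}")
    return findings
```

Calling analyze_email(PHISHING_EMAIL) yields eight findings; the benign sample yields none. The Authentication-Results header is trusted here as written; in production, only accept the one added by your own mail server and strip any that arrive from outside, otherwise the attacker simply writes a passing one.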

There are numerous examples of successful phishing attacks. In the RSA breach of 2011, a malicious Excel attachment (carrying an embedded Flash exploit) led to the leakage of sensitive information related to RSA’s SecurID two-factor authentication product. The Target breach of 2013, which started with credentials phished from one of Target’s HVAC contractors, exposed around 40 million payment cards and the personal details of up to 70 million customers (about 110 million affected in total). In the Bangladesh Bank heist of 2016, cyber criminals obtained and abused the central bank’s SWIFT access credentials to initiate fraudulent transfers; of almost one billion USD attempted, 81 million USD went through.

Spear-Phishing: Targeting the Big Fish

Spear phishing is highly targeted (Photo by Alireza Akhlaghi on Unsplash)

While phishing takes a broad approach, targeting many people at the same time with generic text, spear phishing is a highly targeted attack that uses the same techniques. The primary difference is that spear phishing focuses on a particular target, using personalized information (name, role, colleagues, current projects) to gain the victim’s trust. As a result, spear phishing attacks tend to be more sophisticated and have a higher success rate than standard phishing campaigns.

There are many examples of spear-phishing as well — some of these are darker than the regular phishing examples used above:

The Ukrainian power grid attack

Russian aggression towards Ukraine is nothing new. In December 2015, the Ukrainian power grid was attacked following a spear phishing campaign against employees of several Ukrainian power distribution companies, leading to widespread power outages. The emails carried Microsoft Word attachments with malicious macros that, once the user enabled them, installed the BlackEnergy malware and gave the attackers (the Sandworm group, attributed to Russian military intelligence) a foothold in the companies’ networks. From there they were able to open breakers in the distribution grid, cutting power to around 230,000 customers for up to six hours. What made the attack even more malicious was the timing: the evening of 23 December.
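Attachments carrying macros, the entry point in the attack above, are easy to spot before a user can be talked into enabling them. This Python script is added here and is not code from the original article: it checks the extension and the zip structure of modern Office files for an embedded vbaProject.bin, flags legacy OLE2 documents and disguised executables, and runs over constructed sample attachments built in memory. The _VBA_PROJECT stream check for legacy files is a crude heuristic, not a full OLE2 directory parse.

```python
"""Triage mail attachments for macro-enabled Office files and disguised executables
(constructed example)."""
import io
import zipfile

# Extensions Office treats as macro-enabled, and common script/executable types.
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".cmd", ".ps1", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
PE_MAGIC = b"MZ"                                  # Windows executable header
# Stream name present in every VBA project, as stored (UTF-16LE) in an OLE2 directory.
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def ooxml_has_vba(data: bytes) -> bool:
    """True if a zip-based Office document (docx/xlsx/pptx family) embeds a VBA project."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment deserves quarantine or a closer look."""
    findings = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable/script extension {ext}")
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension disguises {ext} as .{parts[-2]}")
    if data.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        findings.append(f"PE executable content behind {ext or 'no'} extension")
    if ext in MACRO_EXTS:
        findings.append(f"macro-enabled Office extension {ext}")
    if ooxml_has_vba(data):
        findings.append("embedded VBA project (vbaProject.bin)")
    if data.startswith(OLE2_MAGIC):
        findings.append("legacy OLE2 Office document (extension does not reveal whether macros are present)")
        if VBA_STREAM_MARKER in data:   # crude heuristic, not a full OLE2 directory parse
            findings.append("OLE2 directory names a _VBA_PROJECT stream")
    return findings


def build_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal zip that mimics the layout of a Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments, as a mail gateway might hand them to a filter.
SAMPLES = {
    "Invoice_Q4.docm": build_ooxml(with_vba=True),
    "report.docx": build_ooxml(with_vba=False),
    "invoice.pdf.exe": PE_MAGIC + b"\x90" * 62,
    "statement.pdf": PE_MAGIC + b"\x90" * 62,
    "old_contract.doc": OLE2_MAGIC + b"\x00" * 64 + VBA_STREAM_MARKER,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", triage_attachment(name, blob) or ["clean"])
```

The zip check also catches a macro document renamed to .docx, since the extension is irrelevant to what the archive contains. Modern Office already blocks macros in files that carry the mark of the web, but a gateway check like this runs before the user has any "enable content" button to click.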

The Democratic National Committee Hack

During the 2016 election campaign, the Democratic National Committee (DNC) was targeted by a spear phishing campaign that resulted in thousands of sensitive emails being leaked. The attackers posed as Google, sending emails that urged recipients to change their passwords and directing them to a fake login page designed to harvest their credentials; the best-known victim of this lure was the Clinton campaign chairman, John Podesta, whose Gmail archive was stolen the same way. It has been argued that the leaked emails, and the public and political distrust they caused, contributed to Hillary Clinton losing the election to Donald Trump.

Whaling: Hunting the C-Suite

Whaling attack: posing as a CEO or CFO to authorize fraudulent transactions (photo from StockVault.net)

The bigger the catch, the bigger the prize: whaling is all about targeting and manipulating the C-level executives (CEO, CFO, CIO) of a company, either to make them reveal business-sensitive information or to make them authorize fraudulent transactions. While spear phishing is more sophisticated than phishing, whaling is usually even more personalized, using detailed information from the target’s private or professional life to bypass suspicion and security measures.

Strictly speaking, whaling targets the executives themselves, while impersonating a CEO or CFO to pressure an employee in finance into making a payment is CEO fraud, a form of business email compromise (BEC). In practice the two terms are used interchangeably, and in both cases the goal is usually to get a fraudulent transaction authorized and executed. The two cases below are of the second kind: the executives were impersonated, and their staff were the ones deceived.
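Both the Google lure used against the DNC and the executive impersonation in the CEO fraud cases below rely on a domain that looks right at a glance. The following Python code is an added example, not code from the article: it explains why a candidate domain imitates one of a list of protected brands (google.com, and examplecorp.com as a constructed stand-in for the impersonated company) using punycode decoding, a homoglyph skeleton, an edit-distance check and brand-in-subdomain checks. It guesses the registrable domain from the last two labels, an assumption a real deployment would replace with the public suffix list.

```python
"""Flag domains that imitate a protected brand (constructed example)."""
import unicodedata
from typing import Optional

# Brands to protect: google.com (the DNC lure), examplecorp.com (constructed).
PROTECTED = ("google.com", "examplecorp.com")
# Cyrillic/Latin look-alikes that NFKC does not fold (small, illustrative subset).
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                             "х": "x", "у": "y", "і": "i", "ı": "i"})
# Multi-character tricks that read the same in a proportional font.
SKELETON_RULES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def decode_idna(domain: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so homoglyphs become visible."""
    labels = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    return ".".join(labels)


def skeleton(domain: str) -> str:
    """Reduce a domain to a visual skeleton so look-alikes collide with the original."""
    s = unicodedata.normalize("NFKC", domain.lower()).translate(CONFUSABLES)
    for src, dst in SKELETON_RULES:
        s = s.replace(src, dst)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = {(i, 0): i for i in range(len(a) + 1)}
    d.update({(0, j): j for j in range(len(b) + 1)})
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i, j] = min(d[i - 1, j] + 1, d[i, j - 1] + 1, d[i - 1, j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i, j] = min(d[i, j], d[i - 2, j - 2] + 1)
    return d[len(a), len(b)]


def registrable(domain: str) -> str:
    """Crude registrable-domain guess: the last two labels (assumption: no public
    suffix list, so multi-part suffixes such as co.uk are not handled)."""
    return ".".join(domain.split(".")[-2:])


def lookalike_reason(candidate: str, protected=PROTECTED) -> Optional[str]:
    """Explain why a domain imitates a protected brand, or None if genuine/unrelated."""
    cand = decode_idna(candidate.lower().rstrip("."))
    reg = registrable(cand)
    if reg in protected:
        return None                      # the real domain or one of its subdomains
    reg_sld = reg.split(".")[0]
    for brand in protected:
        brand_sld = brand.split(".")[0]
        if skeleton(reg) == skeleton(brand):
            return f"{candidate}: homoglyph/skeleton match for {brand}"
        if osa_distance(skeleton(reg), skeleton(brand)) <= 1:
            return f"{candidate}: one edit away from {brand}"
        if reg_sld == brand_sld:
            return f"{candidate}: {brand_sld} under a different TLD than {brand}"
        if brand_sld in cand.split(".")[:-2] or (brand_sld in reg_sld and reg_sld != brand_sld):
            return f"{candidate}: {brand_sld} embedded in unrelated domain {reg}"
    return None
```

Run over the sender domains and link hosts of inbound mail, this flags gооgle.com (Cyrillic о), gogole.com, examplecorp.net, google.com.secure-login.net and examplecorp-payments.com, while accounts.google.com and unrelated domains pass. The same list is useful the other way round: register the cheap look-alikes of your own domain before an attacker does.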

Not only can a whaling attack lead to financial loss in terms of money being stolen, it can also severely damage a company’s reputation, as it not only exposes vulnerabilities in their cybersecurity measures, but also raises questions about the competence of high-level executives and their ability to safeguard sensitive information and resources.

Ubiquiti Networks

In 2015, the San Jose-based networking technology company Ubiquiti Networks fell victim to this kind of fraud: cyber criminals impersonated company executives in emails to the finance department of an overseas subsidiary and requested wire transfers totalling 46.7 million USD, which were sent to accounts the attackers controlled. Ubiquiti recovered a portion of the money (8.1 million USD initially, with more expected), but still suffered a significant loss.

Crelan Bank

In January 2016, the Belgian bank Crelan disclosed that it had fallen prey to the same kind of fraud, losing about 70 million EUR (75.8 million USD). The cyber criminals posed as high-ranking bank officials and manipulated an employee into making a fraudulent wire transfer. Following the incident, the bank strengthened its internal controls and worked with the authorities to investigate the attack.

Staying afloat: how to defend against social engineering

Defending against social engineering must consider people, processes, and technology (photo from StockVault.net)

There are several steps that can, and should, be taken to prevent social engineering attacks. As with most cyber attacks, it is important to consider people, processes and technology together:

People: educating the employees

Training staff to recognize fraud and scam attempts is one of the most effective counters to social engineering. It is recommended to regularly (at least every six months) update staff on the latest threats and to encourage a culture of security awareness, ideally backed by simulated phishing exercises so that the effect of the training is measured rather than assumed. The training should also cover what personnel should do if they suspect a social engineering attack: report it through a known channel (a report-phishing button or a dedicated mailbox) without fear of blame, and never confirm a payment or password request through the same channel it arrived in.

Processes: ensure adequate response

Defenders need to succeed every time; cyber criminals only have to succeed once. It is therefore important to develop incident response capabilities and internal knowledge of how to handle a successful social engineering attack, and to rehearse them. For CEO fraud in particular, the most effective process control is a payment procedure that no single email can override: dual approval for transfers above a threshold, and out-of-band verification (a call to a number already on file, never one taken from the email) of any new or changed beneficiary details. These processes should then be anchored in the overarching information security management system.

Technology: implementing technological safeguards

Finally, it is important to implement proper security tools and technologies, such as email filtering, intrusion detection systems (IDS), data loss prevention (DLP) and multi-factor authentication (MFA). Two points deserve emphasis. First, publishing and enforcing SPF, DKIM and DMARC for your own domains makes it much harder to send mail as you, and checking them on inbound mail catches the spoofed senders that still get through elsewhere. Second, MFA based on one-time codes can be phished through a fake login page like the one used against the DNC; phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) is bound to the real site and cannot be relayed that way. Blocking or sandboxing macro-enabled attachments closes the door used in the Ukrainian grid attack. The implementation should be tailored to the size, complexity, maturity and compliance needs of the organization.

Final thoughts

In summary, social engineering attacks come in various forms, each posing unique risks to individuals and organizations. Here is a recap of the types of social engineering attack described in this article and their potential impact:

  1. Phishing: a broad approach using deceptive emails or text messages to trick recipients into revealing sensitive information, downloading malware, or visiting malicious websites. Phishing attacks can lead to financial loss, identity theft, and unauthorized access to systems.
  2. Spear phishing: a more targeted form of phishing, where the cyber criminals focus on specific individuals or organizations, using personalized information to gain the victim’s trust. These attacks can cause significant damage due to their higher success rate and potential access to valuable data or resources.
  3. Whaling: a highly targeted attack which focuses on high-profile individuals, such as executives or senior management (CEO, CFO, CIO), with the aim of manipulating them into revealing sensitive information or authorizing fraudulent transactions. Whaling attacks can result in considerable financial loss and damage to a company’s reputation.

Social engineering attacks pose serious threats to individuals and organizations alike. It is therefore important to understand the various types and their potential impact. By doing that, organizations can implement appropriate defense strategies that address people, processes, and technology to mitigate the risks associated with social engineering.

Disclaimer: This article contains affiliate marketing links, which means I may earn a commission — at no extra cost to you — if you make a purchase through these links. This helps support my work and enables me to continue providing valuable content. All opinions and recommendations expressed in this article are based on my personal experience and research. Thank you for your support!



Erik S. Øyan

I am a cybersecurity professional with over a decade of experience working as a consultant within Cybersecurity Governance, Risk and Compliance.