Keeping Information Security Simple – Phishing, Spear Phishing & Whaling

Letter from the CISO, Vol 1 Issue 12

Washington University Community:

Do you know the differences between phishing, spear-phishing, and whaling?

Let’s start with the difference between phishing and spear-phishing. In short, phishing messages are those all-too-familiar messages that try to get you to give away information or install malware. They arrive via email, messaging apps, and even phone calls, and they try to create just enough of a reason for some people to click on the link, open the attachment, or respond. Unfortunately, we are all working hard and fast, and it is all too easy to miss the warning signs of a malicious message. One of the tricks the bad guys use is to be just vague enough that you think you might need to open the attachment or click the link to see what’s going on.

Spear-phishing takes a different, more customized, and focused approach. In a recent attack, the malicious actors tried to collect WUSTLKey login information using a webpage that looked almost exactly like our actual login screens! This type of attack typically involves researching the target (that’s us), making the theme of the message related to education or healthcare, and adding logos and branding to make everything seem normal.

This kind of spear-phishing can range from somewhat basic to highly sophisticated. For example, attackers will use WashU’s websites and social media, such as Facebook and LinkedIn, to develop detailed information about WashU faculty, staff, students, and alumni. Then these attackers will use this information to craft messages that appear to be coming from university leaders, trying to convince us to click on links, open attachments, or maybe just send them some Amazon gift card codes.

Some people are now talking about laser phishing, which is even more carefully focused!

As I said in last August’s column, it helps to “Be Skeptical and a Little Paranoid” now, even more than last summer.

Whaling is phishing for big, high-value targets. The effort and skill that go into creating realistic and believable attacks against famous and influential people can be very impressive. The use of language can be perfect. The sense of urgency is just intense enough to make us want to act quickly. The request is so seemingly reasonable that only an extra dose of care, skepticism, and paranoia can protect the recipient.

Our website has excellent resources about what to look for at the page linked below:

Social Engineering Red Flags

When in doubt, please simply select the message and click on the “Phish Alert” button with the orange fishhook in Outlook. It looks like this in the Outlook toolbar on my Mac:

Our Information Security team will quickly analyze the message and get back to you as to whether or not it was malicious.

Thank you for reading and being part of the University’s Information Security team!

Good luck, and please be careful out there!

-Chris Shull, CISO