Imagine what the world would be like if email had never been invented. How long would it take for information to travel across the world? These days, communication is instant – whether it’s coming into your inbox, LinkedIn or Facebook messenger, or WhatsApp. And none of that would have been possible without the invention of electronic mail.
And yet, it causes so many problems for businesses. Email was designed for a small, trusting network long before it became the backbone of business communication, and the core protocol still does nothing on its own to prove who a message really came from. That makes email an easy platform for an attacker to abuse. And they do, in a number of different ways.
There are unwanted or unsolicited spam emails that fill up your mailboxes. There are phishing mails that look much like spam but have far more malicious intent. And now the terms spear phishing and whale phishing are becoming ever more popular. It’s understandable if you’re struggling to keep up with the attacks that are coming from so many different sides!
That’s why we thought we’d break down the differences between each of the threats to your business’ email security, and what you can do about them.
Spam is unsolicited email that typically contains advertisements or links to websites. Phishing is a type of scam in which someone attempts to deceive people into divulging sensitive personal or financial information.
Spear phishing, a more targeted form of phishing, is a social engineering attack in which a perpetrator masquerading as a trusted individual convinces a victim to click a link in a faked email, text message, or instant chat. As a result, the target may unwittingly expose sensitive information, install harmful programmes (malware) on their network, or complete the initial phase of an advanced persistent threat (APT), to mention a few potential outcomes.
Whaling is a highly targeted phishing attack that poses as legitimate email to senior executives. It is a form of technologically enabled social engineering fraud intended to convince the victim to take a secondary action, such as authorising a wire transfer.
Why Does Solid Systems Want To Help?
Keeping your business safe, helping you to manage risk, and ultimately seeing you making more money (rather than spending it on paying ransom to cyber attackers) is what we’re all about. Our managed IT services revolve around securing your business and helping you to not only manage the threats to your business but avoid them altogether wherever possible.
When you work with Solid Systems as your IT support company, we do more than just offer exceptional and human customer service. We put our world-class security solutions in place for your business, ensure that they are monitored and kept up to date, and even train your teams in the latest email security and phishing prevention techniques. Plus, we provide articles like these to business professionals at no charge – because we truly believe that the benefit you gain from being able to identify and avoid an attack is well worth our effort.
Now that you have a better understanding of what it is that we do, and how we can help your company to avoid these threats through our IT managed services, let’s look at what the differences between each of the email threats are.
What Is Spam And How Can I Avoid It?
Spam is a general term for emails that you don’t want and didn’t ask for. These emails are usually not malicious in nature – they just take up inordinate amounts of space in your mailbox, making it difficult for you to see the trees for the leaves so to speak.
Email providers spend a huge amount of time trying to filter spam out of your inbox and into separate junk folders, but this is a time-consuming and extremely difficult task. Huge amounts of spam fill mailboxes around the world every hour of every day. And what one person might think of as spam, another might see as useful or welcome information. In fact, a lot of invoices, statements, and other financial mails fit the general characteristics of spam, which is why these often end up in junk folders unintentionally, and which makes it even more difficult for providers to train their filters accurately.
So how can you avoid spam? If you're getting emails from a legitimate business that you aren't interested in, hit the unsubscribe button. Under the POPI Act and the GDPR, once you have unsubscribed a business may not keep sending you direct marketing. Of course, if it is a company that you actually do business with, they will still be able to send emails relating to your account or services, but they cannot market to you.
Still getting unsolicited emails from companies that you've unsubscribed from? Report them as spam to your email provider. That feeds the provider's filters, so future mail from that sender is far more likely to land in your junk folder than in your inbox.
Finally, email addresses that are published online get harvested, and that is one of the primary ways spam lists are built. Using a separate address specifically for signing up to social media platforms and other websites can see your primary address getting significantly less spam.
What Is Phishing And How Can I Avoid It?
Where spam is often made up of innocuous emails that flood your mailbox, phishing mails are malicious in nature. Because phishing mails have become as common as spam, the two terms often get confused, but understanding the difference between them will save your business a good deal of time and money.
A phishing mail is sent with the intention of tricking you into giving an attacker money, information or access. And it can be done in a number of ways. It could be getting you to click on an unsafe link, which downloads malware onto your machine. It could be conning you into transferring money to someone you think you know, or donating to a cause which isn’t real. It could be posing as a trusted site, asking you to confirm your ID number, username or password.
There are a few important features, however, that all phishing mails have in common:
- They want you to take an action. Clicking on a link or replying to a mail, for example.
- This action always has malicious intent behind it. Installing malware to gain access to your device, planting a virus, and ultimately gaining funds, whether it’s directly from you or via holding business information ransom.
- Like spam, phishing emails are sent out in bulk. It doesn't matter who gets them. The aim is to cast a wide net and hope to catch a few people in it. (Warning: this is not where the fishing analogies and puns are going to end. They get worse from here. I'm sorry.)
So how can you avoid falling victim to phishing mails? First things first – don't click any links. While spam emails can often be avoided by unsubscribing, even the unsubscribe button in a phishing mail is likely to be malicious. Clicking it does two things: it confirms to the attacker that your address is live and being read, and it can take you to a page that tries to install malware or harvest your login details.
If you think that the link might be legitimate, type the address into your browser yourself rather than clicking on it. The text you see in a mail is often not where the link actually goes; hovering over a link in most mail clients will show you the real destination. And if you're expecting to go to the FNB website (fnb.co.za), for example, be careful not to click on links that would try to take you to FN(dot)B (fn.b.co.za) instead. Phishing links are carefully crafted to look as correct as possible, with just the smallest adjustment being made, like a dot in the wrong place.
Don’t reply to the mail either – it can be tempting to tell the attacker off, or to try and give them a taste of their own medicine. But all this really does is give them more information about you, which can be used to initiate a further and more targeted attack, either on you or on someone you know. But more about that later.
The best way to deal with a phishing mail is to report it: forward it as an attachment (so that the original headers survive) to your email provider or your IT team, which helps them block the sender for you and their other users, and then delete the mail itself.
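The two checks described above, that a link really goes where its text says it does and that the domain is the one you expect rather than a near-miss like fn.b.co.za, can be done mechanically over an HTML mail body. The following is an added example, not code from the original article or from Solid Systems; the sample message and the list of expected domains are constructed for it, and the similarity threshold for calling something a lookalike is an assumption.

```python
"""Added example (not from the original article): inspect the links in an
HTML email body for the tricks described above, namely visible text that
points somewhere other than the real target, and lookalike domains such as
fn.b.co.za standing in for fnb.co.za. The sample message and the list of
expected domains below are constructed for this example."""
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that itself looks like a URL or bare domain (so it can be compared
# with the real href). Requires a dot followed by a TLD-like label.
_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)
_NON_WEB = re.compile(r"^(mailto|javascript|data|tel):", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def parse_web_url(url):
    """urlparse() restricted to http(s). A bare domain from link text gets a
    scheme so its host is recognised; mailto:, javascript: etc. return None."""
    if "://" not in url:
        if _NON_WEB.match(url):
            return None
        url = "http://" + url
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed


def belongs_to(host, domain):
    """True if host is domain or a subdomain of it. Suffix matching, not a
    substring test, is what rejects fnb.co.za.evil.example."""
    return host == domain or host.endswith("." + domain)


def _squash(host):
    # Remove separators so fn.b.co.za and fnb.co.za compare as equal strings.
    return host.replace(".", "").replace("-", "")


def assess_link(href, text, expected_domains):
    """Return a list of findings for one link; an empty list means the link
    goes where it says it does, over HTTPS, to a domain we expect."""
    if href.lower().startswith("mailto:"):
        return []
    target = parse_web_url(href)
    if target is None:
        return ["non-web-target"]
    host = target.hostname.lower()
    findings = []
    if _URLISH.match(text):
        shown = parse_web_url(text)
        if shown and shown.hostname.lower() != host:
            findings.append(f"display-target-mismatch:{shown.hostname.lower()}->{host}")
    if target.scheme != "https":
        findings.append("insecure-scheme")
    if not any(belongs_to(host, d) for d in expected_domains):
        findings.append("outside-expected-domains")
        for d in expected_domains:  # 0.85 is an assumed threshold
            if difflib.SequenceMatcher(None, _squash(host), _squash(d)).ratio() >= 0.85:
                findings.append(f"lookalike-of:{d}")
    return findings


def assess_email(html, expected_domains):
    return [(href, text, assess_link(href, text, expected_domains))
            for href, text in extract_links(html)]


# Constructed sample: a genuine link, a crafted one of the kind described
# above, and a harmless mailto: link.
SAMPLE_HTML = """
<p>Your statement is ready: <a href="https://www.fnb.co.za/statements">View statement</a></p>
<p>Verify your profile: <a href="http://fn.b.co.za/login">https://www.fnb.co.za/login</a></p>
<p>Questions? <a href="mailto:help@fnb.co.za">help@fnb.co.za</a></p>
"""
EXPECTED_DOMAINS = ["fnb.co.za"]  # assumed: the brands this mailbox expects mail from

if __name__ == "__main__":
    for href, text, findings in assess_email(SAMPLE_HTML, EXPECTED_DOMAINS):
        print(f"{href:40} {'OK' if not findings else ', '.join(findings)}")
```

The second link in the sample collects every finding at once: the visible text names www.fnb.co.za while the target is fn.b.co.za, the target is plain HTTP, it is outside the expected domains, and once the dots are stripped it is identical to fnb.co.za. The suffix test in `belongs_to` matters more than it looks: a simple "contains fnb.co.za" check would wave through fnb.co.za.evil.example.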
What Is Spear Phishing And How Can I Avoid It?
Phishing is not a particularly sophisticated attack. It requires little more than a list of people’s email addresses and maybe a website. The better built the website is, the more likely a victim is going to spend more time on it. If the attacker is posing as a trusted banking institution or a popular social media site, then having the fake site look identical to the real one makes it highly likely that someone not paying enough attention will try to log into it, giving their username and password to the attacker.
But when it boils down to it, phishing is a numbers game. The more people you email, the higher the chance that someone is going to fall for your scam.
Spear phishing isn't like that. If you think of phishing as casting a wide net (and the people who came up with these names really want you to), then spear phishing is about taking careful aim at a specific target. Spear phishers plan ahead; they have a particular company or even a particular person in mind. They do their research. They look you up online – on social media, on your company's website. They gather as much information as they can through open-source research and social engineering, and then they attack.
No one is immune to a social engineering attack. Learn from our experience and avoid Social Engineering Attacks.
The mail is carefully crafted to encourage you, specifically you, to take an action. They’ve put a lot of time and effort into making it sound legit. They’ll pretend to be someone you know – your friend, colleague, or boss. They often won’t ask for something absurd – just a reminder of your phone number or send a suggestion to check out a website that you might find useful. They want to gain your trust. They’re playing the long game.
Spear phishing takes more time, but the reward is often far more worthwhile for attackers. They are able to gain access to specific login details, providing them with more information than they would get if their target was general. The longer that they can trick you into communicating with them, the more likely you are to trust them, and the more information and access they’ll gain.
What makes spear phishing so dangerous, and particularly easy to fall for, is that the emails or messages that you get sound perfectly normal. If you’re not paying attention, you wouldn’t think twice about replying to them or clicking on the links in them. So how can you avoid falling victim to one?
- Get into the habit of checking where mails come from. It might say that it’s from your boss or colleague, but does the email address match, or is it a random Gmail address?
- If you’re unsure, follow up. If the email claims to come from your boss, give them a call. They’ll either confirm that it was them, in which case you can give them the information they need right there and then, or the conversation will go something like this:
- Make sure that you have endpoint protection installed and that it's always up to date, and use email security tooling on top of it. Microsoft Defender for Office 365, for example, rewrites the links in incoming mail and checks where they lead at the moment you click (its Safe Links feature), so a link that has become malicious since the mail arrived is still caught. This can not only stop you from clicking on a link without thinking, but even if you do go to the website, believing that it's legit, it will put a flag up and help you to recognise the small details that differentiate a real site from a phishing scam.
- Use Multi-Factor Authentication for all of your logins. With MFA enabled, an attacker who has only your username and password still can't get into your company's information. One caveat: a convincing fake login page can relay your one-time code to the real site in the same way it relays your password, so where the option exists, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the genuine site's address.
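The first habit in the list above, checking where a mail really comes from rather than what the display name says, can be applied mechanically to a raw message before anyone acts on it. The following is an added example, not code from the original article or from Solid Systems. It assumes a company domain of example.co.za, a small staff directory, and that the receiving mail server stamps an Authentication-Results header (mx.example.co.za here is assumed); the three sample messages are constructed.

```python
"""Added example (not from the original article): the "check where the mail
really comes from" habit above, applied mechanically to a raw message. It
flags a colleague's display name on an address that is not theirs, a
Reply-To that points somewhere else, and authentication failures recorded
by the receiving mail server. The company domain, the staff directory and
the three sample messages are constructed for this example."""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.co.za"                       # assumed
KNOWN_PEOPLE = {                                       # assumed internal directory
    "Thandi Mokoena": "thandi.mokoena@example.co.za",  # the boss in this scenario
}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw_message, company_domain=COMPANY_DOMAIN, directory=KNOWN_PEOPLE):
    """Return a list of findings about who a message claims to be from."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()

    # 1. A known colleague's name on a different address (the "random Gmail
    #    address" case) is the classic spear-phishing tell.
    expected = directory.get(from_name.strip())
    if expected and expected.lower() != from_addr:
        findings.append(f"display-name-impersonation:{from_name}<{from_addr}>")

    # 2. Replies silently routed to a domain other than the visible sender's.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"reply-to-mismatch:{reply_to.lower()}")

    # 3. What the receiving server recorded about SPF, DKIM and DMARC.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech}-fail")
    # A mail claiming to be from our own domain should carry a DMARC pass.
    if _domain(from_addr) == company_domain and "dmarc=pass" not in auth:
        findings.append("internal-sender-without-dmarc-pass")
    return findings


# Constructed samples. Authentication-Results is written by the receiving
# server (here the assumed mx.example.co.za), not by the sender.
SAMPLE_IMPERSONATION = """\
From: Thandi Mokoena <thandi.mokoena.ceo@gmail.com>
To: Benita <benita@example.co.za>
Subject: Quick favour
Authentication-Results: mx.example.co.za; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com

Hi Benita, are you at your desk? I need a payment processed before 3pm.
"""

SAMPLE_SPOOFED = """\
From: Thandi Mokoena <thandi.mokoena@example.co.za>
Reply-To: thandi.mokoena@secure-mail.example.net
To: Benita <benita@example.co.za>
Subject: Updated banking details
Authentication-Results: mx.example.co.za; spf=fail smtp.mailfrom=example.co.za; dkim=none; dmarc=fail header.from=example.co.za

Please update the vendor's account number before the payment run.
"""

SAMPLE_GENUINE = """\
From: Thandi Mokoena <thandi.mokoena@example.co.za>
To: Benita <benita@example.co.za>
Subject: Board pack
Authentication-Results: mx.example.co.za; spf=pass smtp.mailfrom=example.co.za; dkim=pass header.d=example.co.za; dmarc=pass header.from=example.co.za

Thanks for the board pack, all looks good.
"""

if __name__ == "__main__":
    for label, raw in [("impersonation", SAMPLE_IMPERSONATION),
                       ("spoofed", SAMPLE_SPOOFED), ("genuine", SAMPLE_GENUINE)]:
        print(f"{label:14} {check_sender(raw) or 'no findings'}")
```

Note that the first sample passes SPF, DKIM and DMARC perfectly well: Gmail really did send it. Authentication only proves the mail came from the domain it claims, not that the person named in the display name owns that account, which is why the directory lookup is a separate check.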
What Is Whaling And How Can I Avoid It?
So phishing is casting a wide net, spear phishing is aiming for a specific type of target, but where does whale phishing come in? Well, it's a bit like the attacker is taking on Moby Dick – the white whale whose capture is the goal and dream of most attackers. These are your CEOs, CFOs, and other important acronyms. Your executives and your directors. Essentially, whale phishing is about an attacker convincing high-up targets, those with broad access to company information and the authority to approve payments, that they can be trusted.
The method is similar to a spear phishing attack, but significantly more time, effort, and research is usually needed. The messaging has to be perfect. In fact, often the messaging won't be the attacker's own. A common method of whale phishing (often called business email compromise, or BEC) is for attackers to gain access to an existing mailbox – either belonging to someone else in the company (often the result of a spear phishing attack) or to a trusted vendor or supplier. The attacker can then read the emails that are sent to and from that address, wait for the right thread, and change small details within them.
The banking details on a legitimate invoice, for example. You’re expecting the invoice to come through. It comes from the right address. The amount is accurate. The only difference is that the banking details have changed. It can be easy to shrug off – perhaps the vendor themselves fell victim to an attack and needed to switch their bank. It’s hardly a big deal – just something you’ll ask Benita from accounting to adjust in the system. It’s only when you start getting emails asking why payment is late that you start to click. And by then, it’s too late. The money’s already changed hands, and usually a lot of it at that.
How can you recognise and avoid whaling or whale phishing attacks? Well, the same avoidance methods as spear phishing would apply. But the fact is that upper management is often more pressed for time, and bears a huge amount of responsibility on their shoulders. And I should know! This makes it easier for them to miss small details in emails, and more likely to be taken off guard by an attack.
Can You Avoid Malicious Mails Altogether?
The short answer is no. The methods that attackers use are constantly shifting and changing, even as we find new ways to detect and avoid falling victim to them.
When it comes to malicious emails, the best plan of action is to have a plan of action in place. Preferably long before an attack occurs. Having disaster recovery services can ensure that even if you do fall victim to an attack, your data, resources, and assets will be protected.
Phishing attackers will often try to hold data ransom, encrypting it or threatening to delete or leak it if their terms aren't met. Many businesses give in to this tactic because their operations would grind to a standstill if their data were unavailable. But if you have a disaster recovery plan in place which includes backups of your data stored on separate systems that the attacker cannot reach from your network, and which you have actually tested restoring from, then there is no need to give in to extortion over availability. They can delete or corrupt the files, and you'll have a plan in place for bringing them back online in a more secure way. (Backups don't undo a threat to publish stolen data, which is why prevention and detection still matter alongside recovery.)
And, once again, this is where working with an IT support and Managed IT Services provider like Solid Systems can be invaluable. We can work with you to construct and implement a disaster recovery plan that protects your business from almost every angle, mitigating the risks that your company faces, and helping you to step into the future with confidence.