“Phishing,” “spear phishing,” and “whaling” are not misspellings of aquatic sports. These words describe costly, illegal activities that use human engineering to steal, ransom and blackmail for profit, and Perficient’s information technology experts urge everyone to be aware of the distinctions and the dangers.
- Phishing is a fraudulent attempt, primarily made through email, to steal personal information. This information is then used in various ways for extortion and outright theft.
- Spear phishing is the latest twist on phishing but more targeted and specific. The spear phisher thrives on familiarity.
- Whaling occurs when the spear phishing is directed at senior executives and other high-profile targets within businesses. For example, an aerospace parts manufacturer recently lost $55 million when its financial department was tricked into wiring money to false bank accounts in foreign countries through email exchanges.
Don’t take the bait
Phishing email messages, websites, and phone calls are designed to convince recipients to install malicious software or hand over personal information under false pretenses. Phishers also might call and ask listeners to download something off of a website.
Spear phishing emails can be harder to recognize. Spear phishers know the recipient’s name, email address, and at least some information about that person. The salutation on the email will be personalized instead of “Dear Sir” or “Dear Madam,” and the email will reference a mutual friend or a recent online purchase. The message will appear to come from a legitimate, well-known company, and urge immediate action.
Use common sense
If a friend appears to be requesting a password or other private information, call or send a separate email to verify the request’s authenticity. The same goes for banks and businesses. Legitimate businesses will not send emails asking for passwords or account numbers. If the email looks like it might be real, call the bank or business and ask, or visit the institution’s official website. Most banks and some large businesses have an email address for customers to use to forward suspicious emails for verification.
Report any scams
Suspicious emails or phone calls at work should be reported to company authorities or the employer’s information technology department. They will warn colleagues and protect the company from potential fraud and theft.
Clues to potential email phishing scams include:
Suspicious email links – Avoid clicking on links in suspicious emails. Instead, rest the mouse pointer over the link to see if the address is legitimate or matches the link that was typed in the message.
Fake graphics or images – Scam artists use graphics that appear to be from legitimate websites, but clicking on the graphic may open a phony scam site or trigger legitimate-looking pop-up windows. Cyber criminals also use slightly altered versions of well-known or legitimate web addresses.
Fake alerts or threats – Beware of anything that creates a sense of urgency or panic, such as software security updates, virus warnings, and threats that a personal account will be closed or that a package will not be delivered. Resist clicking on these links and verify the allegations through other channels after reporting and deleting the email.
Incorrect spelling and bad grammar – Cyber criminals are lax with spelling and grammar. Professional companies or organizations usually distribute clean, correct emails.
Also, beware of phishing phone calls. Cyber criminals might call with excuses, emergencies, and demands for personal information. They will first try to gain the listener’s trust. Treat all unsolicited phone calls with skepticism. Do not provide any personal information. When in doubt, hang up and report them.
