Phishing is a cybercrime tactic aimed at obtaining confidential information such as usernames, passwords and credit card information by means of mass electronic communications that appear to be from a trustworthy source, such as a financial institution.

Spear phishing, a more targeted form of this, is aimed at specific individuals or companies using personal information to increase the probability of a successful attack.

These tactics are far from a new phenomenon, having been successfully used by cyber criminals for more than a decade for financial gain. However, recently there has been a trend among cyber crime syndicates to specifically target single large organisations or high net worth individuals.

Dubbed 'whaling', this form of spear phishing goes after the 'big fish', with highly targeted attacks aimed at producing significant financial gain from a single, more concerted effort.

Organisations need to be aware of the possibility of this type of attack and apply best practice security principles and solutions to avoid falling victim to such a threat.

With more sophisticated methods of attack as well as a burgeoning cyber criminal underworld and black market, whaling has become an increasingly lucrative business. Ultimately it is the result of the natural evolution of phishing, moving toward a more structured method of compromising specific targets for maximum financial gain.

Targets may include prominent and wealthy personalities, senior executives in global enterprises, and commonly financial institutions. While the payoffs are typically higher as a result of the high profile nature of targets, the same tactics used in regular spear phishing attacks apply.

Email vulnerability

One of the most common methods of obtaining information from targets is to make use of emails, seemingly from legitimate entities, seeking specific information. However, this approach has limited effect and is thus most often used in regular, mass-approach phishing scams. Social engineering plays a significant role in spear phishing, and thus in whaling, as personalised, targeted information is most likely to yield greater results.

While all information these days has value and can be sold, the targets of whaling attacks are generally chosen for their ability to deliver high profit results. Financial institutions and other entities within the Payment Card Industry (PCI) are frequently the target of whaling attacks for a simple reason – they house vast amounts of confidential customer information including credit card details. This information is instantly saleable on the dark net and is therefore a highly profitable commodity.

While technology solutions are available to protect organisations and individuals from malware attacks, the success of phishing scams typically hinges on the ability of attackers to obtain personal details and information about their target.

In today's connected world this is often only too easy, as people post more details than they should on social media, and use unsecure channels such as email to send confidential information. The only protection against such threats is education and awareness – the creation of the so-called human firewall – and the implementation of security best practices such as the PCI Data Security Standard (DSS) throughout organisations.

Phishing, spear phishing and even whaling are nothing new, however it has become far easier for people to become targets of such attacks. More and more devices are now permanently connected and opened up to the Internet, and we have become a society that is comfortable with sharing vast amounts information online.

Both of these factors can be used for exploitation, particularly where there are weaknesses in security defence. The growth of cloud computing and the increasing prevalence of the Internet of Things (IoT) will only exacerbate this issue.

Hackers have a well-defined business model, and will therefore go after targets that yield the highest profits for the least amount of effort. Protecting yourself and your organisation is essential, and layers of security as well as enhanced awareness are critical to making the job of cyber criminals more difficult, and making yourself a less attractive target. Technology can assist, but ultimately there is only one defence against social engineering, and that is awareness, education, and the creation of the human firewall.

* By Simeon Tassev, Director of Galix