Phishing: Spear, Whaling and Angler aren’t just for fishermen!

Lisa Goth Cyber

Most people, on hearing the terms “spear, whaling and angler,” assume they are fishing terms. They are, but they’re also “phishing” terms. These are popular scams targeting businesses of all sizes.

A basic phishing attack is broad, targeting a large non-specific audience. This attack employs a “quantity over quality” approach, requiring minimal preparation by the attacker with the expectation of a few victims. When a phishing attack is customized to target an organization or specific individuals, it is referred to as spear phishing. The attacker learns details about their target to tailor their approach. When an attacker decides to spear phish a high-profile target, that is when it becomes whaling.

Whaling is similar to spear phishing, only with bigger fish. Where spear phishing targets regular everyday people, whaling targets a C-level employee of a corporation using focused messaging that preys upon their fears, such as legal action or reputational harm. The goal of this scam is to steal large sums of money, sensitive data, or trade secrets, or to gain high-level credentials to company accounts. The attackers use social engineering to obtain personal and company information to elicit trust and conformity. The Verizon Data Breach Investigations Report revealed that 30% of whaling emails get opened by targeted users and 12% of those users click on the malicious attachment or link.

The mechanisms used in phishing include email, texting, and infected websites. Angler phishing is a specific type of phishing that exists on social media: the practice of pretending to be a customer service account representative to lure victims into handing over personal information. It uses social media to connect with disgruntled consumers. A harmless post on Facebook or Twitter by an upset customer venting puts an angler phishing attack in motion. A scammer can reach out to a potential victim by launching a bogus corporate social media account, such as a fake “Customer Support Team” account that includes the company’s name to further enhance the appearance of legitimacy. The angler phishing communication is designed to sound friendly and genuine and may even contain a company logo. The scammer will provide a link that supposedly takes you directly to an agent who is standing by to help you, but which instead installs malware onto your computer.

Don’t let your company become a victim of phishing, whaling, and angler scams. The Charles Leach Agency is working with small and medium-sized businesses to customize cybersecurity policies that protect you and your assets. Call 1-888-275-3224 to get started today!