
What comes to your mind when you think of “Phishing”? Most people naturally associate it with an email that looks like it is from a bank or organisation, in which the sender asks you for your personal information. In this January “Phishing” newsletter, we will be sharing various types of phishing & how you can identify them.

  1. Spear Phishing

What: Instead of a generic email, spear phishing (very much like spearfishing) is a targeted attempt to get an individual or organisation to divulge sensitive information. Using publicly available information such as your social media accounts and your company’s website, cybercriminals craft a convincing email that appears to come from a friend or a colleague in your organisation, to get you to share your personal information.


How to detect & what to do?

  • Abnormal request: If a sender makes an unusual request, always verify it with the sender through another channel, such as a call to a known number.
  • Links in emails: If an organisation such as a bank sends you a link, launch a browser and go directly to the bank’s site instead of clicking on the link. You can check the real destination of a link by hovering your mouse over it; if the URL does not match the link’s anchor text, it might be malicious.
  • Remember – a fake URL can be very similar to the legitimate URL. The difference can be a single dash, dot or letter.
  • Never key in your user ID and password on a link that you receive through an email, SMS, or messaging app such as WhatsApp, Messenger or Teams.
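The two link checks above (does the visible text match the real target, and does the target domain merely resemble a legitimate one) can be automated. The following Python script is an added example, not part of the newsletter: it parses the links out of a constructed sample email body and flags each one. The list of known-good domains and the sample email are assumptions made for this illustration, and `examplebank.com` is a placeholder, not a real bank.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: domains the reader's organisation treats as legitimate.
# Replace with your own list; "examplebank.com" is a placeholder, not a real bank.
KNOWN_DOMAINS = ["examplebank.com"]

# Constructed sample email body with three links: one genuine, one whose visible text
# does not match its real target (a dash inserted into the domain), and one that hides
# the bank's name inside an unrelated host behind generic "Click here" text.
SAMPLE_EMAIL_HTML = """
<p>Dear customer,</p>
<p>Log in at <a href="https://www.examplebank.com/login">https://www.examplebank.com/login</a>.</p>
<p>Verify now: <a href="https://example-bank.com/verify">https://www.examplebank.com/verify</a></p>
<p><a href="https://examplebank.com.login-check.net/acct">Click here to verify</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the <a> currently open; None when outside one
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(value):
    """Lower-cased hostname of a URL or bare domain ('' if none). A scheme is
    prepended when missing so urlparse treats the first label as the host."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def lookalike_of(host, known=KNOWN_DOMAINS):
    """Return the known domain that `host` imitates, or None if `host` is that
    domain itself or one of its genuine subdomains."""
    for good in known:
        if host == good or host.endswith("." + good):
            return None
    for good in known:
        # Known name buried inside an unrelated host, e.g. examplebank.com.login-check.net
        if good in host:
            return good
        # A single added dash or dot, or one swapped letter, keeps the similarity ratio high
        if SequenceMatcher(None, host, good).ratio() >= 0.8:
            return good
    return None


def check_links(html):
    """Flag each link whose visible URL differs from its target, or whose target
    domain resembles a known-good domain without being it."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host = hostname(href)
        # Only treat the anchor text as a URL when it looks like one (has a dot, no spaces).
        text_host = hostname(text) if "." in text and " " not in text else ""
        reasons = []
        if text_host and text_host != href_host:
            reasons.append(f"visible text points to {text_host} but link goes to {href_host}")
        twin = lookalike_of(href_host)
        if twin:
            reasons.append(f"{href_host} resembles known domain {twin}")
        findings.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL_HTML):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['href']}  {'; '.join(f['reasons'])}")
```

Run against the sample, the first link passes, the second is flagged for both a text/target mismatch and a lookalike domain, and the third is flagged because the bank’s name appears inside an unrelated host. The similarity threshold of 0.8 is a tuning choice for this illustration; a real mail filter would pair it with a proper allow-list of the organisation’s own domains.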

  2. Whale Phishing

What: Like spear phishing, whale phishing is also “targeted”, but it is aimed at important and powerful individuals in an organisation. Specifically, cybercriminals impersonate a member of senior management, using publicly available information such as the corporate website and/or social media, to get the CEO or other senior managers to share sensitive information or even grant access to computer systems.


How to detect & what to do?

  • Abnormal request: If the senior leadership member has never made contact before, be wary of the request. Verify the request with your direct manager.
  • Sender’s email address: Verify the sender’s email address against the company’s database. If it cannot be found, do not reply, and report it.

  3. Vishing

What: Vishing happens when a cybercriminal calls your phone number and gets you to divulge sensitive information. To pressure you into handing it over, the caller creates a heightened sense of urgency, for example by claiming that your bank account has been compromised and that you must share your personal information immediately to protect it.


How to detect & what to do?

  • Frantic sense of urgency: The caller creates a sense of urgency by implying there will be problems if you do not provide your information over the phone. Remain calm and do not give out your personal information.
  • Abnormal request: The caller may impersonate another employee requesting information over the phone. Always validate the request by calling that employee back on a known number.
  • Incoming number looks odd: Do not pick up calls from incoming numbers that look odd.

While the fish in “Phishing” can come in different forms, all of them seek the same goal – to get YOU to reveal sensitive information or download malicious software onto your device. Protect your personal information at all costs.