What is "phishing" and "whaling"?
"Phishing" is the fraudulent practice of sending emails pretending to be from a reputable company in order to induce recipients to reveal personal information, such as passwords and credit card numbers, online.
"Whaling" is the fraudulent practice of sending emails designed to deceive the recipient into disclosing personal or corporate information, by social engineering, email spoofing and content spoofing. The email appears as if it is from a trusted source and may lure the recipient to a sham website. "Whaling" emails and websites are highly personalised, often incorporating the target's name, job title or other personal information gleaned from a variety of sources.
Can "phishing" and "whaling" be stopped at the source?
Since "phishing" and "whaling" emails are legitimate, well-formed messages from legitimate sources, they cannot be blocked on those criteria. Because they also carry none of the signals that spam profiling looks for (no keywords, attachments or suspicious URLs), they are not caught as spam either. Sending addresses can be blocked on a case-by-case basis, but the same sending address is unlikely to be used again.
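Because a whaling message is well-formed and comes from a real mailbox, filtering on the sender or on spam keywords lags behind the attacker, as the answer above explains. What such messages do share is that they impersonate a trusted person. The following is an added example (not OneNet's code or any vendor's product) of a header check that looks for that impersonation rather than for a blocklisted address: a senior executive's display name on an address outside the organisation's domain, a Reply-To that diverts replies elsewhere, and a sending domain that is a near-miss of the organisation's own. The organisation domain, the executive list and the three sample messages are all constructed for the example.

```python
"""Executive-impersonation check over raw email headers.

Added example, not OneNet's code. ORG_DOMAIN, EXECUTIVES and SAMPLES are
constructed values; a real deployment would read them from the directory
and from the mail gateway's message stream.
"""
from email import message_from_string
from email.utils import parseaddr
import re

ORG_DOMAIN = "example.co.nz"               # assumed organisation domain
EXECUTIVES = {"Jane Doe", "John Smith"}    # constructed list of senior staff


def _normalise_name(name: str) -> str:
    # Lower-case, drop punctuation and sort tokens so that "DOE, Jane",
    # "jane.doe" and "Jane Doe" all compare equal.
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


EXEC_KEYS = {_normalise_name(n) for n in EXECUTIVES}


def _edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance; small values mean a lookalike domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_headers(raw: str) -> list:
    """Return the impersonation indicators found in one raw message."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    # Indicator 1: a listed executive's name on an address outside our domain.
    if _normalise_name(from_name) in EXEC_KEYS and from_domain != ORG_DOMAIN:
        findings.append(f"display-name impersonation: '{from_name}' <{from_addr}>")

    # Indicator 2: replies are steered to a different mailbox than the sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr and reply_addr.lower() != from_addr.lower():
            findings.append(f"reply-to mismatch: {from_addr} -> {reply_addr}")

    # Indicator 3: sending domain is within two edits of the real one.
    if from_domain and from_domain != ORG_DOMAIN \
            and _edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {from_domain}")

    return findings


# Constructed sample headers: one genuine internal message, one external
# mailbox using an executive's name, one near-miss domain.
SAMPLES = {
    "internal": (
        "From: Jane Doe <jane.doe@example.co.nz>\n"
        "To: finance@example.co.nz\nSubject: Q3 figures\n\nSee attached.\n"
    ),
    "external_name": (
        "From: Jane Doe <jane.doe.ceo@mail-example.net>\n"
        "Reply-To: invoices@mail-example.net\n"
        "To: finance@example.co.nz\nSubject: Urgent transfer\n\nPlease pay today.\n"
    ),
    "lookalike": (
        "From: John Smith <john.smith@examp1e.co.nz>\n"
        "To: it-security@example.co.nz\nSubject: Password reset\n\nConfirm here.\n"
    ),
}


def scan_samples() -> dict:
    """Run the check over every constructed sample; used by main and tests."""
    return {label: check_headers(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(f"{label}: {findings or 'no indicators'}")
```

The check deliberately ignores message content, since the FAQ notes that whaling text contains nothing a keyword filter would catch. It does not cover an attacker forging the organisation's exact domain; that case is handled at the gateway by SPF, DKIM and DMARC alignment, not by display-name matching. Any hit should be treated as a prompt for human review under the incident procedures described below, not as an automatic block.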
How do we deal with "phishing" and "whaling"?
OneNet is working with vendors and clients to monitor and improve email security. However, the sophistication and persistence of "phishing" and "whaling" means that organisations should not solely rely on computer security and algorithms.
Education and awareness are critical. Please refer to the Department of Internal Affairs website for further information on identifying scam emails at http://www.dia.govt.nz/diawebsite.nsf/wpg_URL/Services-Anti-Spam-Watch-out-for-scams
Additionally, we recommend that organisations:
- Identify the roles within the organisation that may be vulnerable to "whaling" or "phishing", for example finance, management and IT security.
- Train staff working in these identified roles in awareness of "phishing" and "whaling", and the organisation’s security policies.
- Establish robust internal procedures for identifying and handling security incidents, and for responding to external queries that request information on senior company executives, and so on.
If you have any concerns about a potential "phishing" or "whaling" email, please contact our Service Desk team on 0800 ONENET or firstname.lastname@example.org.