The NCSC - in collaboration with CPNI - has recently published guidance on avoiding phishing attacks. In the intro we explain what the NCSC means by 'phishing' (basically, all the nasties that arrive in your email inbox). This isn't always how 'phishing' is defined in textbooks, but since your defences should look very similar for all those nasties, it makes a lot of sense to lump them together under the umbrella term 'phishing'.
Of course, within all these nasties there are more targeted forms of phishing, such as spear phishing and whaling. Since we didn't really focus on these in the guidance, this blog takes a quick look at them now, and explains why adopting layered defences is the best way to protect your organisation from the damage they can cause.
What is the difference?
Traditionally, phishing describes the general noise of malicious emails that are spewed out across the internet in vast quantities. The phisher is hoping that eventually one will arrive in the inbox of someone who happens to use that bank, or has just made a purchase at that online retailer, or is just having a bad day, and they click. The phisher gets a new password to add to their collection, or maybe a new machine to add to their botnet.
Spear phishing is where the phisher is deliberately attacking a specific person and has crafted an email containing personal information to make them click. Whaling (ok, not actually a fish) is a specific type of spear phishing that targets a big phish, often a board member or an employee with access to some particularly tempting assets.*
Where exactly is the cut-off point between phishing and spear phishing? Is targeting people from the UK with HMRC tax return emails spear phishing? What about mentioning the company name or a local landmark in a company-wide campaign? What about a mass mail-out with stolen account numbers? These are all forms of targeting. It's easy to get bogged down in the terminology as the definitions aren't really clear cut, but the important point is that our phishing guidance caters for all these scenarios.
Our guidance isn't fussy
All the different flavours of malicious emails happen roughly the same way. They are written, sent, received, clicked, and finally reach their goal. The 4 layers of defence that are described in our guidance are designed to stop this at every available opportunity, in order to prevent anything bad happening to your organisation. Since phishing, spear phishing and whaling attacks all have to pass through the same steps, you need the same defences. The technical defences don't care how targeted the email is; they will still stop any attacks that send up red flags.
The approach to training that we recommend is also agnostic to the type of email. Often training recommends a user looks out for signs of mass mailing, such as poor spelling or impersonal introductions ("Dear Valued Customer"). But these aren't always useful for spotting mass phishing, and someone taking the time to write a targeted email is probably going to use a spellcheck. Rather than have two sets of training materials, CPNI recommend that users look for the influence techniques instead. These techniques (such as urgency, authority etc.) have been used by criminals for centuries and apply to phishing emails (and other scams) of all types.
Is there anything special I can do for spear phishing?
OK, so not everything in the guidance is completely blind to the type of email. Some of the defences in the guidance are deliberately designed to make highly targeted attacks less frequent and less successful. These include considering what sort of information your organisation shares online, and if it could be used to make a phish more targeted. We also recommend checking who has access to valuable information and privileges, and considering if they actually need that access to get their job done. Reducing the information you share with the public, and the number of users with access to your data, makes a targeted attack more difficult.
One of the main differences between a targeted attack and a mass generic campaign is that a targeted attack may have a specific goal within your organisation. This could be about transferring money, or getting access to an administrator account. In the guidance, we've suggested the types of things you might want to protect, but you will have a much better idea of what is important in your organisation. Try to figure out what might be done to attack these important things, who will be targeted, and what processes would have to be mimicked or bypassed in order for the attack to succeed. For example, someone after money might target your finance team by mimicking your normal invoice process.
When you have an idea of what you need to protect, you can revisit your defences and see what protections can be put into place. This might involve improving the processes that handle these assets (such as adding safeguards around the payment of invoices), and providing better support for the members of staff who may be targeted for those assets. For example, you could tailor your messaging to a particular department so it's more relevant, and consider prioritising responding to their queries about phishing. Whatever these actions involve, ensure that you have multiple layers of defence between the attacker and their goal, so you're not leaving your valuables exposed.
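As an added illustration of "multiple layers of defence between the attacker and their goal" applied to the invoice example above (example code, not part of the NCSC guidance or this post), here is a small Python model of a payment gate in which each check is independent, so a targeted email that defeats one layer still has to get past the others. The supplier record, the approval threshold and the check names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Invoice:
    sender_domain: str          # domain of the requesting email address
    dmarc_pass: bool            # authentication result reported by the mail gateway
    supplier: str
    account: str                # bank account the invoice asks to be paid to
    amount: float
    approvals: int = 0          # independent approvers who have signed off
    change_verified_oob: bool = False  # bank-detail change confirmed by phone to a number on file

# Constructed sample data (assumption): suppliers the organisation already pays,
# with the email domain and bank account held on file for each.
SUPPLIERS = {
    "Acme Ltd": {"domain": "acme.example", "account": "GB00-ACME-0001"},
}
DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy value

def check_invoice(inv, suppliers=SUPPLIERS):
    """Return the list of layers that block this payment request (empty = OK).
    Every layer is evaluated, so the report shows all the red flags, not just the first."""
    blocks = []
    record = suppliers.get(inv.supplier)
    # Layer 1 (technical): did the email even authenticate?
    if not inv.dmarc_pass:
        blocks.append("mail failed DMARC")
    # Layer 2 (process): is this a known supplier, writing from the domain we hold for them?
    if record is None:
        blocks.append("unknown supplier")
    elif inv.sender_domain != record["domain"]:
        blocks.append("sender domain does not match supplier on file")
    # Layer 3 (process): a change of bank details must be confirmed out of band
    if record and inv.account != record["account"] and not inv.change_verified_oob:
        blocks.append("bank details changed without out-of-band verification")
    # Layer 4 (people): large payments need two independent approvers
    need = 2 if inv.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if inv.approvals < need:
        blocks.append(f"needs {need} approval(s), has {inv.approvals}")
    return blocks

if __name__ == "__main__":
    # Constructed sample: a routine invoice and a targeted request that mimics the process
    # but arrives from a lookalike domain, quotes a new account and leans on one senior approver.
    routine = Invoice("acme.example", True, "Acme Ltd", "GB00-ACME-0001", 5_000, approvals=1)
    targeted = Invoice("acme-example.com", True, "Acme Ltd", "GB00-NEW-9999", 25_000, approvals=1)
    print("routine :", check_invoice(routine) or "OK")
    print("targeted:", check_invoice(targeted))
```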
Sociotechnical Security Researcher
*We have also seen whaling used in the wild to describe spear phishing, where the phisher is pretending to be the big phish.