A recent trend in email phishing attacks is something called whaling. Whaling is a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO, manager and supervisors. “In many whaling phishing attacks, the attacker’s goal is to manipulate the victim into authorizing high-value wire transfers to the attacker” (More info) In our case we are getting many email attacks where someone is trying trick people into buying gift cards and sending the card numbers to them.
The basic way it works is the attacker creates an email from a free email service such as Gmail, Yahoo, and a couple of others. They usually choose names of people that are department leaders and have staff. They then send emails to members of that department hoping to trick an employee in to thinking it is from their manager. The initial email is extremely brief such as “Are you available?” and may have a subject hinting at urgency. Some have also have created a signature text that is quite convincing. Their hope is to trick the potential victim into replying.
Once they hook someone then their 2nd message says they that they are in a meeting with no idea when it will end (they commonly say they do not know when the meeting will “round up”). They go on to say that they cannot use their phone and can only communicate through email and that they need something very important done right away. Their next email says what they want… lately they have been asking for some amount in Amazon Gift cards (I have seen amounts of $100 to $500) and they reiterate that they will reimburse and that they need it right away and are still in the meeting. They may say in this message or a following one that once the victim has the cards they are to scratch off and send the numbers on the back of the card.
This gift card spoofing is the latest twist in Whaling attacks that we have received, many of you may remember that we have been seeing similar spoofed emails for over a year ago with the attackers using a variation of Dr. Paul’s name as part of the sender’s name and email address from Gmail or Yahoo. These were mostly trying to pass off some document for all employees to read and then sign into a web page to indicate they have read and agree. These were a phishing attack that were designed to capture the victim’s login name, password and possibly other personal information from that non capital.edu website.
As a tool to help you better identify these we have added and External Sender Disclaimer to Email received externally.
This new disclaimer message will be a constant reminder to use caution when opening, sharing your personal information or responding to emails from unknown or external senders. Exclusions for emails from official university systems are being identified and created so that the disclaimer will not appear in the body of the messages.
Past helpful posts
How to Spot a Phish
https://inside.capital.edu/ITStatus/index.php/2018/10/11/how-to-spot-a-phish-101118/
Top 10 List for Cyber Security Awareness Month (October 2018)
https://inside.capital.edu/itstatus/index.php/2018/10/10/top-10-list-for-cyber-security-awareness-month-october-2018/
Spam Definitions
| SPAM | Spam is unsolicited or junk email that clogs up your email inbox trying to get you to buy something. The best way to deal with spam is not to open it or reply to it. |
| Spoofing | Spoofing is a fraudulent or malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver. Email spoofing is the most popular tactic used by scammers because users are more likely to open an email when they think it has been sent by a legitimate or familiar source. The goal of spoofing is to trick victims into sharing sensitive information such as passwords, usernames, and credit card details for malicious reasons.
If you suspect spoofing, check the email’s header to see if the email address generating the email is legitimate. Visit phishing.org for more information on phishing attacks. |
| Phishing | Phishing is an unsolicited email message trying to get you to give up something. Typically they are trying to get your username and password. Sometimes they try and get you to click on a link or run an attachment that will infect your computer with a virus. To learn more about phishing attacks and tactics, visit phishing.org for more information. |
| Spear Phishing | Spear phishing email customized for a particular organization or person. It will use the same graphics and language as an official email. The goal is the same as a phishing attack.
Many of you may remember the spoofed emails from scammers who were using their own Gmail and Yahoo accounts to send out email messages to the campus using a variation of Dr. Paul’s name as part of the sender’s name and email. The goal was to try to pass off a document to all employees asking them to read it by signing into a “non Capital.edu” website which would then capture the victim’s login name, password and possibly other personal information. Always check the sender’s information closely for validation and legitimacy. |
| Whaling | A recent escalating trend on campus is the whaling email phishing attack. Whaling is a specific type of phishing attack that targets high-profile employees, such as the CFO, managers and supervisors. The cybercriminal’s goal is to manipulate the victim into authorizing high-value wire transfers to them or trick the victim into buying gift cards and send them the card numbers. |