About the author
Roland Thomas
Associate Director | Corporate Development
Roland is an Associate Director in Thomas Murray’s Corporate Development team. He joined Thomas Murray in 2018 with responsibility for group strategy, partnerships and corporate finance. More recently, Roland’s role has focused on establishing Thomas Murray’s cyber risk business, starting in 2021 with the launch of our Orbit Security platform, and the development of our expert cyber risk consultancy. Roland has a BA in English Language and Literature from Oxford University.
In this guide
What is email security?
What is email spoofing?
Phishing, spear phishing and whaling attacks
What is phishing?
What are spear phishing and whaling?
How do I mitigate against phishing and BEC attacks?
What is email security?
Put simply, email security is the collective term for the steps your organisation takes to safeguard the confidentiality, integrity, and availability of its email communications – from sending and receiving through to archiving.
Email encryption is a vital part of email security, as it ensures that only the intended recipient can read the message.
Authentication verifies the sender’s identity and the origin of the email itself. Standards such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) all help to detect forged or spoofed emails.
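The point where SPF, DKIM and DMARC come together is alignment: a message only passes DMARC when a passing SPF or DKIM result belongs to the same domain the recipient sees in the From: header. The following added example (not code from the article or from Thomas Murray) makes that decision from the Authentication-Results header a receiving server writes, using two constructed messages; the organisational-domain shortcut and the sample header values are assumptions for the demo.

```python
"""Added example (not from the article): evaluate DMARC alignment from the SPF
and DKIM verdicts a receiving server recorded in Authentication-Results."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples. In the spoofed one SPF and DKIM both pass, but for a
# domain unrelated to the visible From:, so DMARC alignment must still fail.
SPOOFED_MESSAGE = """From: "Finance Team" <cfo@example.com>
Subject: Urgent wire transfer
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce@bulk-sender.example.net;
 dkim=pass header.d=bulk-sender.example.net

Please process the attached payment today.
"""
LEGITIMATE_MESSAGE = """From: "Finance Team" <cfo@example.com>
Subject: Quarterly figures
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce@mail.example.com;
 dkim=pass header.d=example.com

Figures attached as discussed.
"""

def org_domain(domain: str) -> str:
    """Organisational domain approximated as the last two labels (real DMARC
    uses the Public Suffix List; this shortcut is an assumption of the demo)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_alignment(raw: str, relaxed: bool = True) -> dict:
    """Return the From: domain, the mechanisms that pass AND align, and the verdict."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = " ".join(msg.get_all("Authentication-Results", []))
    aligned = []
    for clause in results.split(";"):  # one clause per mechanism result
        for mech, key in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
            verdict = re.search(rf"\b{mech}=(\w+)", clause)
            ident = re.search(rf"{re.escape(key)}=([\w.@-]+)", clause)
            if not (verdict and ident) or verdict.group(1).lower() != "pass":
                continue
            auth_domain = ident.group(1).rpartition("@")[2].lower()
            if relaxed:  # relaxed: organisational domains match; strict: exact match
                ok = org_domain(auth_domain) == org_domain(from_domain)
            else:
                ok = auth_domain == from_domain
            if ok:
                aligned.append(mech)
    return {"from_domain": from_domain, "aligned": aligned, "dmarc_pass": bool(aligned)}
```

A message can show spf=pass and dkim=pass and still fail DMARC, which is exactly the case a gateway must treat as spoofed.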
Anti-malware and anti-spam measures include robust filters and scanners that detect and block malicious software (malware) and spam emails.
Phishing is a common email-based attack, but there are ways to detect and block phishing attempts, including link analysis, domain reputation checks, and content analysis. These should be regularly reviewed to keep pace with the swift evolution of phishing techniques.
Data loss prevention (DLP) mechanisms help prevent accidental or intentional leakage of sensitive data via email. They identify and classify confidential information, such as credit card or social security numbers, and enforce policies to prevent their disclosure.
Email archiving involves storing and retaining email communications for future reference, regulatory compliance, or legal purposes. Email archives are a rich source of data for threat actors, so their integrity and accessibility must be protected. Unauthorised access can also lead to inadvertent deletions or deliberate tampering.
People are always your best defence, so don’t ignore user awareness and education about things like avoiding suspicious email attachments, not clicking on unknown links, and being vigilant against social engineering tactics.
What is email spoofing?
As you might imagine, threat actors can spoof a legitimate email by manipulating the email headers and other elements to make the message appear as if it originated from a trustworthy source.
Email spoofing takes advantage of weaknesses in the simple mail transfer protocol (SMTP), the standard protocol for email transmission. SMTP does not provide robust mechanisms for verifying the authenticity of the sender's identity, making it easier for threat actors to manipulate email headers and deceive recipients.
By forging the sender’s identity, spammers can try to bypass email filters and increase the chances of their messages reaching their targets’ inboxes.
Spoofed emails can be used by threat actors for different ends.
They are central to malware distribution, and often contain attachments or links that, when clicked or opened, initiate the download and installation of malware on the recipient’s device.
Spoofed emails are also a core component of phishing attacks.
Phishing, spear phishing and whaling attacks
What is phishing?
Phishing is a type of cyberattack where threat actors impersonate a trusted entity or organisation to deceive individuals into disclosing sensitive information, such as login credentials, financial details, or personal data. The attacker typically masquerades as a legitimate entity, such as a bank, an email provider, a social media platform, or a reputable organisation.
The origins of the word are not entirely clear, but it’s likely “phishing” is a combination of “phreak” (an early online term for a hacker) and “fishing”. Perpetrators of telephone fraud in the mid-1990s were called “phone freaks,” later abbreviated to “phreaks.” “Fishing” is more straightforward; threat actors try to attract their targets with deceptive lures. Until fairly recently, threat actors would simply cast out and then reel in whatever they got on the hook.
However, the rapid advances in artificial intelligence and machine learning are changing that. The emergence of business email compromise (BEC) attacks, especially in the form of “spear phishing” and “whaling” attacks, reflects a growing awareness among cyber criminals that going after specific targets using more refined techniques can be more lucrative.
Phishing attacks are commonly carried out via email, but there are variants:
Smishing: The target is contacted through text messages or messaging apps. These are usually automated attacks purporting to be from the recipient’s bank, for example, or from a tax authority threatening legal action over unpaid tax. Sometimes, however, recipients are told they’ve won a fabulous prize: “click here to claim it!”
Vishing: In a typical vishing attack, the target receives a phone call from someone purporting to be from a bank or government agency. The caller will try to extract passwords, social security numbers, bank details and so on. To build credibility, threat actors will often use vishing as a follow-up to an initial smishing approach.
Typosquatting: Typosquatting is the most passive form of phishing. Also known as URL hijacking or domain mimicry, it’s the practice of registering fake websites with names that are almost identical to those of popular, legitimate websites. This form of fraud is almost as old as the internet itself and difficult to combat because it relies wholly on user error, rather than on any form of social engineering that people can be trained to spot.
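Because typosquatting relies on the user misreading a domain, the practical countermeasure is to have the mail gateway do the reading. The added example below (not code from the article or from Thomas Murray) classifies an inbound sender domain against a list of trusted domains, folding visually confusable characters before comparing and falling back to an edit-distance check; the confusables table and the trusted list are constructed for the demo.

```python
"""Added example (not from the article): flag inbound sender domains that look
like, but are not, one of your trusted domains, so typosquatted senders are
caught by the mail gateway rather than left to the user's eye."""
import unicodedata

# Visually confusable substitutions folded before comparison. A small constructed
# subset for the demo, not an exhaustive confusables table.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def normalise(label: str) -> str:
    """Strip accents and similar lookalikes to ASCII, then collapse confusable sequences."""
    folded = unicodedata.normalize("NFKD", label.lower()).encode("ascii", "ignore").decode()
    for lookalike, plain in CONFUSABLES.items():
        folded = folded.replace(lookalike, plain)
    return folded

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_verdict(sender_domain: str, trusted: list, max_distance: int = 1) -> dict:
    """Classify a sender domain as trusted, a lookalike of a trusted domain, or unrelated."""
    sender = sender_domain.lower().rstrip(".")
    if sender in trusted:
        return {"domain": sender, "verdict": "trusted", "resembles": None, "reason": None}
    s_name, _, s_tld = sender.rpartition(".")  # crude split; multi-part TLDs are ignored
    for t in trusted:
        t_name, _, t_tld = t.rpartition(".")
        if normalise(s_name) == normalise(t_name):
            reason = "confusable characters" if s_tld == t_tld else "different TLD"
            return {"domain": sender, "verdict": "lookalike", "resembles": t, "reason": reason}
        if edit_distance(s_name, t_name) <= max_distance:
            return {"domain": sender, "verdict": "lookalike", "resembles": t, "reason": "edit distance"}
    return {"domain": sender, "verdict": "unrelated", "resembles": None, "reason": None}
```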
Common elements in phishing, spear phishing and whaling attacks
A fraudulent email or message that appears legitimate, using techniques like email spoofing to make the communication seem genuine.
Phishing emails are often emotionally manipulative. Threat actors will use anything that will push the recipient to respond in haste, for example an urgent security issue or payment due, or a time-sensitive offer that’s about to lapse.
A phishing message usually contains links or attachments that direct the target to malicious websites or download malware onto their devices. These websites or files are designed to collect sensitive information, such as usernames, passwords, credit card details, or personal data.
Once the target reaches the malicious website, they may be asked to enter their credentials or personal information. This information is captured by the attacker, who can then use it themselves or sell it on the dark web.
In BEC attacks, like spear phishing or whaling, executives are often targeted for impersonation by threat actors who use their names, titles, or other personal details to try to deceive their contacts and colleagues. This can include mimicking the executive’s writing style or using insider knowledge to increase credibility.
What are spear phishing and whaling?
The main difference between ‘basic’ phishing and its more sophisticated versions, spear phishing and whaling, is that spear phishing and whaling require more work on the part of threat actors, and so are more likely to have a specific aim.
Any individual, in any capacity, can be targeted by a phishing attack. But spear phishing and whaling are more likely to involve business email compromise (BEC), and to target entire organisations and firms.
Threat actors will often use diverse sources of information, like social media profiles, public records, or data breaches, to make their messages seem legitimate and relevant. And, to make their approach even more convincing, they are likely to spoof an email address or phone number that the target is likely to trust.
Both these steps require research, and while doing this research cyber criminals will discover other details that they can use. For example, they might mention a specific project that the target is involved in, or a recent event they attended.
Spear phishing attacks are often designed to gain general access to an organisation’s sensitive data or networks, so the seniority level and/or role of the targeted employee is not particularly relevant.
By contrast, a whaling attack (also known as whaling phishing or CEO fraud), targets ‘big fish’, such as CEOs, CFOs, or other executives who have significant authority – particularly when it comes to sanctioning transfers of large sums – and access to acutely sensitive information.
Developments in AI making threats harder to detect
Deepfake technology is becoming more accessible, and criminals are using it to make their whaling expeditions even more successful. Now that Microsoft Translator has more than 100 languages in its repertoire, threat actors have realised that even language need not be a barrier when it comes to selecting targets.
Already, there have been instances where executives have been duped by calls from what they thought were their bosses or clients. They demonstrate the importance of having a chain of sign-offs on large transfers, especially at the most senior levels of an organisation.
In 2019, a CEO at a UK energy firm was called by someone who’d used artificial intelligence to successfully mimic the slight German accent and cadence of the CEO’s boss. Following what seemed like legitimate instructions, the CEO transferred €220,000 to a Hungarian supplier.
A year later, in 2020, the branch manager of a Japanese company in Hong Kong got a call from the director of the branch’s parent company. Referring to a long email correspondence the manager had been copied into about an acquisition, the director instructed the manager to go ahead with the US$35m in transfers required to complete the deal.
These two attacks have not yet been linked.
How do I mitigate against phishing and BEC attacks?
Conduct regular security awareness training to educate employees, especially executives, about the risks associated with whaling attacks and the techniques used by threat actors.
Enforce strong authentication mechanisms, such as multi-factor authentication (MFA), to prevent unauthorised access to email accounts or critical systems.
Use filtering to detect and block suspicious or spoofed emails. Implement email authentication protocols (SPF, DKIM and DMARC) to verify the authenticity of incoming emails.
Encourage your people to be vigilant about incoming emails, especially those requesting sensitive information or funds transfers. Establish a verification process for high-risk requests, such as phone verification or face-to-face confirmation.
Develop and regularly test incident response plans to ensure a swift and coordinated response in case of a whaling attack. This includes clear communication channels, reporting procedures, and steps for mitigating the impact.
Screen your third parties thoroughly to ensure their own security measures meet your standards. Threat actors will often use third parties as a gateway to bigger targets.