Whale phishing attack – targeting senior staff

Over the last few months we have seen a substantial rise in the volume of phishing emails being sent to university staff apparently from a colleague.  These emails are sent from a fake external email address e.g. colleagues.name@gmail.com or something similar.  Often the emails are made to look as if they’ve come from senior colleagues – this type of phishing is known as whaling or whale phishing as the criminals behind them are targeting the ‘bigger fish’ in the organisation.  A similar approach is called spear phishing where any staff member can be targeted.  Both of these types of emails can be detected easily if you know what you are looking for.

The intention of these emails is to get a response from you and trick you into interacting with the phisher.  They usually start with a subject line ‘Are you on campus / Are you available’ or similar.  If you answer, they will get into a dialogue with you to try and trick you into paying an invoice, buying gift cards for them (e.g. iTunes gift cards), or some other financial action.

How to identify and deal with a targeted phishing email

  1. On opening an email, always check the ‘from’ field.  External emails nearly always have the full email address quoted in the ‘from’ field e.g. Trish <trishdavey@somemadeupemailaddress.com>. This may not be the case on a mobile device – be extra careful.  Don’t assume your colleague is emailing from their personal mail account – anybody can create a Gmail or other webmail account in anyone’s name.
  2. Consider the tone of the subject line and any words in the body of the email – is the tone / style appropriate to your colleague?
  3. IF IN DOUBT – contact the colleague concerned via a known route – phone them, email them on their university account.
  4. If in doubt DO NOT REPLY.

This is a screen shot of a recent example that was circulating in the University, shown with the permission of Professor Jump:

As innocuous as this may seem, please do not enter into a dialogue if you have any suspicion at all.  Contact your colleague directly via a legitimate route.

If you receive an email of this type, please report it to the Information Centre.  We are now filtering any emails with the subject line ‘Are you on campus?’ into a security mailbox, but it is only a matter of time until a new subject line appears.
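The checks in the list above (an external address carrying a colleague's display name) and the subject-line filter described here can be automated for a security mailbox. The following is an added example, not a tool from the Information Centre; the internal domain `example.ac.uk`, the staff directory and the two sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed for this example: the university's real domain and staff list would go here.
INTERNAL_DOMAIN = "example.ac.uk"
STAFF_DISPLAY_NAMES = {"professor jump", "trish davey"}
# Lures seen in the campaign described above.
LURE_SUBJECTS = re.compile(r"are you (on campus|available)", re.IGNORECASE)


def assess_message(raw: str) -> list[str]:
    """Return the reasons a message looks like a targeted phish (empty list = no flags)."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    reasons = []

    # Check 1: a staff member's display name on an address outside the university domain.
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name = re.sub(r"\s+", " ", display).strip().lower()
    if domain != INTERNAL_DOMAIN and name in STAFF_DISPLAY_NAMES:
        reasons.append(f"external address {addr!r} uses staff display name {display!r}")

    # Check 2: the subject line used by the current campaign.
    if LURE_SUBJECTS.search(subject):
        reasons.append(f"subject matches known lure: {subject!r}")

    # Check 3: replies would go somewhere other than the visible sender.
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_to!r} differs from From {addr!r}")
    return reasons


# Constructed sample messages.
PHISH = """\
From: Professor Jump <professor.jump@gmail.com>
To: staff.member@example.ac.uk
Subject: Are you on campus?

Hi, are you available? I need a quick favour.
"""

LEGIT = """\
From: Professor Jump <a.jump@example.ac.uk>
To: staff.member@example.ac.uk
Subject: Departmental meeting notes

Notes attached.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, assess_message(raw) or "no flags")
```

Messages that return any reason can be routed to the security mailbox and the sender prompted to verify via a known route, as the list above advises.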

We will be working on releasing regular security updates over the coming months to keep staff aware of the most recent threats.

If in doubt, please contact the Information Centre so that we can help you.

Information Centre
Information.centre@stir.ac.uk
Or log into UniDesk via the portal and click ‘Contact Us > Ask IT’