Cyberscams have become old hat, and even your Aunt Norma has acclimated to the ploys of online criminals and their attempts to steal passwords, personal information, and ultimately the money of the unwitting. Phishing attempts (to gather personal information via email for fraudulant use) have become easily identifiable by a lure that is not quite as real as it should be, so now the Whalers are moving into the water with a more convincingly crafted enticement. Whaling, also known as Spear-Phishing, is an effort toward catching a 'bigger fish', which could be an executive, payroll employee, or someone similar in an organization who has a specific role dealing with the private sensitive data of a large amount of employees.
This effort, in lieu of the generic 'Dear sir/madam' greeting, can include the target employee's specific name, job title, or other information that might lead them to believe that the sender has a relationship appropriate to their request, and may even further appear to originate from a high ranking corporate executive of that organization. All of this information is generally readily accessible via an organization’s website and can be tailored to craft a very convincing request. Another method employed in whaling attempts includes a malware infected document sent to a specific employee designed to exfiltrate personal data typically handled by that person's role. Whalers go so far as to 'spoof' their sender address to look like it has originated from an @indstate.edu domain.
In 2016, more than 50 organizations have been successfully targeted by W-2 spear phishing attacks since January, including Kentucky State University, where an employee inadvertently released 1071 employee tax records to criminals. Additionally, the IRS has reported a 400% increase in these types of incidents specific to tax information this year. Indiana State University employees have been excellent in identifying some seemingly authentic requests thus far, but one of the best tools for preventing a Whaling incident is user awareness.
If you are asked to reveal personal or financial information of Indiana State University students, faculty, of staff via email by an Indiana State University employee or any other individual, you should not respond. Call them, confirm the legitimacy of their request, and discuss a secure method of transmitting this type of data. Also, never hesitate to contact your OIT area consultant, or forward the email message to firstname.lastname@example.org, where OIT personnel can review the authenticity of the email and act accordingly.
Do not just click on links in emails, but instead copy them into your web browser to verify their validity. This includes Indiana State University OIT links in emails too!
No Indiana State University employee will ever ask for a username and password in email or over the phone.
If you think your username and password have been compromised, call the ISU OIT Help Desk at 812-237-2910.
1) No legitimate organization, including ISU, will EVER ask you for your email password or other personal information via email.
2) If an email sounds too good to be true, it is probably a scam.
3) An indicator of a spam email is that it is filled with broken English and/or lots of
WHAT TO DO IF YOU RECIEVE ONE OF THESE EMAILS:
People receive these types of emails on a regular basis and most of the time recognize them for what they are. Often the best course of action is to simply delete them. Occasionally, however, particularly clever messages come through that even the most discerning user might take some thought or examination to spot. When you receive this variety of fraudulent email, please forward that email to email@example.com. You may have been sharp enough to catch it, but others might not be so fortunate, and this may be a new scam that ISU’s information security team needs to act on.