Do Not Get Hooked By a Whaling Attack


The executives of your company are the big fish in your sea, and cyber-criminals think of them as whales. Whaling is the name given to phishing that targets your C-suite level staff.

You may have heard of phishing attacks, but what about vishing, spear phishing and whaling attacks?

Phishing – Where cyber-criminals use scam emails or spoofed websites to obtain user credentials or financial information. The bad guys send out millions of emails that look like they are from, say, your bank asking you to log in and update your details, or a supposed tax alert from the government needing immediate action. People click on the link and enter their information, which goes straight to the cyber-criminals.

Vishing – A vishing attack is another fraudulent attempt to steal protected data, but the cyber-criminals use the phone to make the initial contact. For example, they might pretend to be a vendor asking you to change the bank account into which you pay their invoices.

Spear phishing – In these cases, the attackers do their homework first and target a specific company or individual. They scour directories and employee social media to gather information that makes their message credible.

Whaling – Now there are whaling attacks, too. The high-value target is a senior-level employee, and the fraudster typically impersonates one of the target’s C-suite counterparts.

What You Need to Know About Whaling

A whaling attack uses the same methods as phishing but focuses on top-level employees (aka whales). The goal is to get the “whales” to reveal sensitive information or transfer money to fraudsters’ accounts.

Whaling attacks are deliberate and targeted. Ordinary phishing sees attackers baiting hundreds of hooks in the hope of a few nibbles. In whaling, the attackers research specific individuals and companies, and the information gathered adds credibility to their social engineering. They may then pose as the CEO and email the bookkeeper with a request, apparently from the CEO, to make a payment to a particular account. Because the target is worth more, it is worth the attacker’s time to do that research, so that they appear knowledgeable and the request looks like it comes from someone important and goes to someone who can act on it.

The sender’s email address will look convincing (e.g. smithj@companyx.co instead of smithj@companyx.com), or the display name will show the executive’s name while the underlying address belongs to an outside mailbox. The messages will carry corporate logos and legitimate links to the company site. Because humans want to help, the communications typically involve an urgent matter.

Whaling attacks are on the rise, and there have been a few high-profile cases:

Snapchat disclosed that payroll information about its employees had been handed over after a staff member received an email, seemingly from its CEO, asking for it.

Mattel nearly transferred $3 million to a Chinese bank account. Company policy required two sign-offs, but the attackers, taking advantage of a recent leadership shake-up, faked an approval from the new CEO, and the second executive went ahead and added theirs. The only thing that saved the company was that it was a Chinese bank holiday, which gave it time to have the payment stopped.

Protection Against Whale Attacks

As with phishing or vishing, the primary defence against whaling is to be wary and to question everything. Train all your staff to guard what they share on social media and encourage them to question any unsolicited request. If they were not expecting an attachment or link, they should confirm it through a different channel (i.e. phone the sender on a number they already have, not one taken from the email). If a request is unusual, they should trust their instincts, double-check email addresses, web links and bank account details, and proceed only once the information has been independently confirmed.

It is also a good idea to develop a policy for handling requests for money or for private and personal information. Requiring that two people always sign off, and that any change to payment details is confirmed with the payee on a known phone number, makes it far more likely that a scam is caught before it is too late.

Also, train all your employees to look carefully at email addresses and sender names, not just the display name. They should also know to hover over links (without clicking on them) to reveal the full URL and to check that the domain it points to matches the one shown in the link text.
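The checks described above (the lookalike sender domain from the companyx.co example, an executive’s display name on an outside address, and a link whose visible text does not match where it really points) can also be automated at the mail gateway or in a mailbox rule. The script below is an added example, not code from the original post or from DP Computing; it also goes one step beyond the text by flagging a Reply-To address that diverts replies to a different domain, a common trick when the From header itself has been spoofed. The company domain, the executive names and the three sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example (not from the original post): the legitimate company
# domain and the executives whose names an attacker might borrow.
COMPANY_DOMAIN = "companyx.com"
EXECUTIVE_NAMES = {"john smith", "jane doe"}

# Matches something that looks like a URL or bare domain and captures the host.
URLISH = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)
# Matches simple HTML anchors so the visible text can be compared with the href.
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss domains such as cornpanyx.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of_address(addr: str) -> str:
    """Lower-cased domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def domain_of_url(text: str) -> str:
    """Host part of a URL or bare domain, or '' if the text is not URL-like."""
    m = URLISH.match(text.strip())
    return m.group(1).lower() if m else ""


def is_lookalike(domain: str) -> bool:
    """True for domains built to be mistaken for COMPANY_DOMAIN."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    if COMPANY_DOMAIN in domain:          # e.g. companyx.com.secure-login.net
        return True
    # One or two edits away: companyx.co (dropped letter), cornpanyx.com (rn for m)
    return edit_distance(domain, COMPANY_DOMAIN) <= 2


def analyse(raw_message: str) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of_address(from_addr)
    if is_lookalike(from_domain):
        findings.append(f"lookalike sender domain: {from_domain}")
    if display_name.lower() in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        findings.append(f"display name '{display_name}' but sender is outside {COMPANY_DOMAIN}")

    # Replies silently routed elsewhere are a sign the From header was spoofed.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of_address(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")

    # The "hover over the link" check: visible text versus the real destination.
    for href, text in LINK_RE.findall(msg.get_payload()):
        shown, actual = domain_of_url(text), domain_of_url(href)
        if shown and shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings


# Constructed sample messages; none of these is a real email.
SAMPLES = {
    "legitimate": (
        'From: "John Smith" <smithj@companyx.com>\n'
        "Subject: Board pack\n"
        "Content-Type: text/html\n\n"
        '<p>Agenda is on the intranet: <a href="https://companyx.com/board">companyx.com/board</a></p>'
    ),
    "lookalike_domain": (
        'From: "John Smith" <smithj@companyx.co>\n'
        "Subject: Urgent - supplier payment\n"
        "Content-Type: text/html\n\n"
        '<p>Please settle this today: <a href="https://companyx.co/payments">companyx.com/payments</a></p>'
    ),
    "spoofed_reply_to": (
        'From: "John Smith" <smithj@companyx.com>\n'
        "Reply-To: john.smith.ceo@example.net\n"
        "Subject: Are you at your desk?\n"
        "Content-Type: text/plain\n\n"
        "Need a quick favour, reply to this and I will explain."
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", analyse(raw) or ["no findings"])
```

Run as-is it prints no findings for the legitimate message, three for the lookalike domain (the .co sender, the borrowed executive name and the mismatched link) and one for the spoofed Reply-To. The edit-distance threshold of 2 is deliberately loose for a short domain name; in production you would also compare against a list of registered sister domains to avoid flagging your own subsidiaries.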

Security awareness is crucial, and it is also a good idea to test your employees with mock phishing emails.

If you are in Adelaide, South Australia and need help training employees and performing test phishing attacks please contact our experts today on support@dpcomputing.com.au or 08 8326 4364.
