You’ve likely heard of phishing attacks. Phishers use scam emails or spoofed websites to obtain user credentials or financial information. This might be an email that looks like it is from your bank asking you to log in and update your details, or a supposed tax alert needing immediate action.
A "vishing" attack is another fraudulent attempt to steal protected data, but instead of email the criminals make contact by phone. They might pose as a vendor needing to confirm account details for bill payment, or as a bank needing to confirm credit card or account information.
There's also spear phishing, a more targeted form of the above. The attackers do their homework first, picking a specific company or individual and scouring directories, the company website and even employee social media profiles so that their first contact already sounds credible.
Finally, the subject of today's article: the whaling attack. This is typically one or more of the above techniques combined into a single attack on one or more "high-value" targets at a company. The target is usually a C-level executive at a larger company, or a senior employee or the owner at a smaller one. The fraudster typically impersonates someone else within the company, or someone close to the target (a spouse, relative or close friend).
What You Need to Know About Whaling
A whaling attack uses the same methods as phishing but focuses on top-level targets. The goal is to get “whales” to reveal sensitive information or transfer money to accounts owned by the attacker.
Whaling attacks are deliberate and targeted. Ordinary phishing baits hundreds or thousands of hooks and waits for nibbles; in whaling, information gathered in advance lends credibility to the social engineering. Because the target is worth more, it is worth the attacker's time to appear knowledgeable and to make the request look like it comes from, or goes to, someone important.
How convincing are whaling attacks? The attacker focuses on the details. The sender's address will look plausible: for example a lookalike domain with one character changed (ceo@examp1e.com rather than ceo@example.com), or the executive's real name as the display name over an address the attacker controls. The messages carry corporate logos and legitimate links to the company site. Because people want to help, the message typically involves an urgent matter or a request tied to an upcoming project.
Whaling attacks are on the rise too. In 2016, Snapchat disclosed that it had exposed employee payroll data after receiving an email, seemingly from its CEO, asking for the information. In another high-profile example, Mattel nearly transferred $3 million to a Chinese account. Company policy required two signatures, but the attackers, taking advantage of a recent shakeup at the company, faked the new CEO's signature, and the second executive went ahead and added his own. The only thing that saved the company was a Chinese bank holiday, which delayed the deposit long enough for the transfer to be stopped.
Whaling attacks aren't aimed only at large corporations either. Smaller companies may not have large employee structures, but attackers are happy to think outside the box to find an "in". A small accounting firm in South Carolina employing just four people was on the hook for thousands of dollars in a ransomware attack after the business owner opened a malicious email attachment that appeared to come from his wife.
How to Protect Your Business Against Whaling Attacks
As with phishing or vishing, the primary defense against whaling is to question everything. Train your key staff members to guard what they share on social media, and encourage them to question any unsolicited request. If they weren't expecting an attachment or link, they should follow up with the sender through a channel they already trust (a known phone number, not the contact details in the message). If a request is in any way unusual, they should trust their instincts and proceed with extreme caution. A few more ideas to help protect your business from all types of phishing attacks:
- Develop a standard policy for handling requests for money or sensitive information. By requiring that two people always weigh in and/or sign off, you're more likely to catch a scam before it’s too late. Even small 1-2 person mom-n-pops should have some sort of standardized policy for dealing with requests.
- Train employees to look carefully at email addresses and sender names and look for discrepancies. They should also know to hover over links (without clicking on them) to reveal the full URL.
- Test your employees with mock phishing emails to keep them sharp. Regular tests can help ensure proper rules and/or policies are being followed.
- Ensure that you are using a proper business-grade email setup with spam filtering, and that sender authentication (SPF, DKIM and DMARC) is configured for your own domain so that messages forged in your domain's name are rejected rather than delivered. This won't replace the points above: filtering does little against a lookalike domain the attacker legitimately owns, and nothing against a well-researched message with no malicious payload. It will, however, stop many of the "run of the mill" low-effort phishing attempts, which, while typically less successful, can be just as harmful to your company.
Security awareness is a crucial part of doing business today, whether you're a 2-person mom-n-pop or a 2000-employee Fortune 500 company. All companies are vulnerable to grifters and scam artists, and many of them have become far more tech-savvy over the years. As a result, it's important to keep up with the ever-newer and more complex methods attackers use to target their victims.
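The sender and link checks described above (a lookalike sender domain, a display name that does not match the address, a Reply-To pointing elsewhere, and link text that differs from the real destination you would see on hover) can be automated for review. The script below is an added example, not code from the original article; the two messages are constructed samples, and "example.com" is assumed to stand for the company's own domain.

```python
"""Flag the sender and link discrepancies that whaling emails rely on.

Added example, not code from the original article. The two messages below are
constructed samples, and "example.com" is assumed to be the company's own domain.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"  # assumption: the domain the company really uses

# Visual substitutions attackers use in lookalike domains (examp1e.com, rnattel.com).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
DOMAIN_RE = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def normalize(domain):
    """Undo common character swaps so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a, b):
    """Levenshtein distance; a domain one or two edits from the real one is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what hovering over a link would reveal."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw):
    """Return findings as 'CODE: detail' strings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    dom = domain_of(addr)
    if dom != COMPANY_DOMAIN:
        dist = edit_distance(normalize(dom), normalize(COMPANY_DOMAIN))
        if dist == 0:
            findings.append(f"LOOKALIKE_SENDER: {dom} is a character swap of {COMPANY_DOMAIN}")
        elif dist <= 2:
            findings.append(f"LOOKALIKE_SENDER: {dom} is {dist} edit(s) from {COMPANY_DOMAIN}")
        else:
            findings.append(f"EXTERNAL_SENDER: {dom}")
    # A display name that embeds a different address is a classic trick.
    embedded = re.search(r"@([A-Za-z0-9.-]+)", name)
    if embedded and embedded.group(1).lower() != dom:
        findings.append(f"NAME_ADDRESS_MISMATCH: display name shows {name}, header address is {addr}")
    # Replies silently diverted to a domain the apparent sender does not control.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != dom:
        findings.append(f"REPLY_TO_MISMATCH: replies go to {domain_of(reply)}, not {dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = DOMAIN_RE.search(text)
            actual = (urlparse(href).hostname or "").lower()
            if shown and shown.group(1).lower() != actual:
                findings.append(f"LINK_MISMATCH: text shows {shown.group(1)} but href goes to {actual}")
    return findings


# Constructed sample: CEO impersonation with a lookalike domain, diverted replies and a disguised link.
SUSPECT = """\
From: "Pat Smith, CEO" <pat.smith@examp1e.com>
Reply-To: pat.smith@mail-example-co.net
To: finance@example.com
Subject: Urgent wire before end of day
Content-Type: text/html; charset="utf-8"

<p>Please process the wire today. Confirm on the portal:
<a href="http://portal.example-login.net/wire">https://portal.example.com/wire</a></p>
"""

# Constructed sample: a legitimate internal message that should produce no findings.
LEGIT = """\
From: "Pat Smith" <pat.smith@example.com>
To: finance@example.com
Subject: Q3 budget review
Content-Type: text/html; charset="utf-8"

<p>Slides are on <a href="https://portal.example.com/q3">https://portal.example.com/q3</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("SUSPECT", SUSPECT), ("LEGIT", LEGIT)):
        print(label, check_message(raw) or ["no findings"])
```

The confusable table and the edit-distance threshold are deliberately small; a real deployment would compare against every domain the company and its major vendors use, not just one, and would treat a single finding as reason to pick up the phone rather than as proof of fraud.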