Most businesses are aware of the common forms of cyber attack. One of the first steps you can take to protect your business is to educate your employees about online safety, and employee education goes a long way toward stopping phishing emails from succeeding. Yet there is a closely related attack aimed squarely at your senior management.
That attack is called whaling, and it belongs to the phishing family. As the name suggests, the criminals are after the big fish in your business: high-profile targets such as your CEO, CFO, and other members of senior management. The goal is either to pose as a member of senior management or to trick someone in leadership into handing over data, using spoofed emails that appear to come from a trusted source.
Why Are Whaling Attacks Successful?
These attacks are meticulously crafted and highly personalized to their target. By building fraudulent emails that appear to come from a trusted source, criminals try to trick their victims into giving up sensitive company information. They are harder to spot than a traditional phishing email because of the quality of the attack: the payoff for the criminal is large, so they invest more time in making the email or website look legitimate. Typically the message weaves in personal details, job titles, and the names of business partners to lend "credibility" and lower the recipient's guard. When a whaling attack succeeds, the damage can be extensive.
In 2016, social media giant Snapchat fell victim to a whaling attack. An employee in the payroll department responded to an email from a criminal posing as the CEO and sent over sensitive payroll information about current and former employees. Snapchat reported the incident to the FBI and, to limit the harm, provided the affected employees with two years of identity-theft insurance and monitoring.
Tips for Defending Against a Whaling Attack
- Educate your senior management. It is well established that your employees are one of the biggest risks to your network security, and management is no exception. Quite the contrary: leaders should set the example by taking part in security initiatives. End user education matters at every level of the workplace.
- Lock down your personal profiles. Criminals often mine social media for the details that make their attacks convincing. By restricting sensitive information such as friends lists, addresses, travel, and important dates, you make it harder for them to impersonate you or to write a message that sounds like it came from someone who knows you.
- Flag external emails. In these attacks the criminals impersonate a high-level employee from inside your organization. A good step is to have your IT department tag every email that arrives from outside your organization's network, for example by prefixing the subject line. The tag should be applied by the mail gateway based on where the message was actually received from, not on the From address alone, since that header is trivially forged; a message whose display name matches an executive but whose address does not is another obvious sign to flag.
- Set up a strong verification process. Establish an internal procedure to verify the identity of both sender and recipient before sensitive documents or payments go out. Confirm the request through a channel other than the email itself: speak to the person face to face, or call them on a number you already know, never one supplied in the message.
- Have your IT department send a mock whaling email. Turn this kind of attack into a learning opportunity: show employees what to look for and how easy it is to be fooled, then review the results with them rather than punishing the people who clicked.
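The "flag external emails" and "verify the sender" tips above can be turned into a gateway check. The following is an added example, not SumnerOne's code or any product's implementation: it assumes a constructed internal domain (example.com) and executive roster, uses only the Python standard library, and goes slightly beyond the tips by also flagging a Reply-To address that differs from the sender, a common trait of this kind of scam. The sample messages are constructed for the example.

```python
"""Tag inbound mail from outside the organization and flag messages that
appear to impersonate a named executive. Added example (not SumnerOne's
code); domain, roster and messages are constructed."""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed for this example: our own mail domain and the executives
# whose names an attacker is most likely to borrow.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # CEO
    "john roe": "john.roe@example.com",   # CFO
}
EXTERNAL_TAG = "[EXTERNAL] "


def _normalize_name(display: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(display.lower().split())


def analyze(raw_message: str, connection_internal: bool) -> dict:
    """Return the flags a gateway would attach to one inbound message.

    raw_message         the message as received (RFC 5322 text)
    connection_internal True if the delivering host is one of ours. A real
                        gateway knows this from the SMTP session; the external
                        tag must never rely on the From header alone.
    """
    msg = Parser(policy=policy.default).parsestr(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    reasons = []

    # 1. External-origin tag: anything not delivered by our own infrastructure.
    external = not connection_internal
    if external and from_domain in INTERNAL_DOMAINS:
        # Claims to be one of us but arrived from outside: a forged From header.
        reasons.append(f"From {from_addr!r} claims an internal domain but the "
                       "message arrived from outside the organization")

    # 2. Display-name impersonation: an executive's name on a foreign address.
    expected = EXECUTIVES.get(_normalize_name(display))
    if expected and from_addr != expected:
        reasons.append(f"display name {display!r} matches an executive but the "
                       f"address is {from_addr!r}, not {expected!r}")

    # 3. Reply-To redirection: replies would go somewhere other than the sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr:
        reasons.append(f"Reply-To {reply_to!r} differs from From {from_addr!r}")

    subject = msg.get("Subject", "")
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = EXTERNAL_TAG + subject

    return {"external": external, "suspicious": bool(reasons),
            "subject": subject, "reasons": reasons}


# Constructed sample messages, not real mail.
WHALING_SAMPLE = """\
From: Jane Doe <jane.doe@example-mail.com>
Reply-To: jane.doe.ceo@gmail.com
To: payroll@example.com
Subject: Urgent: payroll records needed today

Please send me the payroll information for all staff before noon.
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Board deck

Attached as discussed.
"""

if __name__ == "__main__":
    for label, raw, internal in (("whaling", WHALING_SAMPLE, False),
                                 ("legitimate", LEGIT_SAMPLE, True),
                                 ("spoofed internal", LEGIT_SAMPLE, False)):
        result = analyze(raw, connection_internal=internal)
        print(label, "->", result["subject"], result["reasons"])
```

The third case in the usage block matters most: the same message that is legitimate when delivered by an internal host becomes suspicious when it arrives from outside, which is exactly the situation a From-header-only check misses. In practice the gateway applies the tag and the human verification step in the next tip still happens before anything sensitive is sent.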
Whaling emails succeed because a person is deceived, not because a system is breached. Cyber criminals are always looking for new ways to get their hands on important business data. One of the best things you can do to protect your business is to teach your employees about the risks and how to read a message critically. We have always stressed how important security awareness training is for employees, and this is a good reminder to include senior management as well. Like phishing attacks, whaling attacks can be prevented. All it takes is solid end user education, a capable IT department backing you up, and a habit of looking twice.
If you would like to know more about the overall security of your business, contact SumnerOne for a security assessment. We are here to help and have professionals ready to take on the task of managing your network.
Originally published February 28, 2018, updated October 26, 2018