As the name suggests, a whaling attack targets a "big whale". Put simply, it is a dedicated form of spear phishing in which the perpetrator poses as an executive or owner to lure users into revealing sensitive information.
Shockingly, the FBI has reported that companies lost almost $215 million to phishing attacks in the year 2014 alone. Moreover, the Verizon DBIR reported at least 61 phishing attacks targeting finance departments in 2016, and a significant jump to 170 within one year, in 2017.
Thus, in this article we explore what whaling attacks are and what prevention measures one can take for information security.
What is a Whaling Attack?
Whaling attacks are quintessentially spear phishing attacks gone bigger. Unlike ordinary spear phishing, a whaling attack involves attackers specifically impersonating senior management executives such as the CEO, COO, CFO, Senior VPs, etc.
Unsurprisingly, active social media profiles are often the ones paving the way for the whale. Cyber criminals usually take their time to research both the individual and the organisation to gather background information.
Relying on ordinary employee psychology, whaling attempts hope to succeed by leveraging authority to lure users into sharing sensitive information, like employee details and financial data, which they otherwise would not.
In a whaling attack, the key is to sound as much like the real executive as possible. Thus, perpetrators often use the executive's social media handles and the company's openly available information to gather background and look for patterns. For instance, if an attacker sends an email as the CEO, he will attempt to send it at an opportune time and will compose it in the CEO's tone.
The Human Resources and finance departments are usually the most popular targets, as they have access to far more sensitive details such as current financial holdings, payroll data and personal details.
Prevention measures to avoid Whaling Attacks
- Proactively inform and educate employees about various cyber crimes and phishing attacks.
- Flag all emails received from outside the organisation to alert potential targets.
- Always check the entire email address, not just the display name. Re-verify with the individual concerned in case of a suspicious profile.
- Have a multi-step verification process before giving out any sensitive details.
- Strategise social media use not only for promotion but also for digital security. Encourage privacy restrictions where required, particularly among senior management.
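The second and third measures above can be partly automated at the mail gateway or in a mailbox rule. The following is an added example, not code from the original article: it parses a message's headers and flags external senders, a real executive's display name sitting on an address that is not the executive's, and a Reply-To that diverts replies elsewhere. The organisation domain, the executive roster and the sample message are all constructed for illustration.

```python
# Added example: flagging likely whaling emails from their headers.
# Assumptions (not from the article): the organisation's domain is
# "example.com" and the executive roster below is the real one.
from email.parser import Parser
from email.utils import parseaddr

ORG_DOMAIN = "example.com"
# Display names of senior management that attackers are most likely to borrow,
# mapped to the only address each of them legitimately sends from.
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
    "Raj Patel": "raj.patel@example.com",
}


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if absent)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_headers(raw_headers: str) -> list[str]:
    """Return warning tags for a message's headers (empty list = no concern)."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = _domain(from_addr)
    warnings = []

    # 1. "Flag all emails received from outside the organisation".
    if from_domain != ORG_DOMAIN:
        warnings.append("EXTERNAL_SENDER")

    # 2. "Check the entire email address": a known executive's display name on
    #    any address other than theirs is the classic whaling pattern.
    expected = EXECUTIVES.get(display_name.strip())
    if expected and from_addr != expected:
        warnings.append("EXECUTIVE_NAME_MISMATCH")

    # 3. A Reply-To outside the sender's domain quietly redirects the thread.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        warnings.append("REPLY_TO_DIVERGES")
    return warnings


# Constructed sample: a "CEO" message from a lookalike domain (examp1e, not example).
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-relay.net
To: payroll@example.com
Subject: Need the payroll file before the board call

"""

if __name__ == "__main__":
    print(assess_headers(SAMPLE))
```

A message that trips EXECUTIVE_NAME_MISMATCH should be held for the multi-step verification described above rather than merely tagged.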
Important terms related to whaling attacks that you should know:
Social Engineering attack – Social engineering attacks refer to the range of malicious activities achieved essentially through human interaction. These usually involve the perpetrator researching beforehand to gather background information and find loopholes before attempting the attack.
Phishing attack – Phishing is a category of cybercrime in which the perpetrator poses as a legitimate institution or related individual to deceive targets and prompt them into revealing sensitive information.
Spear Phishing attack – Spear phishing attacks are spam attacks which employ various electronic communication channels, such as email, to target specific individuals or entities.