Many historic New England towns once featured a profitable commercial whaling industry. Fortunately, that has been banned in most parts of the world, replaced by whale watching trips popular with tourists and locals alike.
The humpbacks might be off the hook, but there is a new kind of “whaling” on the scene. It’s a subset of phishing aimed at a high-level targets such as small business owners and executives. And it’s only building in popularity – whaling attacks increased an estimated by 200% in 2017.
Go Big or Go Home
If an attacker can fool a so-called “whale,” they could get to the top tier of information: financial data, employee information, intellectual property, business plans, and more. Business owners and executives are tempting prey:
- They often have the most access to financial accounts and sensitive business data.
- They have the authority to make things happen quickly inside the business, typically a key appeal for cybercriminals.
- They usually have high level business system and network access.
A successful attack can have a huge payoff. In 2016, the CEO of an Austrian aircraft manufacturer lost the company €50 million falling victim to a whaling attack. The company struggled to recover, and the CEO, the CFO, and several other employees were subsequently terminated. Had the same attack been targeted at a lower-level employee, they wouldn’t have had the authority to make such a large transaction.
Attackers Go Into the Deep
Phishing attacks are often carefully crafted to look very real, but whaling attacks start with deep research and are micro-targeted:
- Emails contain highly personalized details, referring to real employees, customers, and projects.
- Requests often play into authority, intimidation, or panic.
- Whalers use real business terms and a professional tone to mimic emails from trusted parties.
- Attacks are sometimes coupled with a fake phone call or other social engineering tactic.
Part of the issue is, it’s getting easier for attackers to find information to craft an attack. Business owners and executives are high profile, they have to be. Personal and professional social media and the company website and blog are full of content for a convincing whaling attack.
Whalers also know that high-level managers are busy and under pressure. Executives frequently field legitimate requests for sensitive information and large payments, so an attack might not be immediately obvious.
Dodging the Harpoon
Educate yourself and any senior management on the warning signs of a phishing attack, and common examples of a whaling attack. Be sure to review emails methodically – we’re all busy, but taking that little bit of extra time could mean the difference. To start, always ask yourself: “Am I expecting this email?” If the answer is “no,” it requires more research, even if the sender appears to be someone in your own organization. If there is any doubt, don’t hesitate to call the sender at their publicly posted number. They can confirm legitimacy and will be happy to see that you take cybersecurity so seriously.
Your Friends @ Defendify