Most businesses are aware of the different forms of cyber attacks. When it comes to keeping your business protected from an attack, one of the first steps you can take is to educate your employees about online safety. Employee education is a great step in preventing phishing attacks. Yet, did you know that there is a similar attack out there and they are looking right at your senior management?
That’s right, this type of attack is called whaling. As the name suggests, these criminals are after the big fish in your business. The name whaling stems from the size of the target these criminals are after. This includes your CEO, your CFO, and other members of your senior management. The goal of this attack is to pose as a member of senior management or to trick someone in leadership into sharing data through emails and web spoofing.
Are Whaling Attacks Successful?
These attacks are meticulously created and highly personalized to their target. By creating fraudulent emails that appear to be from a trusted source, criminals try and trick their victims into giving up sensitive company information. These attacks are more difficult to detect than a traditional phishing attack due to the superior quality of the attack. The return on these attacks for cyber criminals is incredibly valuable so they spend more time fine-tuning the attack to make the email or website look as legitimate as possible. Typically, these attacks include personal information, job titles, and names of businesses partners all to lend to the “credibility” of the message to trick the recipient. When a whaling attack is successful, the damage done can be extensive.
In 2016, social media giant Snapchat became the victim of a whaling attack. A high-ranking employee responded to an email from a cyber-criminal pretending to be the CEO. The employee provided the cyber-criminal with sensitive payroll information. As a result, Snapchat reported the incident to the FBI, and in an effort to right their wrong, provided their employees who were affected with two years of identity-theft insurance.
Tips for Defending Against a Whaling Attack
- Educate your senior management. It is a well-known fact that one of the biggest risks to your network security is your employees. Management shouldn't be exempt from security education. Quite the contrary, they should lead security initiatives by example. End user education is important on all levels in the workplace.
- Beef up the security on your private profiles. A lot of times cyber-criminals use the information they can find on your social media profiles to add to the authenticity of their attacks. By locking down important information like friends, addresses, and important dates the criminals have a harder time trying to impersonate you.
- Flag external emails. In these attacks, the criminals are trying to impersonate a high-level employee from within your organization. A good step to take to spot a potential attack is to have your IT department flag emails that come from outside of your organization's network.
- Set up a strong verification process. Internally set up a process to verify the identity of the sender and recipient when sending sensitive documents. If possible, before clicking send try and check with the recipient in-person or give them a call to let them know what you are sending over.
- Have your IT Department create a mock whaling attack. Create a learning opportunity out of this type of attack and educate your employees on what to look for and how easy it is to get tricked.
Whaling attacks can be successful due to human error. Cyber criminals are always looking for new and innovative ways get their hands on important business data. One of the best things you do to protect your business is to educate your employees about possible risks and how to be a critical consumer. We’ve always explained how important it is to educate your employees, but this is a great reminder to also include senior management. Like phishing attacks, whaling attacks can be prevented too. All it takes is some great end user education, a stellar IT department backing you up, and being observant!
If you would like to know more about the overall security of your business, contact SumnerOne for a security assessment. We here to help and have professionals ready to take on the task of managing your network!
Originally published February 28, 2018, updated August 14, 2018