We’ve covered phishing before on the blog, but have you heard about whaling?
Put away your lifejackets: we’re talking about a specific type of targeted digital attack; no seafaring vessels in sight. (If you’ve ended up here expecting a blog post about whale-spotting or whale-hunting, you’re going to be disappointed!)
This week, we’re covering whaling attacks. This type of digital attack can feel even more personal than some others—and it can be just as dangerous.
Here’s what you need to know about this unique attack vector.
A whaling attack is one where someone (typically outside the company) imitates a high-ranking company official, usually in an attempt to steal money from the company by tricking an employee into paying a fake bill. Whaling attacks can also be engineered to steal data or credentials.
We recognize that this definition is a little murky, so here’s an example.
Set aside your actual role at your company for a minute. Instead, imagine you’re a brand-new employee at your company. You’re nervous about succeeding and you’re eager to please. You’re getting started, maybe a few weeks in, when you get an email from the CEO or another top business leader. That’s got to be a good thing, right?
You open the email, and all of a sudden it doesn’t seem so good. Instead, it seems urgent. There’s some sort of problem, and the CEO is asking you to step in right this second to fix it. All you have to do is pay an urgent bill or fix some crucial account details (ones that inevitably have a connection to a payment source).
Hopefully you can see where we’re going with this: the email isn’t really from the CEO, and the supplier you’re being asked to pay is a fake. If you take the bait, you’re sending money straight to a scammer. You just got caught in a whaling attack.
Of course, if you’re reading this, you’re much more likely to be the high-ranking official than a brand-new employee. You probably won’t be the target of a whaling attack — but you may be the bait. It could be your name that gets “borrowed” for the “from” field on the attack.
Whalers are looking for people who are a little too quick to dispense a little too much money. The term whaling itself comes from the gaming and gambling worlds, where it’s a mildly pejorative term for a big spender.
So, who are the potential whales at your company? Anyone with access to money or payment methods could be one. If they have good enough information about your company, whalers often target mid-level and high-level individuals who are most likely to have autonomous authority to spend (er, give away to the bad guys) large sums of money.
The top strategy for combating whaling is the same as for combating phishing: train your people. Specifically, train them to always stop and think anytime they’re asked to provide credentials, payment, or other sensitive information.
Scammers design these tricks to create false urgency. Often, simply slowing down and thinking is enough to show your potential whales that there’s a problem.
Also, most CEOs don’t make these sorts of requests via email in the first place. Proactively explaining this to employees can help to raise suspicions if this kind of message shows up.
Next, train them to confirm directly, via a different means of contact. If the “CEO” emailed a request that seems off, employees should be trained to confirm the request via a phone call or Teams message to the CEO’s admin assistant. (Hackers will rarely be able to control multiple methods of contact.)
Last, your business should implement a business-grade email filter. These do more than just block spam. They analyze email for suspicious patterns, including deceptive sender information, and can block many phishing and whaling schemes from ever reaching inboxes.
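To make the “deceptive sender information” idea concrete, here is an added example (not code from the original post or from any filter product) of the kind of header heuristics such a filter applies: an executive’s display name on a non-company mailbox, a Reply-To that points somewhere else, a lookalike domain, and urgency wording. The company domain, the executive roster and the two sample messages are all constructed assumptions.

```python
# Added example: heuristics for spotting executive-impersonation (whaling) email.
# COMPANY_DOMAIN, EXECUTIVES and the sample messages are hypothetical/constructed.
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # hypothetical company domain
EXECUTIVES = {"pat lee": "pat.lee@example.com"}      # hypothetical exec roster
URGENCY_WORDS = ("urgent", "invoice", "wire", "payment")

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def whaling_indicators(raw_message: str) -> list[str]:
    """Return human-readable reasons a message looks like a whaling attempt."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_dom, reasons = _domain(addr), []
    # 1. An executive's display name on a mailbox that is not theirs
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' but sender mailbox is {addr}")
    # 2. Replies silently routed to a different domain than the visible sender
    if reply_to and _domain(reply_to) != sender_dom:
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from {sender_dom}")
    # 3. Sender domain that merely resembles the company domain (e.g. 1 for l)
    if sender_dom and sender_dom != COMPANY_DOMAIN:
        if SequenceMatcher(None, sender_dom, COMPANY_DOMAIN).ratio() >= 0.8:
            reasons.append(f"lookalike domain {sender_dom} vs {COMPANY_DOMAIN}")
    # 4. The false-urgency / payment language the post describes
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    if any(word in text for word in URGENCY_WORDS):
        reasons.append("urgent payment language in subject or body")
    return reasons

# Constructed sample messages (not real traffic)
SAMPLE_SPOOF = """From: Pat Lee <pat.lee@examp1e.com>
Reply-To: Pat Lee <pat.lee.ceo@freemail.invalid>
Subject: URGENT: supplier invoice due today

Please pay the attached invoice before noon and confirm by reply.
"""
SAMPLE_LEGIT = """From: Pat Lee <pat.lee@example.com>
Subject: Q3 planning

See you at 3.
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, whaling_indicators(sample))
```

A real filter layers checks like these on top of SPF/DKIM/DMARC results and sender reputation; the point here is only to show why a message “from the CEO” can be flagged before a human ever reads it.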
For more on protecting your business from these schemes or for help implementing the right email filter, reach out today. Our team is ready to help!