Since 2013, US companies have unwittingly transferred more than $12 billion to criminals behind whaling attacks. You might think you’d never fall for a suspicious-looking email. Still, whaling attacks meticulously mimic your CEO or CFO and get away with stealing your company’s most precious files and information.
Contents:
So how does a whaling attack work? And what can you do right now to avoid it? In this post, we will teach you just that.
What is a whaling attack?
A whaling attack, also known as CEO fraud, targets the big fish of a company. In this type of attack, a cybercriminal will masquerade as a senior member at a company to steal finances and sensitive information or access computer systems.
Whaling is similar to phishing — and can be referred to as whale phishing — in that it uses email and website spoofing to trick employees or customers into revealing sensitive information or transferring money. But unlike phishing, whaling attacks make the message appear as though it was from a CEO or someone equally senior. That way, cybercriminals rely on a person’s obedience to authority to execute their sticky-fingered plan.
Differences between phishing, whaling phishing and spear phishing
Phishing, spear phishing, and whaling, while all sound like types of fishing activities, are three distinct types of cyber attacks that rely on deceptive communication to extract information from an unsuspecting individual. The difference between the three types of attacks lies in their targeting precision and victim profile.
Phishing is the most generic attack type where unwelcome emails are sent to vast numbers of people. In most cases, such emails pretend to be from a well-known organization with hopes to mislead an unsuspecting individual into providing sensitive data such as login credentials and credit card numbers.
Spear Phishing differs from traditional phishing in that this type of attack is considered to be tailored for an individual or an organization. Unlike phishing, which casts a wide net, spear phishing focuses on any personal information about the victim, often gained from social media. This makes the emailsmore likely to be followed through by the recipient.
Whaling is a very specialized form of spear phishing, where the high-profile targets are more like executives or other important figures in an organization. The reason why the term "whaling" was adopted is because these attacks target important figures in an organization, the so-called ‘whales.’ These attacks are often highly tailored. Some of them might reuse internal communications or come from an address that is very similar to one within the company. These are often designed to extract large sums of money or collect sensitive and confidential data.
Whaling attack examples
Now that you know the basics, let’s put a whaling attack into context with some examples.
The urgent wire transfer
In a stress-inducing attempt at getting their hands on some free money, the attacker sends an ‘urgent’ email. It typically reads like a personal message from the boss, establishing trust before asking for an urgent wire transfer. The transfer has to be made to a designated account by a designated day.
You’re probably thinking, “Why would I do that without approaching my boss and confirming it first?” Well, imagine a 10,000+ global organization. With deputy managers, senior managers, and operations and finance managers in each department constantly dealing with payments of all kinds, a request to transfer money might be nothing out of the ordinary.
A request to send files
Imagine you start your workday with 45 unread emails. You rapidly sift through them, tending to anything urgent so you can get on with your day. Your boss needs you to send them a document which contains payment records and includes the company’s credit card details. You send it over without giving it a second thought, especially since your ‘manager’ needs your help. And just like that, with minimal effort on the criminal’s part, you’ve been conned in a whaling attack.
Whaling attacks: A billion-dollar disaster for CEOs
High-flying CEOs of mega-companies are easy to impersonate – their voice, tone, and location are often sprawled online for the world to see and for criminals to copy and exploit. Whaling phishing attacks casually kick down firewalls and side-step even the most complex IT defenses with such ease that they can make a person feel entirely incompetent, which is why they often go unreported. Between 60-70% of CFOs in the US have fallen for a whaling attack that caused losses in their billions. But because admitting to “falling for it” might be too embarrassing, any chance at remediation is smothered.
Thousands of companies have grown accustomed to writing off billions each year in ‘avoidable losses’. But avoiding a whaling attack is just as simple as the attack itself.
How to avoid a whaling attack?
Whaling cyber attacks use social engineering to trick victims into handing over funds. But don’t be intimidated by a term that simply means ‘to prey on human nature’. From this new angle, the cures for whaling attacks become low-cost and highly effective:
Team awareness
To properly fight off whaling attacks, basic employee security awareness training sessions should evolve beyond the basics. You might want to implement advanced simulations reflecting real-world scenarios, which improve employees’ ability to recognize and respond to whaling attacks. Advanced training sessions should emphasize the psychological tactics used for whaling attacks such as impersonation and manipulation. Furthermore, you should consider carrying out cross-department workshops, because they can help ensure that all levels of staff, from entry-level to executives, are on the same page when it comes to overall vigilance. By promoting continuous learning and encouraging employees to stay updated on the latest whaling techniques, you can build a team capable of fending off whaling attacks.
2. Implement dual authorization on wire transfers
We talked about getting a second opinion when anyone demands a payment. Having two people sign off any outbound wire transfers always helps to prevent a looming whaling attack.
3. Senior staff should have private social media accounts
Whaling attacks target the big fish of a company. If a senior member posts about a barbeque he had at the weekend, the attacker could use this information to persuade the victim he’s the real deal.
4. Cybersecurity guidelines and policies
Cybersecurity guidelines and policies. Establishing a secure organizational perimeter requires a multifaceted approach. When it comes to whaling attacks, implementing a comprehensive strategy covering all communication aspects is critical. The approach should include real-time analysis of email content to automate the detection of potential social engineering phishing attempts. On top of that, you should also consider employing advanced security tools such as firewalls, encryption, and intrusion detection systems.
5. Encrypt your sensitive information
Besides promoting all the obvious things like good email hygiene and cross-checking suspicious demands and claims, a second precaution never hurts anybody. Protect and secure your company's sensitive information with NordPass. NordPass uses XChaCha20 encryption XChaCha20 encryption to store your company’s credit card details and system passwords, locking them inside a cloud-based vault, secured with biometric locks. Should a staff member fall for a message in a whaling attack, your company’s most compromising information will stay secured with a master password only authorized members can access.
Smaller companies can suffer huge losses from whaling attacks since they don’t have the luxury of writing off losses like large corporations. Starting with a good business password manager will keep your sensitive files safe from casual access and help deter any irreversible damage caused by whaling attacks.