Whaling is not only a sport the Japanese are famous for, but also a type of cyberattack that uses spear-phishing methods to go after a high-profile target. Also known as CEO fraud, whaling is almost the same as spear-phishing; the difference is that it relies on methods such as email and website spoofing to trick the victim into performing specific actions, such as revealing sensitive data or authorising a wire transfer. With today's technology almost everything happens over online communication, and, as Homer Simpson once said, “The problem with the world today is communication… too much communication.” So on one hand phishing scams target random individuals and spear-phishing targets specific individuals or organizations; on the other hand whaling goes one level further by targeting the chosen victim in such a way that the fraudulent communications appear to have come from someone high-ranking at their organization, such as the CEO or finance manager, the so-called “big fish”. This type of scam requires a lot of preparation and research in order to be executed successfully.
As mentioned above, whaling attacks need more detailed research and careful planning than standard phishing and spear-phishing attacks.
First of all, perpetrators look at social media and public company information to build a profile of the target and a plan of attack. To gather more detail, they usually use malware to infiltrate the targeted network so that they can collect detailed information about the victim. To impersonate a high-value target, the cybercriminals take the time to figure out how to sound like that person, how best to approach their victim, and what kind of information they can get from the victims before the actual attack takes place. When the time comes, the perpetrators send highly detailed emails, for example about an upcoming payment, that redirect the payment to a different bank account while using exactly the same writing style and invoices as the genuine email. In these cases the sender's email address typically looks like it comes from a believable source (the CEO, a business partner, a senior manager, etc.) and may even contain corporate logos, original invoices or links to a fraudulent website that has also been designed to look legitimate. A whaling attack will often use a domain name that looks very much like a trusted domain name, but with subtle and almost imperceptible changes. Because a whale's level of trust and access within their organization tends to be high, it is worth the cybercriminal's time and effort to make the experience as casual and natural as possible. Given the rising levels of cybercrime in recent years, businesses must be aware of these kinds of cyberattacks.
First of all, defending against whaling attacks starts with educating key figures within your organization so that they are routinely on guard about the possibility of being targeted. Encouraging key staff members to maintain a healthy level of suspicion towards unsolicited contact is also a must, especially when it concerns important information or financial transactions. Employees should also be trained to look out for the telltale signs of an attack, such as spoofed (fake) email addresses and names. Simply hovering the cursor over a name in an email reveals its full address; by looking carefully, it is possible to spot whether it exactly matches the company's name and format. Our Email Protector will do the job even if you are having a bad day and don't have the spare time to hover over everything on the screen. Senior staff members and executives should keep in mind that cybercriminals can use every bit of information they post and share on social media sites like Facebook, Twitter and LinkedIn. Details such as birthdays, hobbies, holidays, job titles, promotions and relationships can all be used by cybercriminals to craft more sophisticated attacks. You can reduce the danger posed by spoof emails by requiring your IT department to automatically flag emails that come in from outside your network for review, or simply create a spam filter so that messages from domains which are not verified by Google get swept away right away. But never mind that investor who just got into web design and IT stuff… Or you can just use our Email Protector, the browser extension that will keep all kinds of phishing, spear-phishing and whaling attacks away from you. One more thing to consider is adding another level of validation when sharing sensitive information or wiring a large amount of funds.
For example, a quick phone call may be the best practice when handling critical or sensitive tasks, rather than simply carrying out the transaction electronically.
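As an added illustration (not part of the original article, and unrelated to its Email Protector product), here is a small Python checker that applies the telltale signs listed above to a raw email: it flags external senders, a domain only one or two characters away from the organisation's own, a display name whose address does not match the real sender, and payment or urgency wording. The trusted domain and the sample message are constructed values.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}  # constructed: the organisation's own mail domain
MONEY_WORDS = re.compile(r"\b(wire|transfer|invoice|bank account|urgent)\b", re.I)

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 against a trusted domain means a near-miss lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings for a raw RFC 5322 message (single-part body assumed)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_dom, warnings = domain_of(addr), []
    if sender_dom not in trusted:
        # Mail from outside the organisation is flagged for review; a trusted
        # domain only one or two characters away is the lookalike trick.
        warnings.append("external sender: " + addr)
        for t in trusted:
            if 0 < edit_distance(sender_dom, t) <= 2:
                warnings.append(f"lookalike domain: {sender_dom} resembles {t}")
    # The display name shows a trusted address while the real address, the one
    # hovering over the name would reveal, points somewhere else.
    name_dom = domain_of(name)
    if name_dom and name_dom != sender_dom:
        warnings.append(f"display name claims {name_dom}, real sender is {sender_dom}")
    # Payment redirection or urgency wording in the subject or body.
    text = msg.get("Subject", "") + "\n" + str(msg.get_payload())
    if MONEY_WORDS.search(text):
        warnings.append("payment or urgency language present")
    return warnings

# Constructed sample in the style the article describes; not a real email.
SAMPLE = """From: "jane.doe@example-corp.com" <jane.doe@examp1e-corp.com>
Subject: Urgent supplier payment

Please redirect the supplier payment to the new bank account below.
"""
```

Running `check_message(SAMPLE)` returns four warnings; a plain internal message with no payment wording returns an empty list.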