A whaling attack, also known as a whale phishing attack, is a common cyber-attack that targets high-profile employees, like CEO or CFO, as they’re likely to possess access to more confidential data, intellectual property, and other sensitive information. In many cases, the attacker’s goal is to influence the victim into authorizing high-value wire transfers to the attacker.
Many whale phishing emails are designed to support fraudulent wire transfers. Do you know what exactly is a whaling attack and how can you stay protected? Let us find out.
A whaling attack is a type of phishing attack that targets wealthy, prominent, and high-profile individuals. In this cyber-attack, a highly customized phishing email which includes the target’s name, job title, and other relevant information, is sent to the high-profile targets. This email includes a link that redirects the targets to a phishing page that harvests the corporate or personal information of the target.
Due to their highly targeted nature, whaling attacks are usually very difficult to detect than standard phishing attacks, because the sender’s email address and the links used in the email are designed to look very legitimate.
Phishing attacks can be subdivided into a four (4) different types.
Spear phishing: A targeted attack, where the attacker knows a lot about you and your business or personal life. For example, if you have a pet dog who has been diagnosed with cancer and is due to have surgery in two weeks, an attacker could send you an email saying they’re raising money for your dog’s surgery and ask for your credit card info to donate.
Whaling: An attack on high-level executives or other important people within a company or organization. For example, if someone is spear phishing a CEO at a tech company with the intent of getting access to their accounts and then stealing money from them by transferring funds into their own account while pretending to be the CEO—that would be whaling.
Vishing (Voice Phishing): This is when an attacker calls you on the phone and pretends to be someone else in order to get you to reveal personal information, such as credit card numbers or banking passwords. It’s important to remember that if someone calls you out of the blue asking for this kind of information, they aren’t legit. If you get a call like this, hang up immediately and contact your bank or credit card company to let them know what happened.
Email phishing: Email phishing attacks are a common way for hackers to gain access to private information. These attacks usually involve emails that seem to come from a legitimate source, such as your bank or credit card company. The emails will ask you to click on a link or attachment that will allow the hacker access to your computer, or they may try to trick you into giving up your login information by providing a fake website where they say you can change your password.
In 2016, Snapchat’s payroll department received a whaling email that purported to come from the CEO asking for employee payroll information. In response to the email, the payroll staff disclosed all of the company’s payroll data to a scammer.
In March 2016, an executive at Seagate responded to a whaling email that requested the W-2 forms for all current and former employees. This incident caused a breach of income tax data for almost 10,000 Seagate employees.
Toy giant, Mattel lost over $3 million after a senior finance executive fell victim to a whaling email attack. The email claimed to come from the new CEO and requested a wire transfer.
Neumetric, a cybersecurity services, consulting & product organization, can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security for organizations of all sizes & in multiple industries make it easier for us to quickly execute cost-cutting activities that do not bring value to you, while you continue focusing on the business objectives of the Organization.
Cybersecurity experts at Neumetric recommend to never click on links or attachments in emails that come from anonymous sources. It is always best to verify the legitimacy of the source before responding to an email. Any email that asks for personal or financial information should be avoided.
High-level executives should take extra caution while posting and sharing personal information on social media. Additionally, educating employees on how to identify phishing emails is highly recommended. To keep at bay from whaling attacks, you can implement a good anti-phishing software and can also flag emails that are sent from outside of the corporate network.
So, if you are also in need of cybersecurity, contact us today and get a free assessment.