The Risks of Whaling: How Top Executives Can Avoid Being “Phish” Food
When you hear the word “whaling,” Herman Melville’s Moby Dick, the most popular work of fiction about the sea’s largest animal, might spring to mind. But this blog doesn’t begin with “Call me Ishmael,” and this story isn’t about a gigantic white whale; instead, it’s a tale of caution for busy executives.
What is a Whaling Phishing Attack?
In this instance, whaling (also known as a whaling phishing attack) is much scarier than the dark, deep waters of the ocean; it could break your brand and, ultimately, your business. A whaling attack is a type of social engineering attack that specifically targets executive-level employees with the purpose of stealing their information or money via wire transfer. The attacker may also try to access the target’s device in the future.
The term whaling refers to the large size of these phishing attacks, and the “whales” (that is, the executives) are typically chosen based on their perceived level of authority (and sometimes, their wealth).
How Does a Whaling Phishing Attack Work?
Like other social engineering attacks, whaling attacks attempt to persuade executives to take an action, such as clicking on a bad link. However, unlike other phishing attacks, they typically involve additional research. Attackers may explore sources of publicly available information such as social media and company profiles, as well as any other information they’ve managed to scrape from lower-level employees, such as executive calendars and travel schedules. Then, attackers may use a wide variety of techniques, including email spoofing, social engineering, and content spoofing, to create emails and other communications that seem credible.
Why is Whaling Successful?
One of the most famous examples of a successful whaling attack? In 2016, a high-ranking employee at Snapchat believed a whaling email and exposed employees’ payroll data. The company reported the incident to the FBI and gave its employees two years of free identity theft insurance.
But while most companies today have mandatory security training programs, they often miss executives, and they don’t always focus on whaling. So what can your organization do to ensure your executives (and your larger company) are safe?
How Can You Avoid Whaling Attacks?
That’s a trick question! You can’t completely avoid any type of phishing attack, but you can reduce the likelihood these attacks will be successful.
Here are some steps you can take to reduce your risk:
- Focus on training for senior management: Ensure all of your executive management team, key staff, and finance teams are continuously educated about what whaling attacks are and how to spot them. Train employees to scan emails carefully, and take time to conduct mock whaling (and other social engineering) attacks on a regular basis. You may even want to hold executive-specific training, since executives have different needs than other employees. Executives should look for the following red flags:
- The nature of the request. If the request is for a wire transfer or the transfer of sensitive data, it’s probably illegitimate.
- The urgency of the request. If there is a time limit with suggested negative consequences, consider the request suspicious.
- Spelling mistakes and typos. If a domain URL is one or two letters off (“Libraesve” instead of “Libraesva,” for example), it’s probably a phishing email.
- Put in “two-factor” approvals: Put company-wide rules in place to ensure no employee (even the CEO) can send funds or extremely sensitive information via email without verifying their request with legal, finance, or a similar department via a different channel (phone, Slack, etc.). Once you have documented this process, train all employees on how these requests should be handled.
- Invest in email security software: Libraesva PhishBrain is the easiest and most efficient phishing simulator for analyzing phishing vulnerability, and Libraesva EmailSecurity provides active defense against phishing, 0-day malware, impersonation, spoofing and email threats to keep all of your employees safe.
- Keep off-site information in mind: Often, attackers pair seemingly friendly actions with publicly available information to reveal sensitive data. Perhaps an executive has a public Facebook profile with information such as their birthday or travel schedule that can be used against them. It’s important to train employees on how to keep this type of non-corporate information safe.
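As an added example (not code from the original post or from Libraesva), here is a small Python check for the third red flag above: a sender domain that is one or two letters off from a domain you trust. The trusted-domain list and the sample From: headers are constructed for the illustration.

```python
import email.utils

# Constructed list of domains the organization trusts (an assumption for this example).
TRUSTED_DOMAINS = {"libraesva.com", "example-corp.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header such as 'CEO <ceo@libraesve.com>'."""
    _, addr = email.utils.parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def lookalike_check(from_header: str, max_distance: int = 2):
    """Return (verdict, trusted_domain_matched).

    'trusted'   - the sender domain is exactly one of ours
    'lookalike' - the sender domain is 1..max_distance edits from a trusted one (red flag)
    'external'  - an unrelated domain; no lookalike evidence from this check
    """
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= max_distance:
            return "lookalike", trusted
    return "external", None


if __name__ == "__main__":
    # Constructed sample From: headers, including the post's Libraesve/Libraesva case.
    samples = [
        "Finance <finance@libraesva.com>",
        "CEO <ceo@libraesve.com>",
        "CEO <ceo@libraesva.co>",
        "Vendor <billing@supplier.example>",
    ]
    for s in samples:
        print(f"{s:40} -> {lookalike_check(s)}")
```

A real deployment would also normalise homoglyphs and check the envelope sender and Reply-To, which this check does not do.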