Whaling attacks have seen a staggering 131% increase between 2020 and 2021, making them a pressing concern for businesses worldwide. These highly sophisticated phishing attacks are hard to detect because, in most cases, they carry no malicious URLs or weaponized attachments. Victims of whaling attacks often suffer significant financial losses and reputational damage.
Understanding Whaling Attacks
Whaling, also known as CEO fraud, employs methods such as email and website spoofing to deceive high-level targets like CEOs into performing specific actions, such as revealing sensitive data or transferring money. These attacks often appear to originate from someone senior or influential within the organization being targeted.
Whaling attacks are usually highly sophisticated, with malicious actors often exploiting established trust structures to fool their targets. Whaling emails are often personalized, including details such as the target’s name, job title, or other relevant information that the criminals have collected from various sources.
Types of Whaling Attacks
- Email + Follow-up Phone Call: Cybercriminals often follow up a whaling email with a phone call confirming the email request. This social engineering tactic both corroborates the email request and makes the victim complacent as they have also had a ‘real world’ interaction.
- Impersonating a Trusted Partner: In the most recent and sophisticated whaling attacks, the criminals have gathered information about the target organization's suppliers or partners, which is easier when the organization publicly advertises its partners, such as charities, law firms, think tanks, or academic institutions.
- Impersonating Colleagues: Criminals will either compromise or spoof a colleague’s email address to trick other employees into believing the attack is a legitimate request. Often, this comes from a “senior” and is targeting a junior within the organization.
- Whaling via Social Media: Social media provides cybercriminals with a means to research and contact senior executives. Victims are also usually less vigilant in social situations. Scammers may try to befriend the target or pretend to be a potential business partner, love interest, peer, or an authority figure.
- Baiting: Criminals may leave an infected USB drive at the target’s office, or gym locker, or even mail it to their home with the hopes that they will try to use it.
Spotting a Whaling Attack
Whaling attacks often convey a sense of urgency that pushes the target to act quickly. They use spoofed email addresses and display names, and the sender's email address may not match the domain of the company the email claims to be from. Often, the scammer substitutes lookalike letters, for example replacing an "m" with an "rn". They also commonly request money transfers or personal information.
Notable Whaling Attacks
Whaling attacks have caused significant losses to businesses over the years. For instance, a Hong Kong subsidiary of Ubiquiti Networks Inc. lost $47 million due to a whaling email attack targeted at a finance employee in 2015. In 2016, a criminal posing as the CEO of Snapchat tricked a high-ranking employee into giving the attacker employee payroll information.
Protecting Your Business from Whaling Attacks
To protect your business from whaling attacks, it is crucial to educate employees about whaling tactics and maintain a healthy level of suspicion when it comes to important information or financial transactions. Your IT department can carry out mock whaling exercises to test your staff and keep them vigilant.
Use anti-phishing software that provides services such as URL screening and link validation. Change the procedures at your organization so that two people have to sign off on payments. Use email authentication based on the SPF, DKIM, and DMARC protocols, which are published as DNS records, to verify whether a message claiming to come from a specific domain was actually authorized by that domain.
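The indicators listed under "Spotting a Whaling Attack" (sender domain mismatch, lookalike letters, urgency and payment language) and the SPF/DKIM/DMARC results mentioned above can be checked together on an inbound message. The following is an added example written for this article, not code from the original page or any product it mentions; the sample message, the trusted-domain set, and the keyword list are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not from the article): a spoofed "CEO" request
# sent from a lookalike domain where "rn" stands in for "m".
SAMPLE_MESSAGE = """From: "Jane Doe, CEO" <jane.doe@exarnple.com>
To: accounts@example.com
Subject: URGENT wire transfer needed before 5pm
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail

Please process the attached invoice today.
"""

TRUSTED_DOMAINS = {"example.com"}          # assumed: the organization's own domains
URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "wire", "transfer", "gift card")
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def normalize(domain):
    """Collapse common lookalike substitutions so 'exarnple.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in LOOKALIKES:
        d = d.replace(fake, real)
    return d

def assess(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of whaling indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain and domain not in trusted:
        if normalize(domain) in {normalize(t) for t in trusted}:
            findings.append(f"lookalike sender domain: {domain}")
        else:
            findings.append(f"sender domain not trusted: {domain}")
    # SPF/DKIM/DMARC verdicts as recorded by the receiving mail server
    auth = msg.get("Authentication-Results", "").lower()
    for proto in ("spf", "dkim", "dmarc"):
        m = re.search(rf"{proto}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{proto} result: {m.group(1)}")
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_MESSAGE):
        print("-", finding)
```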
Incogni: Your Personal Information Removal Service
Incogni offers a direct solution to the problem of whaling attacks by keeping your data off the market. A 1-year subscription is available at a 50% discount ($5.79/mo). Incogni compiles a list of data brokers likely to hold the customer's information (such as Social Security number, physical address, phone number, or email address).
Such data can be used for marketing, recruitment, financial, and health purposes or even further scams and whaling attempts. This can result in unwanted ads, influence loan eligibility or insurance rates, and increase the risk of attacks.
After the list of potential data brokers is compiled, requests to delete the personal data are sent out. Even after a broker deletes the user's information, removal requests continue to be sent to it regularly, because brokers tend to collect the same person's information again after some time. Users can monitor the process (potential databases found, requests sent, requests completed) on their Incogni dashboard.