Whaling: Phishing for the Big C

Ever heard about whaling? What about phishing? If your answer to the first question is “yes” but you’re having second thoughts about your answer to the second, chances are you haven’t experienced what it really means to be deceived by email scammers.

Well, seriously, if you honestly don’t know what phishing means: it is an attempt by cyber criminals to obtain sensitive information for malicious purposes by masquerading as a trusted entity in an electronic communication such as email. But the big buzz in the phishing industry today is whaling, and for C-level business executives that means a total nightmare. So what is whaling, anyway?

Let’s catch it … Oh, wait!

Whaling isn’t literally what you think it is. Whaling is a type of phishing attack, classified as spear phishing because it targets specific individuals, that is directed at senior executives, particularly those of large organisations. They are targeted because of their access to sensitive data, and because they often hold authority over balances in banking and security accounts.

With a successful attack, a scammer can obtain executive-level passwords and other details that let them scour an organisation’s hard drives, networks and even bank accounts. Other whaling campaigns go after confidential military and government information.

The FBI, which calls such schemes Business Email Compromise (BEC), counted more than 7,000 US businesses exploited by whaling campaigns, with some $740 million in losses. The attacks are increasing dramatically: in survey data from security firm Mimecast, about 55 percent of the 442 IT professionals surveyed reported observing large volumes of whaling attacks over the past three months. These respondents came from organisations in the U.S., U.K., South Africa and Australia.

A Special Bait for a Special Catch

While a regular phishing email commonly addresses a personal aspect of the target’s life, for example a time-sensitive vacation offer or a bogus warning from a bank that threatens to charge their account unless they provide their identification and password, whaling takes a more serious, executive-level style. It takes the form of a critical business email personalised to the executive’s distinct position and responsibilities within the organisation, relating to a business-wide concern, and hooks its target with a delicate business matter that requires an immediate response from senior management.

There are two types of whaling emails:

  • A whaling email that appears to be a request or instruction from a department head or CEO asking the victim for sensitive data.
  • A whaling email in the form of a subpoena or other legal papers that requires an immediate response from the victim.

By responding to this fraudulent message, the executive will likely trigger embedded code that gives these criminals access to the networks where they work on or store their most valuable data. Through this, the criminals can remotely control an executive’s computer or log their keystrokes and, within a few days, access personal data and company passwords. This could mean huge losses not only to your business but to the individual as well.

A Whale of a Problem

Because of their direct-to-the-point nature, whaling attacks are difficult to detect. These schemes rely solely on social engineering to trick victims into giving in to their demands and, just like other phishing methods, they leave no trace behind. IT Solutions Australia recommends educating senior management staff as well as finance teams as the only way to mitigate whaling problems, but education alone still isn’t enough. Enforcing a secondary layer of confirmation for any suspicious request would also be a reasonable measure.
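The two lure types listed above (a request that appears to come from the CEO or a department head, and a subpoena or legal-notice lure) and the “secondary layer of confirmation” recommended here can be turned into a simple triage rule. The script below is an added example, not code from the original post or from IT Solutions Australia: it parses a message, checks the display name against a roster of executives, looks for a lookalike sender domain, flags a mismatched Reply-To header and counts lure vocabulary, then decides whether the request must be confirmed out of band (by phone or in person) before anyone acts on it. The organisation domain, executive roster, lure terms and the three sample messages are all constructed for the example.

```python
"""Heuristic triage for whaling-style executive impersonation emails.

Added example, not from the original post. Every domain, name and message
below is constructed; a real deployment would load the executive roster and
organisation domain from a directory service.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed organisation data (assumption: the defender maintains this list).
OUR_DOMAIN = "example.com"
EXECUTIVES = {"alice ceo": "alice@example.com", "bob cfo": "bob@example.com"}

# Vocabulary typical of the two lure types described in the post:
# executive payment/data requests and legal-notice pressure.
LURE_TERMS = {
    "wire", "transfer", "urgent", "immediately", "confidential",
    "subpoena", "legal notice", "court", "payroll", "w-2", "credentials",
}


def within_one_edit(a: str, b: str) -> bool:
    """True when a differs from b by exactly one insertion, deletion,
    substitution or adjacent transposition (e.g. examp1e.com, exampel.com)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        substitution = a[i + 1:] == b[i + 1:]
        transposition = a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:]
        return substitution or transposition
    if len(a) > len(b):
        return a[i + 1:] == b[i:]
    return a[i:] == b[i + 1:]


def body_text(msg: Message) -> str:
    """Return the plain-text body of a parsed message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode(errors="replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return " ".join(parts)
    return msg.get_payload()


def triage(raw: str) -> dict:
    """Score one raw RFC 5322 message and decide whether it needs
    out-of-band confirmation before the request in it is acted on."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    reasons = []

    # 1. Display name is an executive's, but the address is not theirs.
    exec_addr = EXECUTIVES.get(display.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        reasons.append("display name impersonates an executive")
    # 2. Sender domain is one character away from ours.
    if within_one_edit(sender_domain, OUR_DOMAIN):
        reasons.append(f"lookalike sender domain {sender_domain}")
    # 3. Replies are silently redirected to another address.
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("Reply-To differs from From")
    header_signal = bool(reasons)

    # 4. Lure vocabulary in subject or body.
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = sorted(t for t in LURE_TERMS if t in text)
    if hits:
        reasons.append("lure terms: " + ", ".join(hits))

    # Policy: any header inconsistency, or lure vocabulary arriving from
    # outside the organisation, is enough to require a second confirmation.
    external = sender_domain != OUR_DOMAIN
    needs_verification = header_signal or (external and bool(hits))
    return {"from": addr, "reasons": reasons, "needs_verification": needs_verification}


# Constructed samples: a CEO-impersonation wire request, a legal-notice lure
# and a benign internal request from the real CEO address.
SAMPLE_CEO_REQUEST = """From: Alice CEO <alice.ceo@examp1e.com>
To: bob@example.com
Subject: Urgent wire transfer - confidential

Bob, I need you to process a wire transfer immediately. Keep this confidential.
"""

SAMPLE_LEGAL = """From: Clerk of Court <notices@court-filings.example.net>
Reply-To: respond@filings-reply.example.org
To: alice@example.com
Subject: Subpoena - response required within 24 hours

Attached legal notice requires your immediate response. Open the document and confirm.
"""

SAMPLE_BENIGN = """From: Alice CEO <alice@example.com>
To: bob@example.com
Subject: Board deck for Thursday

Bob, can you send me the latest draft of the board deck when you have a moment?
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CEO_REQUEST, SAMPLE_LEGAL, SAMPLE_BENIGN):
        print(triage(sample))
```

The decision is deliberately conservative: a single header inconsistency is enough to route the message into the confirmation step, because the post’s point is that the cost of a phone call to the supposed sender is small next to a fraudulent transfer. A real deployment would also compare the sender against the SPF/DKIM results the mail gateway already records rather than relying on header text alone.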

And if you ever encounter one, don’t hesitate to contact IT Support Australia for assistance. With the right awareness training and security measures, this is one way we can get ahead of these cyber criminals and avoid getting “phished”.
