A whaling attack, phishing evolved, is aimed at a single, high-profile business target such as a C-suite executive. This group has access to sensitive employee and/or customer data, banking accounts, and/or securities accounts. Phishers target this group with e-mails and web-pages embedded with malicious code. When an e-mail attachment is opened or a web-page is clicked, the code is activated. The malicious code installs backdoors or remote-access tools or embeds keyloggers, and within hours or days the phisher gains access.
How does the ‘bait’ differ between Plain-Vanilla Phishing and Whaling?
Plain-vanilla phishing attacks are a numbers game and are mass generated; they are casually addressed ‘Dear customer’ or ‘Dear user’ e-mails, web-pages or pop-ups that appeal to a personal aspect of the target’s life. They may include ‘once in a lifetime vacation offers’ that are time-sensitive, or an urgent message that appears to come from your bank, PayPal or Netflix account and threatens ‘account closure’ or ‘compromise.’
In the case of whaling, there are a smaller number of attacks, but the phishers are looking for a bigger score. Whaling campaigns are highly customized to an executive’s specific position and responsibilities within the organization. Moreover, the phishers will specifically target those individuals who have wire transfer authority. Phishers craft e-mails and malicious web-pages that appear to come from a trusted source and demand an immediate response.
The target opens the infected e-mail attachment or clicks into a malicious web-page. Game over. What is even more disturbing, once phishers are armed with access, they will often launch further attacks that cause considerable monetary and reputational damage.
Why is whaling pervasive?
A key reason whaling is so pervasive is that individuals overshare personal and behavioral data on social media applications. Phishers can tap this information, otherwise known as OSINT (open-source intelligence). The well-crafted e-mails and web-pages are designed using the target’s OSINT. The more personal information the target shares publicly, the greater the risk that this information will be used to manipulate them.
The risks are real.
The FBI has commented that whaling, or what they refer to as BEC (Business Email Compromise) attacks, is an ‘emerging global threat.’ Companies from all 50 US states and 79 countries lost approximately $1.2 billion in the previous two years (2013-2015).
- Lock down privacy settings on social media accounts.
- Limit the use of third-party applications.
- Implement two-factor authentication and multiple signatures for the vendor payment process.
- Employ a team, either in-house or external, that can effectively assess the organization’s overall predisposition to phishing/whaling attacks by building a precise picture of what OSINT is available that could be used against the organization.
- Increase awareness through continuous and ongoing training programs with staged, real-world phishing, whaling, and other social engineering attacks.
- Look to C-Suite executives to make data breach preparedness a continuing priority for the entire company.
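To make the ‘multiple signatures’ control concrete, here is an added illustration (not code from the original article) of a dual-control release check for a vendor wire transfer: a payment is released only when it carries approvals from at least two distinct people holding wire authority, the requester can never approve their own request, and a change of beneficiary bank details additionally requires an out-of-band callback. The roster, threshold and request data are constructed sample values.

```python
"""Dual-control check for vendor wire transfers (added illustration, not from the article).

Models the 'multiple signatures' control: no single person, however senior,
can release a wire, and a changed beneficiary account cannot be paid on the
strength of an e-mail alone. All names and thresholds are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed roster of people who hold wire-transfer authority (hypothetical).
WIRE_AUTHORITY = {"cfo", "controller", "treasurer"}
REQUIRED_APPROVALS = 2


@dataclass
class WireRequest:
    requester: str
    vendor: str
    amount: float
    beneficiary_account: str
    approvals: set = field(default_factory=set)
    account_changed: bool = False     # beneficiary details differ from the vendor master file
    callback_verified: bool = False   # confirmed by phone to a number already on file, not one from the e-mail


def release_check(req: WireRequest) -> tuple[bool, list[str]]:
    """Return (ok, reasons). Every failed control is reported so reviewers see all gaps."""
    reasons = []
    # Only distinct approvers who hold wire authority and are not the requester count.
    valid = {a for a in req.approvals if a in WIRE_AUTHORITY and a != req.requester}
    if req.requester in req.approvals:
        reasons.append("requester cannot approve own request")
    if len(valid) < REQUIRED_APPROVALS:
        reasons.append(f"need {REQUIRED_APPROVALS} distinct authorized approvers, have {len(valid)}")
    if req.account_changed and not req.callback_verified:
        reasons.append("beneficiary account changed without out-of-band callback")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed example: an urgent 'new bank details' request signed off by the CFO alone.
    rushed = WireRequest("ap_clerk", "Acme Supplies", 48500.00, "NEW-ACCT-0001",
                         approvals={"cfo"}, account_changed=True)
    print(release_check(rushed))
```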
As information security professionals develop new defenses and warnings, the threat actors will continue to adapt, and we need to be prepared. There is no one-hundred-percent fix for social engineering threats. The key is continuous training and reinforcement, and it should include all employees, not just management and the executive team.
Cybersecurity is a shared responsibility. Stop. Think. Connect.