Over the weekend, my husband Ricardo and I watched the movie “In the Heart of the Sea,” the historical adventure drama about the whaling ship Essex preyed upon by a giant whale. The story kept us breathless. I never read the book Moby Dick, which made the movie experience more exciting. If you haven’t watched the movie, this blog post isn’t going to ruin it for you!
The movie inspired me to read more about whales, and maybe I will read Moby-Dick one day. Have you read it? Please leave me a comment if you have!
“Ship ahoy! Have ye seen the White Whale?”
I kept thinking about whales, and the term Whaling came to mind. Whaling is a common type of threat in the world of cybersecurity known as Whaling phishing or spear phishing. In this type of attack, Cybercriminals, aka Cybermonsters, prey on a very particular kind of person, so it is highly targeted and sometimes very persistent. Let’s explore more.
What is Whaling? What is whaling phishing?
A whaling attack is a sophisticated and highly targeted phishing email or message aimed at senior executives and leaders masquerading as legitimate communication. Whaling is designed for fraud, to steal money by wire transfer, pursue identity theft, compromise valuable information, or gain access to high-value targets for further cyber-attacks.
Whaling deceives victims into taking an action they believe is requested by someone with authority, someone they may admire and respect. These social engineering attacks play on the emotions of the victims. Imagine the president or a high-ranking person in your organization, school, government, or team sending you a convincing email. Who doesn’t want to be perceived as resourceful and efficient? To be the hero that saves the day for that executive? Because of the emotional payoff, this attack is often more challenging to detect and prevent than standard phishing attacks.
Whaling doesn’t require technical skills or significant hacking abilities. It’s quite simple to craft a CEO (chief executive officer) or CFO (chief financial officer) fraud email and even create an email spoofing a high-ranking employee. It can deliver huge returns to Cybermonsters. As a result, it’s one of the most significant risks facing businesses of all sizes.
Why is the attack named Whaling?
Whales are the largest animals on Earth and live in the ocean, ranging from about 600 pounds to roughly 200 tons. The blue whale is the largest known animal in the world; it can grow to 98 feet (30 meters) in length.
Whales are about size and weight, so using Whaling as the name for this type of cyber attack makes sense because of the magnitude of the consequences if someone believes and acts on a fake executive’s request. Whaling also reflects the power and impact associated with executives. Cybercriminals use the whale-hunting technique to reel in a big catch, targeting decision makers.
How do Whaling Attacks Happen?
Whaling attacks, also known as spear phishing attacks, are a form of business email compromise (BEC) aimed at a high-profile target. It may begin with an email or text between the impersonated company executive and the target. In the beginning, it may look like an innocent message, so the victim, or whale, may have no reason to question the validity of the communication. In addition, the sender address may be faked and the message may look natural enough, using the company logo, so it’s believable. However, the message may include malicious website information or malicious links.
The first step is to infiltrate the victim’s email and build trust, so the attacker may not request anything suspicious in the first fake email. Next, social media profile details, videos, pictures, posts, and comments are used to make the impersonation real. Cybermonsters do in-depth research about the victim and the high-level executives they impersonate.
For example, they may find pictures or social media posts about pets and sports events and craft a friendly message. Once trust has been gained, the messages could change to something like “Hey, I’m on the road, and I forgot my user information. Could you shoot it to me real quick?” or “Listen, I’m in this critical meeting, and my laptop battery is gone, but I’m using my phone. Do you mind sending me over the XYZ report real quick?” Because trust has been built, the victim may believe the messages are legitimate and have no malicious purpose. Therefore, the victim may send over the information requested.
The Milwaukee Bucks basketball team had its financial and tax data compromised after a staff member responded to a spoofed email impersonating team president Peter Feigin and sent over payroll information and personal data about their employees.
Similarly, a Snapchat staff member received an email that appeared to come from the CEO, Evan Spiegel, and sent over current and former employees’ data, including social security numbers.
In 2016, Seagate had a case similar to Snapchat’s, which led to a malpractice lawsuit. Also in 2016, the CEO of Austrian aerospace company FACC was part of a whaling email attack costing the company $58 million.
Mattel Inc was a victim of a whaling case after providing approval for a $3 million offshore payment. Similarly, Ubiquiti Networks Inc disclosed inappropriately transferring $46.7 million to several vendors as a result of the impersonation of an executive.
Owners of small businesses are targets of whaling attacks as well. Attackers may insert themselves into email conversations and seize the opportunity to divert bank transfers or payments. As a result, many small companies and nonprofit organizations are victims.
Consequences of a Whaling Attack
As the examples illustrate, the consequences of whaling attacks can be devastating. When they succeed, they can result in:
- Data Loss: the loss of critical employee or customer data, personal details, sensitive data, intellectual property, or trade secrets can have significant consequences.
- Financial Loss: the loss of sensitive data in a successful whaling attack can lead to terrible financial losses. Additionally, the company must invest in the actions needed to prevent future data breaches.
- Reputation Damage: the implications for your brand and your company’s trustworthiness after a successful whaling phishing attack can be devastating.
How to Recognize a Whaling Attack
“You must be the change you wish to see in the world” – Gandhi.
Recognizing a Whaling attack, or any other cyber threat, starts with our desire to change and incorporate cyber safety best practices we can sustain. Indeed, we can’t avoid everything; nothing is 100% bulletproof. At the same time, so many cyber attacks happen because we don’t pay attention to cybersecurity threats, live on auto-pilot, and just click here and there without thinking much. Unfortunately, I was like that before my identity theft nightmare, living distracted and unaware of most of what was in front of me.
When the Be I AM framework came into my life, everything changed. I now have the most powerful tool that brings me Peace of Mind, whether online or offline.
I invite you, every day and in every way you interact with technology, to activate Be I AM: Be Intentional, Aware, and Mindful.
How to use Be I AM to prevent a Whaling attack
Be Intentional – Set your intention and purpose for how you will interact with technology. For example, when you receive an email or text message, are you the kind of person who takes action without much thinking? Or would you pause and ask yourself a few simple questions before taking action? Who is the person sending the message? Does the information make sense?
Be Aware – Emails and text messages contain clues and red flags about the person writing you. Be aware of them and realize they could be Cybermonsters in disguise. Check out the subject line and the content of the message. Is there a sense of urgency? Why are they writing to you? Be aware of what’s in front of you, online or offline.
Be Mindful – Stay present and implement security practices that will give you more confidence as you navigate your cyber world. For example, are you using multi-factor authentication or a second verification method to protect your login credentials and resources? Are you incorporating security awareness training for yourself and your employees, teaching them about cyber safety practices that are simple to adopt? Are your executives and administrative assistants engaged in constant practices that allow them to stay alert and mindful about spear phishing emails and social engineering techniques tailored just for them?
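The red flags above (who is really sending the message, a mismatched reply address, a sense of urgency, a request for payroll or login data) can also be checked mechanically before a message reaches an executive assistant’s inbox. The script below is an added example, not part of the original post; the company domain, the executive list and both sample messages are constructed for illustration.

```python
"""Heuristic whaling / executive-impersonation checks over raw email messages."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"        # assumption: your organisation's mail domain
EXECUTIVES = {"Jane Doe": "jdoe"}     # assumption: executive display name -> mailbox
URGENCY = re.compile(r"\b(urgent|asap|right away|real quick|immediately)\b", re.I)
SENSITIVE = re.compile(r"\b(wire transfer|payroll|w-2|social security|password|login)\b", re.I)


def _split(addr):
    """Return (mailbox, domain) of an address, both lower-cased."""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def whaling_flags(raw):
    """Return the red-flag labels found in one single-part text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    local, domain = _split(addr)
    flags = []
    # An executive's display name on an address that is not their company mailbox.
    if name in EXECUTIVES and (domain != COMPANY_DOMAIN or local != EXECUTIVES[name]):
        flags.append("executive-display-name-mismatch")
    # A Reply-To that differs from From quietly redirects the conversation.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        flags.append("reply-to-mismatch")
    body = msg.get_payload(decode=True) or b""
    text = msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")
    if URGENCY.search(text):
        flags.append("urgency-language")
    if SENSITIVE.search(text):
        flags.append("sensitive-data-request")
    return flags


# Constructed sample messages: one impersonation attempt, one genuine note.
SUSPICIOUS = """From: Jane Doe <jane.doe@mail-example.net>
Reply-To: ceo.office@mail-example.net
To: payroll@example.com
Subject: Need this real quick

Hey, I'm in a critical meeting on my phone. Can you send me the payroll report with the W-2 data right away?
"""
BENIGN = """From: Jane Doe <jdoe@example.com>
To: staff@example.com
Subject: Friday game

See everyone at the arena on Friday.
"""
```

Run on a mail gateway or as a mailbox rule, any non-empty result is a reason to verify the request by phone with the executive before acting.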
If you want to know more about how to Be I AM, I invite you to watch my TEDx Talk video so that you can incorporate the Be I AM cyber awareness practice and have Peace of Mind Online!