Whaling might sound like a silly term, but the reality of it is no laughing matter. A subset of phishing (there is a lot of nautical terminology in this field), whaling is a threat that goes straight for high-profile employees.
Whaling attacks target CEOs and other high-ranking executives, because these people usually have broad access to confidential information. That includes financial or personal details about the workforce and customer data, both of which can be sold on black markets. Attackers may also be after the company's intellectual property for their own gain.
The usual vehicle is a deceptive email that persuades the recipient either to disclose confidential information or to visit a malicious website posing as a legitimate one. Sometimes the email carries a link that, once clicked, installs malware so the attacker can harvest information from the victim's machine.
The term 'whaling' derives from the size of the target rather than of the attack: the whales are the 'big fish' that the attackers go after.
These attacks tend to be much harder to detect than ordinary phishing. That is partly because we have become familiar with phishing, which often shows up as an urgent email purporting to come from 'Netflix' or the tax authority, so we are better at thinking twice or calling customer support when unsure.
Whaling resembles phishing in that it pressures people under the guise of urgency, but a whaling email is much harder to identify because it is tailored to the target. Attackers put real effort into the attack, mining social media for personal details about the target, and the effort pays off given the potential return. Spoofed emails and websites also borrow the company's logos and phone numbers to appear legitimate, which makes them far more convincing.
Don't give in to the bait
Security training for corporate management is a double-edged sword. On the one hand, it is important (and obvious) that management should be aware of the threat. On the other, attackers know that senior staff receive this training, which pushes them to think outside the box and find new ways to manipulate their targets.
To mitigate the threat, first encourage senior management to make their social media profiles as private as possible. That leaves attackers with less personal information, such as hobbies, to build a convincing pretext from.
Second, implement a process under which everyone in the organisation must verify requests, especially urgent ones. If an employee receives an email from the "CEO" asking for money to be transferred immediately, they should know to pick up the phone and confirm it. It does not have to be the phone, but the confirmation must go over a different channel from the one the request arrived on, using contact details you already hold rather than a number or address supplied in the email itself.
Also run phishing awareness workshops followed by simulations. Doing so regularly keeps employees alert. Finally, and perhaps most importantly, put a data loss prevention (DLP) solution in place. It can block or flag unauthorised data transfers and is a necessary last line of defence.
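The verification rule is a human process, but mail filtering can tell staff when it applies. The following is an added example, not code from the original article: a small Python checker that flags a message when its display name matches a listed executive but the address is not that executive's, when the sender domain is a lookalike of the corporate domain, or when Reply-To diverges from From, and notes any urgency language. The executive roster, the domain example.com and the two sample messages are assumptions constructed for the demonstration.

```python
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

# Hypothetical corporate domain and executive roster (assumptions for the demo).
CORP_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",     # CEO
    "john smith": "john.smith@example.com", # CFO
}

# Pressure language typical of CEO-fraud requests.
URGENCY = re.compile(
    r"\b(urgent(ly)?|immediately|asap|right away|before (noon|eod|close)|"
    r"wire|transfer|confidential|do not (call|discuss))\b", re.I)


def normalise_name(name: str) -> str:
    """Lowercase, strip accents and collapse whitespace so 'Jané  DOE' matches 'jane doe'."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.lower().split())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch domains one typo away from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str) -> bool:
    """True for a domain that is not CORP_DOMAIN but is one edit away from it
    (example.co, examplle.com) or matches it after common homoglyph swaps
    (examp1e.com, exarnple.com)."""
    d = domain.lower()
    if d == CORP_DOMAIN:
        return False
    folded = d.replace("rn", "m").replace("0", "o").replace("1", "l").replace("vv", "w")
    return folded == CORP_DOMAIN or edit_distance(d, CORP_DOMAIN) <= 1


def analyse(raw: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation (empty = nothing found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []

    expected = EXECUTIVES.get(normalise_name(display))
    if expected and addr != expected:
        reasons.append(f"display name '{display}' is an executive but address is {addr}")
    if domain and is_lookalike_domain(domain):
        reasons.append(f"sender domain {domain} resembles {CORP_DOMAIN}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    return reasons


def needs_verification(raw: str) -> bool:
    """Urgency on its own is normal business; a sender anomaly is what triggers the call-back."""
    return any(not r.startswith("urgency") for r in analyse(raw))


# Constructed sample messages (not real mail).
SPOOF = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.janedoe@gmail.com
To: accounts@example.com
Subject: Urgent wire transfer - confidential
Content-Type: text/plain

I need you to transfer 48,000 EUR to the vendor below immediately.
Do not discuss this with anyone; I am in meetings all day.
"""

CLEAN = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers
Content-Type: text/plain

Please send me the Q3 summary when you have a moment. Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SPOOF), ("clean", CLEAN)):
        print(label, "-> verify out of band" if needs_verification(sample) else "-> ok")
        for reason in analyse(sample):
            print("   ", reason)
```

The checker deliberately ignores the case where the From address is exactly the executive's own; that is a header-forgery problem for SPF, DKIM and DMARC on the mail gateway. What it catches is the cheaper and more common trick of borrowing the executive's name on a free-mail or lookalike domain, and its output is a prompt to make the out-of-band call, not a verdict.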