Avoid the Latest Enterprise Security Threat: ‘Whaling’

There’s a new kind of threat to your enterprise, under the phishing and spam umbrella, and that danger is referred to as whaling. Specifically designed attacks target your most valuable team members, the boardroom executives, and infiltrate your enterprise to a scary extent. How can you avoid whaling? Read on for our cyber security threat briefing.

What is Whaling?

No, we don’t mean there is actual whale hunting going on in the tech world–we’re more so talking about the concept. According to Techopedia, “Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles.”

Whaling is one type of phishing attack where a scammer poses as a trusted party to encourage a user to open a malicious website or attachment. In most phishing attacks, an attacker broadcasts an identical email to thousands of recipients and waits for responses to trickle in. A portion of phishing attacks are spear phishing focused on a specific individual; a whaling attack is spear phishing attack that focuses on a high-level manager or executive. Despite the differences, some security experts do not distinguish between spear phishing and whaling. 

Spam Emails from Executives Pose a Greater Threat

Anti-phishing company, PhishMe, found that more than one in five workers responded to spoofed office communications and fake emails about finances and contracts, including fake “File from Scanner” messages. That response rate is likely to be much higher for highly personalized email that appears to come from an executive. The response rate for other types of corporate phishing such as IT-related emails was between 10 and 18 percent.

According to an FBI alert, “The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.”

Adding to the confusion, whaling emails are not likely to be caught by spam filters because they appear to be normal business communication. That’s where the following security tactics come into play.

How Your Organization Can Avoid Whaling

The first step to avoiding a whaling attack is to identify likely targets at your organization, including the CEO, the finance team, those with high levels of financial or system authority and those with access to the enterprise’s most prized proprietary information. Immediately notify the whaling targets that they may receive highly-personalized phishing emails and that the security team is calculating an appropriate response including policies, training and technology.

1. Implement Proper Education and Training

Here are some best practices that can be used for employee education and training on avoiding a whaling attack:

• Be suspicious of any unexpected email, especially if it requests an urgent wire transfer of funds
• Always check the sender’s email address (The domain for a spoofed email may differ by as little as one letter)
• Confirm the legitimacy of important emails by talking to the email sender either in person or by using a known telephone number rather than the number shown in the email
• Never reply to the suspicious email until the legitimacy of the email is confirmed
• Inform employees about how attackers use information posted publicly on social media, both business and personal, and educate them about the available security and privacy controls on each social network
• Encourage employees to never use their work email address for shopping and other personal matters
• Do not enable macros except for internal and known documents
• Employees should forward potential whaling and phishing emails to the IT security team through a monitored email alias, rather than forwarding it to an individual team member (i.e. IT@yourdomain.com)

2. Employ Suggested Technology Solutions

Enterprises can practice phishing simulations run by PhishMe or PhishLabs to test employee susceptibility to scams. PhishMe found about 35 percent of highly-susceptible employees fall for the first phishing simulation; that rate is reduced by half for each subsequent test until the response rate is near zero by the fifth simulation. In addition, you can employ the following technology solutions to protect your enterprise:

• Anti-phishing technology
• Monitoring and intrusion detection technology
• Proper network segmentation and other measures that prevent an attacker from moving across the network once access is achieved
• Two-factor authentication (such as combining a password with a generated number token or fingerprint) for email—at least for executives—to lower the risk of direct scammer access to internal email accounts
• New anti-phishing technology that relies on user reporting of phishing emails in order to protect other users

Whaling may be a frightening new way for attackers to get ahold of precious data, but it is also easily avoided. For more information on how you can protect your organization from phishing scams, malware and other attacks, contact WEI today.