When it comes to fishing, it’s usually the bigger the better. The same is true in the cyberworld: when cybercriminals want to go big, they invest their time and effort into going after the executives at your organization… a technique known as whaling.
To put it simply, whaling (also known as CEO fraud) is spear-phishing against senior executives. You know, the ones who have all the access and influence. The corner office mafia.
Once cybercriminals compromise those whales, they often pivot to a technique known as business email compromise (BEC), where they impersonate the execs and carefully craft personalized emails asking employees to make large transfers or share sensitive data. They leverage the authority and influence of the person being impersonated to convince you there is no need to ask further questions about their request. P.S. Your fear of questioning your boss is exactly what criminals take advantage of.
To make their requests even more believable, cybercriminals use legitimate-looking logos and links in their emails. They also make use of information about their targets that they find on social media. It can be a photo from a wedding you attended last weekend or a post where you mentioned having fun at team-building drinks last evening. Those are enough for a cybercriminal to compose an intro saying “hope the party last weekend was great!”, which makes their email look that much more credible.
How to protect yourself against whaling
Given the highly personalized character of whaling and business email compromise, whaling can be difficult to spot. But it’s not impossible. Here are some things you and your organization can do to spot the biggest phish in the sea...
- Train up. Simply being aware of cyberthreats and knowing how to spot them is the place to start. Want to learn more about phishing, spear-phishing or BEC? Hit us up at firstname.lastname@example.org.
- Look for telltale signs. Watch out for spoofed email addresses and display names, grammatical mistakes in the text and always hover your mouse over addresses or links to reveal what could be hidden there.
- Be careful on social media. Facebook and Twitter are great fun but remember this is also the place where cybercriminals get information about you which they can use later. Keep your profiles private, be careful about what you post there and remember that all info published on the Internet may be seen by those who are keen to steal your property.
- Mark external emails. Marking external emails so that you can clearly see whether they are coming from within or outside of your organization is a great way to spot spoofing attempts. However, if the executive’s account is truly compromised, the email would not be marked as ‘[external]’. Speak to your IT department about how you can distinguish between the two.
- Confirm unusual requests by phone. When you receive an email asking you to do something out of the ordinary, get in the habit of making a phone call to the sender to verify that the request is genuine. A second form of verification could save you from a data breach.
- Think about your processes. Given how clever cybercriminals are, it may be wise to rethink your processes and see whether you could add another level of validation when there is a need to release sensitive information or authorize a large transfer. SOPs can be super NEAT if you make them with cybersecurity in mind.
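To show what the “look for telltale signs” and “mark external emails” tips above look like when a mail gateway or a help-desk script does them automatically, here is an added example (not code from the original post). It assumes a made-up internal domain, a made-up list of executive display names and a constructed sample message; the anchor regex is deliberately simple and is not a full HTML parser.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"            # assumed: your organisation's domain
EXECUTIVES = {"jane doe", "john smith"}    # assumed: display names worth protecting
# Matches <a href="URL">TEXT</a>; enough for a demo, not a full HTML parser
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: str) -> dict:
    """Return the warning signs found plus the subject as it would be delivered."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    warnings = []
    external = domain_of(addr) != INTERNAL_DOMAIN
    # "Look for telltale signs": an executive's display name on an outside address
    if name.strip().lower() in EXECUTIVES and external:
        warnings.append("display name impersonates an executive")
    # replies silently routed to a different domain than the visible sender
    if reply_to and domain_of(reply_to) != domain_of(addr):
        warnings.append("reply-to domain differs from sender")
    # the "hover over links" check: link text shows one place, href points elsewhere
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href, text in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith(("http", "www")) and shown not in href:
            warnings.append(f"link text {shown!r} hides {href!r}")
    # "Mark external emails": tag the subject so recipients see it at a glance
    subject = msg.get("Subject", "")
    if external and not subject.startswith("[external]"):
        subject = "[external] " + subject
    return {"external": external, "warnings": warnings, "subject": subject}


# Constructed sample message (not a real one) showing all three warning signs
SAMPLE = """From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe@mail-relay.net
Subject: Urgent wire before 5pm
Content-Type: text/html

<p>Hope the party last weekend was great! Please pay this invoice today:</p>
<a href="http://203.0.113.5/inv">https://portal.example.com/invoice</a>
"""
```

Calling `analyse(SAMPLE)` flags the impersonated display name, the mismatched Reply-To and the disguised link, and returns the subject prefixed with `[external]`; a genuine internal message returns no warnings.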
Whaling is big and very profitable for cybercriminals. But don’t get intimidated by the big phish. They aren’t so scary when you know what to look for!