Whaling Attack

What is a Whaling Attack?

A whaling attack is a type of phishing scam – hence the name, which is a play on words. It involves scammers targeting someone high up in an organisation (e.g. a CFO or CEO) in order to get them to unknowingly give up information or credentials, or make a payment, that could compromise the business they represent.

By sending a highly personalised email to the target, the scammer hopes that they will open the email attachments, which will then install and run malware on their computer. This malware could look for passwords, bank details, sensitive company information or other documents that could be valuable.

Whaling attacks succeed in part because of the prevalence of social media and our extreme willingness to share details of our personal lives with the world. For example, a scammer might find out the name of a charity that is close to the heart of their intended target and send them an email that looks like it’s from that charity, asking for donations.

Or, let’s say a business announces on social media that they are shortlisted for a prestigious award. The scammer might write an email pretending to be from the award organisers asking the target to complete an attached form with more information in order to be in with a chance of winning.

Similarly, they may pretend to be a competitor business, past client, governing body, retail business, restaurant, family member or friend – whatever tactic they believe will most convince the target to open an email attachment.

How to protect your business from whaling attacks

Firstly, implement a set of social media guidelines for all senior staff who may be targeted as part of a whaling attack. Ensure their personal social media profiles are locked down so that only their ‘Friends’ can access sensitive information such as email addresses and telephone numbers. Ideally, profiles should be completely private to members of the public so that additional information, such as charities supported, places visited or popular purchases, is also hidden.

You should also make all staff members aware of the potential dangers of giving out personal information to strangers. Even what seems like an innocuous snippet of business information, such as the name of the CEO, the email address of a manager or even the name of the stationery supplier that the business uses, can be helpful to phishers. Train your staff on what information they are and are not allowed to give out, whether face-to-face, over the phone, on social media or over email, and put systems in place to ensure these rules are complied with.

It’s also advisable to make staff aware of whaling attacks and the type of information that can be useful to a phisher. Once they are armed with that knowledge, they can be better prepared should anyone try to ‘phish’ them.

Finally, ensure all staff are aware of the potential dangers of opening file attachments from untrusted sources. Even if the email appears to be from a trusted source, they should remain vigilant and check for suspicious-looking files before opening them, for example .exe or .js files.
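The attachment check described above can also be automated at the mail gateway or in a triage script. The following is an added example, not code from the original article: it parses a raw email, lists its attachments and flags the executable and script types the article mentions (.exe, .js) plus a few other Windows script and installer extensions, and it also goes a step further by catching double extensions such as `form.pdf.exe`, which are used to make an executable look like a document. The sample message imitating the "award form" lure is constructed here for illustration.

```python
"""Flag risky email attachments by file extension (added example, not the article's own code)."""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions that execute code when opened. .exe and .js come from the article;
# the rest are common Windows script/installer types. Assumption: illustrative, not exhaustive.
RISKY_EXTENSIONS = {".exe", ".js", ".jse", ".vbs", ".vbe", ".scr", ".bat",
                    ".cmd", ".hta", ".ps1", ".msi", ".com", ".pif"}


def risky_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) pairs for attachments a reviewer should stop and look at."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if not suffixes:
            findings.append((name, "attachment has no file extension"))
            continue
        if suffixes[-1] in RISKY_EXTENSIONS:
            reason = "executable or script extension"
            # 'entry-form.pdf.exe' hides the real type behind a document-looking one.
            if len(suffixes) > 1:
                reason += " hidden behind a double extension"
            findings.append((name, reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message imitating the award-form lure described in the article."""
    msg = EmailMessage()
    msg["From"] = "awards@example.invalid"   # constructed sender
    msg["To"] = "ceo@example.invalid"        # constructed recipient
    msg["Subject"] = "Shortlisted: please complete the attached form"
    msg.set_content("Congratulations, please fill in the attached entry form.")
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="pdf", filename="entry-form.pdf")
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="entry-form.pdf.exe")
    msg.add_attachment(b"// constructed placeholder", maintype="application",
                       subtype="javascript", filename="details.js")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in risky_attachments(build_sample_message()):
        print(f"FLAG {filename}: {reason}")
```

An extension check is only a first filter: a gateway should also compare the declared content type with the file's actual bytes, since a renamed executable keeps its extension-free name but not its real type.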