
What is whaling?

Whaling is a type of fraud in which cybercriminals trick specific people in an organization into sharing private information, with the aim of gaining access to their online accounts and stealing money. The key difference from ordinary phishing is the target: these threat actors go after people in senior roles, such as executives. As in a phishing attack, the attacker sends emails or messages to a specific target in an attempt to earn their trust and trick them into sharing personal information, revealing confidential company information, or carrying out specific actions.

Cybercriminals do extensive research on a company in order to gain the trust of individuals. This can be anything from a recent event posted on social media to a deal the CEO announced that is now public knowledge. All of this makes the email more believable, and the cherry on top is who the threat actor impersonates. Attackers often pose as someone important or high-ranking in the organization, such as the CEO or a manager. This gives the messages a sense of seniority, meaning staff below these positions are more likely to comply with whatever the email asks. This is where the term “whaling” comes in: the threat actor acts as the “big phish” in order to trick specific individuals who hold financial or personal information about the company and its employees. It is a more sophisticated level of social engineering than the average phishing attack, and anyone in an organization should keep an eye out for suspicious emails.

How to avoid whaling attacks

Whaling attacks aren’t uncommon. As cybersecurity company Kaspersky points out, Snapchat was a target when a fake email was sent from the “CEO” asking for employee payroll information. What’s more, toy company Mattel nearly lost $3 million after an attacker impersonated the new CEO and sent an email to a finance executive asking for a money transfer. While whaling tactics often target leading positions, anyone at a company could fall victim if they have the right information or contacts. However, there are still revealing signs that an email is fraudulent, no matter how convincing the message is.

One way to defend against whaling attacks is to check the sender’s name and email address. While these malicious emails can look convincing, often using official company logos and formatting, you can hover the cursor over the sender’s name to reveal the full email address. Compare it with a normal company email address, keeping an eye out for random hyphens ("-"), underscores ("_"), an additional “.co,” or simple spelling mistakes in the company name or user name.

Another way is to check the message itself. If you weren’t expecting to send information to this particular colleague, have never been contacted by them before, or the message asks for personal or financial information for no obvious reason, be cautious before sending anything. Ask another colleague whether the request is legitimate. Also pay attention to how the message is worded: there may be minor spelling errors or a difference from how the sender usually writes their emails. The message may also reference a recent social event that was posted online, or information known from your social media profiles, such as a holiday or social event.

It can be tricky to spot a whaling email, especially when it appears to come from someone with an important title. However, IT departments often have anti-phishing software in place to flag suspicious emails.
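The sender-address checks described above (compare the real address with the company’s domain; watch for inserted hyphens and underscores, an extra “.co”, and small misspellings of the company name) can be automated for a mail gateway or a helpdesk triage script. The following is an added example, not code from the article or from any vendor it mentions. It assumes a placeholder company domain of `example.com` and uses only the Python standard library; the `From:` headers it is run against are constructed samples.

```python
"""Flag From: headers that imitate a company domain (added example, not from the article)."""
import re
from email.utils import parseaddr

# Constructed placeholder for the organisation's real domain (assumption, not from the article).
COMPANY_DOMAIN = "example.com"


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, company_domain: str = COMPANY_DOMAIN) -> list[str]:
    """Return the reasons a From: header looks like a lookalike of the company domain.

    An empty list means the address belongs to the company domain (or a subdomain of it).
    """
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["no parseable address in From: header"]

    domain = address.rpartition("@")[2].lower()
    company_domain = company_domain.lower()
    if domain == company_domain or domain.endswith("." + company_domain):
        return []  # genuine company address, nothing to flag

    reasons: list[str] = []
    company_label = company_domain.split(".")[0]   # "example"
    domain_label = domain.split(".")[0]            # first label of the sender's domain
    # Remove the separators an imitator inserts into the company name ("exam-ple", "ex_ample").
    stripped = re.sub(r"[-_]", "", domain_label)

    if domain.startswith(company_domain + "."):
        # The real domain is buried inside a longer one, e.g. "example.com.co".
        reasons.append(f"extra suffix after the real domain: {domain!r}")
    elif domain_label == company_label:
        # Same company name, different top-level domain, e.g. "example.co".
        reasons.append(f"company name with a different top-level domain: {domain!r}")
    elif stripped == company_label:
        reasons.append(f"separator characters inserted into company name: {domain_label!r}")
    elif levenshtein(domain_label, company_label) <= 2:
        # One or two edits away from the real name, e.g. "exampel" or "examp1e".
        reasons.append(f"company name misspelled: {domain_label!r}")

    if company_label in display_name.lower():
        # The visible name borrows the company identity while the real address is external.
        reasons.append(f"display name {display_name!r} claims company identity but address is {address!r}")

    if not reasons:
        reasons.append(f"sender domain {domain!r} is outside {company_domain!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers, from a clean one to the patterns the article warns about.
    for header in (
        "Jane Doe <jane.doe@example.com>",
        "CEO <ceo@example.com.co>",
        "Jane Doe <jane.doe@exam-ple.com>",
        "Jane Doe <jane.doe@exampel.com>",
        "Example CEO <boss@mail-provider.test>",
    ):
        print(f"{header:45} -> {check_sender(header) or ['ok']}")
```

The checks are ordered from the most specific pattern to the most general, so a header produces one domain-related reason plus, where it applies, a display-name mismatch; a purely external sender that matches none of the lookalike patterns still gets a single informational reason, which is the right outcome for a triage aid rather than a blocking filter.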
If something doesn’t seem right, it’s a good idea to contact your company’s IT department for further insight. Whaling attacks are a nasty scam tactic, but there are other methods cybercriminals use to steal personal or financial information. To keep yourself protected, find out the difference between spyware and stalkerware. 
