Organisations have a hard enough time preventing phishing attacks, but they are now facing a surge in a subcategory of phishing known as ‘whaling’. According to cyber security provider Smarttech 247, the number of whaling attacks tripled in 2017, with companies of all sizes being targeted.
Whaling works in much the same way as phishing, but it is specific to the workplace: criminals either spoof the CEO’s email address (or one that looks like it) or send from the CEO’s own compromised account, directing bogus messages at senior staff. These emails typically take the form of urgent requests for sensitive information or payments.
Cyber criminals put a lot of effort into making whaling emails seem legitimate, as the scam offers the potential for much more lucrative rewards than standard phishing campaigns. The crooks often gather information about the CEO in advance, looking them up on social media or profiling the target organisation’s company information. They might also take care to replicate distinctive characteristics of the CEO’s emails, such as their writing style and the font they use.
This can easily fool the recipient, whose attention may turn immediately to the need to please their boss rather than to questioning the validity of the email. Even if they did suspect that the message was bogus, they might be afraid to query it with their boss, particularly if, as is often the case, the message is marked ‘urgent’.
If employees were more aware of how prevalent whaling is, they might be more inclined to take heed of their initial doubts or become more adept at spotting fraudulent emails.
Preventing whaling attacks
Technology can help detect phishing and whaling emails, but fraudulent messages will inevitably pass through spam filters occasionally. Once that happens, the organisation’s security is in the hands of its employees. It’s therefore essential that everyone in the organisation can spot phishing scams and respond appropriately.
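The sender-side clues described above (an executive’s name on an address outside the company, a lookalike sender domain, a Reply-To that diverts the conversation, and ‘urgent’ pressure language) can be checked automatically before a message reaches the inbox. The script below is an added example written for this article, not code from the original page or from any vendor it names. The company domain (example.com), the executive list, the confusable-character table and the four sample messages are all constructed assumptions.

```python
"""Flag the sender-side clues of an executive-impersonation (whaling) email.

Added example: the domain, executive list and sample messages below are
constructed for illustration, not taken from any real organisation.
"""
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

# Assumptions: the organisation's real mail domain and the executives whose
# names are most likely to be impersonated, mapped to their real addresses.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Substitutions that make a lookalike domain read like the real one.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away)\b", re.I)


def normalise_domain(domain: str) -> str:
    """Lower-case, strip accents and collapse common confusable characters."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = text.encode("ascii", "ignore").decode()
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain imitates COMPANY_DOMAIN without being it."""
    if domain == COMPANY_DOMAIN:
        return False
    norm = normalise_domain(domain)
    return (norm == COMPANY_DOMAIN
            or edit_distance(norm, COMPANY_DOMAIN) <= 1
            or COMPANY_DOMAIN in norm)


def analyse(raw: str) -> list:
    """Return the whaling indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. The display name belongs to an executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name-impersonation")
    # 2. The sender domain is a lookalike of the real one.
    if domain and is_lookalike(domain):
        findings.append("lookalike-domain")
    # 3. Replies are silently diverted to a different address.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to-mismatch")
    # 4. Pressure language in the subject, the social lever whaling relies on.
    if URGENCY.search(str(msg.get("Subject", ""))):
        findings.append("urgency-language")
    return findings


# Constructed sample messages (assumption: not real traffic).
SAMPLES = {
    "freemail": 'From: "Jane Doe" <jane.doe.ceo@gmail.example>\n'
                "To: cfo@example.com\nSubject: URGENT: wire transfer today\n\n"
                "Please handle this now.\n",
    "lookalike": "From: Jane Doe <jane.doe@exarnple.com>\n"
                 "To: cfo@example.com\nSubject: Payment - urgent\n\nSend it.\n",
    "reply_to": "From: Jane Doe <jane.doe@example.com>\n"
                "Reply-To: Jane Doe <jane.doe@outlook.example>\n"
                "To: cfo@example.com\nSubject: Need you to handle something\n\nHi\n",
    "legit": "From: Jane Doe <jane.doe@example.com>\n"
             "To: cfo@example.com\nSubject: Q3 board pack\n\nAttached.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} -> {analyse(raw) or 'no indicators'}")
```

A mail gateway would run the same checks on every inbound message and route hits to quarantine or add a banner; the legitimate board-pack message passes clean, while the three impersonation variants each trip at least one indicator. A message sent from a genuinely compromised executive account shows none of the header clues, which is why the article’s point about staff awareness still stands.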
Whaling might not include the blatant red flags of a mass phishing email, such as a greeting addressed to ‘loyal customer’, but no matter how believable a cyber criminal’s message is, it almost always contains clues that point to its true nature. You can learn how to identify those clues with our Phishing Staff Awareness Course.
This online course explains everything you need to know about phishing, whaling and other forms of attack, covering how they work, how to spot them and how to avoid falling victim.