Whaling, also known as whale phishing, is one of the most insidious practices in the attacker's arsenal, and it is costing victim organizations billions. It is a targeted form of spear phishing: unlike the wide net cast by ordinary phishing scams, whaling goes after specific organizations, individuals, or small groups such as the C-suite, a corporation's most senior executives. Whaling ("going after the big fish") is a social engineering scam designed to trick a CEO or other senior figure, or someone acting on what looks like that person's instructions, into opening a malicious attachment, clicking a malicious URL, or approving a payment. What can your organization do to protect itself from whaling?
- Be Wary of Fake Emails – With more than 112 billion business emails sent every day, a fake or "spoofed" email has a good chance of slipping past most users. Attackers are skilled at making a spear phishing email look legitimate: they embed the real logo of, say, a bank, and often address the recipient by real name rather than as "Customer". According to Verizon's Data Breach Investigations Report, the main perpetrators of phishing attacks are organized crime syndicates (89%) and state-affiliated actors (9%), groups that can "put some thought into the ruse they use." Treat any email with a call to action, whether downloading a document, clicking a link, or sending funds, as a prompt to slow down and verify through a separate channel rather than as an instruction to act.
- Secure Your LinkedIn Account – LinkedIn is especially useful to attackers because it lays out who the CEO is, who reports to them, and who handles finance, which is exactly the reconnaissance a whaling campaign needs. One common scam (often called CEO fraud or business email compromise) fakes an email from the CEO to one of his or her employees, directing the employee to release funds immediately by following the instructions in the email. Rather than question the authority of the "big boss", the employee too often complies at once. Securing your LinkedIn account, and reviewing how much of your organization's structure is publicly visible, is a necessary step in keeping your organization secure.
- Hover Your Cursor to Cover Yourself – Hover your cursor over any link in any email, suspicious or not, to see where it really goes. In a sophisticated whaling scam the displayed URL may even contain the name of the bank or other organization, but the real destination is the domain at the end of the hostname, not a familiar name tucked into a subdomain or path, so don't be fooled. If you are unsure, call the bank on a number you already have (not one taken from the email) and report the message to your IT department.
- Secure Your Mobile Devices – In the era of BYOD (Bring Your Own Device), it is imperative to have a compliance program in place that governs how employees use mobile devices to read email and reach company systems; a phishing link is just as dangerous tapped on a phone, where the real URL is harder to inspect. With an ever-increasing array of smartphones, tablets, and other mobile devices accessing your company network daily, put a mobile device best-practice plan in place.
- Sandboxing – Make sure your cyber security strategy includes a sandboxing component that opens suspicious attachments and links in isolation before they reach the user. If a user clicks an infected link or document and sandboxing is deployed on your network, the file or website is scrutinized first in the sandbox, which can stop the attack in its tracks. Be careful here, however: malware authors know about sandboxes and write code that stays dormant or behaves innocuously when it detects one (for example by checking for virtualization artifacts or waiting for real user interaction), so a clean sandbox verdict is not proof that a file is safe. Keep your protection current, such as next-generation firewalls with more sophisticated sandboxing methods, and layer it with the user-side checks above.
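The "be wary of fake emails", "CEO fraud" and "hover your cursor" points above can be turned into automated checks. The following is an added example, not code from the original article or from any vendor it mentions: it takes a raw message, flags a familiar executive name paired with an outside address, a Reply-To that diverts replies to another domain, and a link whose visible text names one host while the href points at another (the hover check done by software). The company domain, the executive roster and the sample message are all constructed for illustration.

```python
# Added example (not from the original article): heuristic checks a mail gateway
# or a cautious user could run over a suspicious message before acting on it.
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-corp.com"                       # assumption: the real mail domain
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}    # assumption: protected senders

# Only treat anchor text as a URL if it actually looks like one ("click here" is not).
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-zA-Z]{2,}(?:[/?#]\S*)?$")

# Constructed sample: display-name spoof, diverted Reply-To, and a lookalike link
# whose hostname ends in an attacker-controlled domain, not the company's.
SAMPLE = b"""\
From: Jane Doe <jane.doe@example-corp-mail.com>
Reply-To: Jane Doe <jd.ceo@freemail.example>
To: accounts.payable@example-corp.com
Subject: Urgent wire transfer
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Please confirm the payment at
<a href="http://www.example-corp.com.payments-verify.example/login">https://www.example-corp.com/payments</a>
before noon. Do not call me, I am in meetings all day.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lowercase hostname of a URL or bare URL-looking string; '' if it is not URL-like."""
    if not URL_LIKE.match(text):
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def check_message(raw):
    """Return human-readable warnings for a raw RFC 5322 message; [] means nothing tripped."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings = []
    if not msg["From"] or not msg["From"].addresses:
        return ["message has no usable From address"]
    sender = msg["From"].addresses[0]
    from_addr = sender.addr_spec.lower()

    # Display-name spoofing: a known executive's name, but not their real address.
    if sender.display_name in EXECUTIVES and from_addr != EXECUTIVES[sender.display_name]:
        warnings.append(f"From shows '{sender.display_name}' but address is {from_addr}")

    # Replies silently redirected to a different domain than the visible sender.
    if msg["Reply-To"] and msg["Reply-To"].addresses:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender.domain.lower():
            warnings.append(f"Reply-To goes to {reply_domain}, not the sender's domain")

    # Hover check: visible link text names one host, href points somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, real = host_of(text), host_of(href)
            if shown and real and shown != real:
                warnings.append(f"link text says {shown} but points to {real}")
    return warnings


if __name__ == "__main__":
    for w in check_message(SAMPLE):
        print("WARNING:", w)
```

Running it on the constructed message produces three warnings. None of these checks is proof of fraud on its own (a legitimate executive may mail from a personal address, and marketing mail routinely uses tracking hosts), which is why they belong as a prompt for the out-of-band verification the article recommends rather than as an automatic block.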
It Starts with People
Whaling and other phishing scams succeed only if the human behind the keyboard falls for them. Company-wide education is an absolute must, but be sure to run a separate focus group for your C-suite and for employees in your IT and finance departments. These individuals have access to your data, networks, and financials, making them the most attractive "fish" to target, and the ones most likely to be impersonated.