Your high-ranking employees are gatekeepers to a treasure trove of sensitive information about your company. Hidden deep inside your figurative data castle are things like employee social security numbers, corporate bank account information, and customer credit card numbers. Things that, in the wrong hands, could compromise the integrity of your brand and/or cost your company millions of dollars. And all it takes is for one person to get caught napping.
Like the experts in any other industry, cyber criminals are constantly learning and evolving. One of their most intricate schemes to date is the whaling attack, in which they attempt to impersonate you or one of your executive officers, and scam your employees.
Even as you read this, a would-be Captain Ahab is plotting his next ultra-sophisticated whaling attack — and you’re as good a target as any. Here’s an FAQ-style guide, with everything you need to help you spot that attack in advance, and stop the harpoon dead in its tracks.
What is a whaling attack?
A whaling attack (also known as whaling phishing) is a carefully crafted phishing scam in which an impostor masquerades as a high-ranking executive within your company, with the intent of tricking your employees into wiring them large sums of money or revealing confidential information.
How is a whaling attack different from a phishing attack?
All whaling attacks are phishing attacks, but not all phishing attacks are whaling attacks.
Phishing attacks have been around for a quarter century now. In the mid-nineties, the term was exclusively used to describe hackers who sent out email blasts as “lures” in order to “phish” for passwords and credit card numbers from AOL users.
Nowadays, it’s more broadly defined as any internet scam in which someone tries to reel in sensitive information through deceptive means. Take note: if you can fall for your uncle’s prank, you can fall for a phishing scam.
While these scams typically cast a broad net (and have relatively low success rates), a variant known as spear phishing takes a personalized approach to target a single user. The majority of these attacks use social engineering to stoke the victim emotionally.
Whaling attacks fall under that category, but in these cases the “spear” is thoughtfully designed with the idea of hauling in a much larger prize.
How do whaling attacks work?
Whaling social engineering is incredibly intricate; the criminal will typically go to great lengths in order to make their impersonation of a C-suite executive seem hyper-realistic.
Most commonly, they’ll do in-depth research on a) their target within your organization, and b) the superior they’ll be impersonating.
The latter is tricky, but by using a similar email domain and incorporating company logos and email signatures, they can create a Halloween-worthy digital disguise. Other times, they might use a regular Gmail address and claim to be sending the message from their “personal account”.
As for the target, it’s usually not difficult to look through an employee’s Facebook, find a photo from a post-work happy hour, and incorporate details that “only that executive could know”.
Even if a few red flags make your employee put their guard up, the scammer can often compensate for that by preying on things like trust, urgency, or the fear of losing their job if they don’t comply.
What’s the worst that could happen?
Ask Snapchat, which fell victim to a whaling attack in 2016. An HR rep in the social media giant’s organization forked over payroll data that revealed the personal information of several employees, including stock option data and everything listed on their W-2s.
Barely a month later, a finance exec at Mattel wired $3 million to a Chinese bank after getting email instructions from “the new CEO”.
Those scams might even be considered small potatoes compared to some larger-scale attacks that have cost companies tens of millions of dollars. Even worse, they lost a lot of consumer confidence as a result of being so easily compromised.
Okay, so how can I prevent this from happening?
Like a kid going out to play in the mid-January snow, you’ll need several layers of protection. Follow these tips, and you’ll make yourself less vulnerable to the flurry of whaling attacks happening every day.
Educate your executives and employees
Most people think of phishing scams as highly flawed and easy to spot, so they might be entirely unsuspecting of meticulous whaling social engineering. Start by letting your team know that these scams exist!
Then, train them
Helping your team learn to spot the warning signs of a whaling attack can end up saving you millions. IT-savvy companies like Marco can even simulate a surprise attack to help you determine how susceptible your employees are.
Flag emails outside of your network
This is an incredibly simple and effective way to expose spoofed email addresses. The difference between “@smithlenses.com” and “@smith1enses.com” might be hard to spot in a certain font, but showing that the email is out-of-network will raise an alarm.
Set up whaling prevention protocols
Some great examples of this include verifying requests for sensitive information through other channels, such as a phone call. Forcing another person to sign off on these requests is also a great idea — it’s harder to scam two people than one.
Invest in DLP software
Data Loss Prevention (DLP) software can block violations of the protocols you’ve put in place. It can also flag emails based on the name and age of the domain (new domains are more suspect), similarity of the display name to known contacts, and suspicious keywords such as “wire transfer”.
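The out-of-network flag and the DLP-style checks described in the two tips above can be sketched as a mail-filter rule. This is an added example, not code from the article or from any DLP product: the executive list, keyword list and similarity thresholds are hypothetical, the domain is the article's own example, and the domain-age check is left out because it needs a registration-data lookup.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed values for illustration only.
ORG_DOMAIN = "smithlenses.com"              # example domain used in the article
EXECUTIVES = ["Jane Smith", "Raj Patel"]    # hypothetical executive display names
KEYWORDS = ("wire transfer", "w-2", "payroll")
# Digits commonly substituted for look-alike letters (1 for l, 0 for o, ...).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

def skeleton(domain):
    """Collapse common look-alike substitutions so spoofed domains compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def similarity(a, b):
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def is_internal(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)

def flag_message(from_header, subject, body):
    """Return the list of warning flags a gateway would attach to a message."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if not is_internal(domain):
        flags.append("external-sender")
        if skeleton(domain) == skeleton(ORG_DOMAIN) or similarity(domain, ORG_DOMAIN) >= 0.9:
            flags.append("lookalike-domain")
        # An executive's name arriving from outside the organisation is the
        # "personal account" pattern described earlier in the article.
        if any(similarity(name, e) >= 0.85 for e in EXECUTIVES):
            flags.append("executive-display-name")
    text = f"{subject}\n{body}".lower()
    if any(k in text for k in KEYWORDS):
        flags.append("sensitive-keyword")
    return flags

# Constructed sample messages (not real traffic).
SAMPLES = [
    ("Jane Smith <jane.smith@smith1enses.com>", "Urgent wire transfer", "Please send today."),
    ("Jane Smith <js.private@gmail.com>", "Quick favor", "Writing from my personal account."),
    ("Bob Lee <bob.lee@smithlenses.com>", "Lunch", "Noon works for me."),
]

if __name__ == "__main__":
    for sender, subject, body in SAMPLES:
        print(sender, "->", flag_message(sender, subject, body) or "no flags")
```

The rule reads only the From header, so a message that forges the exact company domain passes it; that case is handled by sender authentication (SPF, DKIM and DMARC) at the mail gateway.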
Have employees make social media profiles private
Setting employee LinkedIn and Facebook profiles to be visible to friends only will make it harder for random scammers to gain access to their personal information, and use it as part of a whaling attack.
Keep your guard up
The only way to prevent whaling attacks is to prepare for them as diligently as possible. Getting a little help from a company like Marco right now could save you millions of dollars and a whale-sized headache down the line.