How to deal with Whaling as a Cyber-Security threat

The practice of phishing as a means for cyber-criminals to obtain sensitive information from an online user is rife. Usernames, passwords and credit card details are all at risk, with the theft of money often the ultimate goal of the hacker. The most common method of phishing is for the criminal to send out an email that gives the impression that it has come from an official source. This email will likely have a link that leads to somewhere harmful, or an attachment that has malicious intent when opened.

A very similar concept to phishing, and one that retains the aquatic theme, is whaling. Performed in much the same way as a phishing attack, whaling is nevertheless far more focused on specific individuals of value rather than on mass exposure. These individuals are likely to be high profile employees of a business, those who hold the most valuable information. They will be ‘The Big Fish’ of the organisation, hence, of course, the name.

The slight nuance to whaling is the way in which the employees are approached. Whereas simple phishing victims receive emails from supposedly trustworthy organisations, whaling relies on finding out who a person’s supervisor is within the company, and then sending that person an email, apparently from the supervisor, asking them to perform an action. If the CEO or Managing Director of your company requires something, even if it is the transfer of funds, it is highly likely that the request will be obeyed, leaving you vulnerable.

The attraction of whaling is that it targets individuals with powerful positions or titles. This close proximity to the top decision makers makes it all the more likely that the employee will obey a direct instruction coming via email, without truly questioning the source. Whalers will not restrict themselves to just impersonating CEOs though. They will also, if a vulnerability is found, look to hack into the networks where the influential individual stores their data. From here they can enable key-logging to track the user’s actions, or simply unleash malware onto the system.

As with all potential risks to cyber-security, it is a combination of robust, regularly updated antivirus software and constant vigilance and training that will keep businesses safe. If there is an attachment involved that seems suspicious, then protection software can block it from entering your system. There are always loopholes though, so make sure your software is always up to date, and that all vulnerabilities are patched.

It is also important to encourage your employees to challenge all correspondence they receive, so that they don’t blindly obey. Have processes in place that let individuals within the company always confirm that an email really comes from the sender it claims to be from. Above all, train them to recognise exactly which clues give a fraudulent message away.
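As an added illustration of such a process (example code, not from Digital Pathways), the script below checks the clues a whaling email typically leaves in its headers: a display name that matches a known executive but a mailbox that does not, a sender domain that merely resembles the company's, and a Reply-To pointing somewhere else. The organisation domain, the executive list and the sample message are all constructed values.

```python
import email
from email.utils import parseaddr

# Assumed organisation details (hypothetical values for this example).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(raw):
    """Return a list of warnings describing executive-impersonation clues."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. Executive's name in the display name, but not the executive's mailbox.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        findings.append(f"display name '{name}' is an executive but address is {addr}")
    # 2. Sender domain is a near miss for the company domain (e.g. 1 for l).
    if from_domain != ORG_DOMAIN and 0 < edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append(f"sender domain {from_domain} looks like {ORG_DOMAIN}")
    # 3. Replies silently redirected to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply} goes to a different domain than From")
    return findings


# Constructed sample: a CEO-style request from a look-alike domain with an external Reply-To.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: payments@webmail-host.invalid
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached invoice today, I am in meetings all afternoon.
"""

if __name__ == "__main__":
    for finding in assess_message(SAMPLE):
        print("WARNING:", finding)
```

Each warning is a prompt for the recipient to confirm the request out of band, by phone or in person, before acting on it.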

For more help on whaling, and how to keep your high profile staff safe, speak to Digital Pathways today.
