In the past few months, the recent wave of ransomware attacks has everyone on their toes and checking for gaps in their cyber-security infrastructure. Firewalls are being updated, defensive policies have been redesigned and network monitoring has been implemented, and regular backups are being taken. In other words, companies are doing everything it takes to protect their networks from invasion, corruption, and theft but malware isn't the only kind of malicious technique being used by 'black-hat' hackers, and they're not always after your data. Ransomware may seem like a revolutionary way to get money out of big businesses, but hackers have been using pure research and deception to the same end for decades. While your company is busy shoring up firewalls, you could get Whaled without a single piece of malware entering your network.
What is a Whaling Attack?
The term 'Whaling' is a joke based on the initial hacking method known as 'phishing' in which a hacker sends an email from an apparently trusted source like a friend or coworker in order to either obtain private information or entice their victim to open a malicious file that installs malware on their computer. Whaling, on the other hand, targets 'bigger fish' by impersonating an executive of a company to one or more of their subordinates. The targeted employees, eager to please their boss's boss, can then be tricked into performing harmful requests like transferring money or sharing sensitive company or even client data. Fortunately, all it takes is awareness and a few simple steps to protect your company, executives, and employees from this deceptive attack.
Detect Spoofed Email Domains
The primary method of phishing and whaling is the spoof email address. This can look almost exactly like the email address of the person a hacker is impersonating but with one or two changed characters, often near the end. They do this by purchasing a domain to send the emails from then creating an account with the same name and even the same apparent meta-data so that the spoof email appears as close to genuine as possible. An example might be spoofing a real address of "email@example.com" to "firstname.lastname@example.org". Can you spot the difference? Fortunately, you don't have to because your IT security team can help you set up defensive email software to detect these spoofs.
Keep Personal Lives Private
Another way that whaling can fool employees is by using personal information and personality markers like the way an executive speaks and even references to existing relationships as 'proof' that an email is genuine, even if it appears to be coming from a 'separate personal email' rather than the company account. This is unfortunately done quite easily simply by researching the public social media presence of executives and the more personal life is shared, the easier it is to borrow their identity. To prevent this, try to limit the amount of open public exposure your executives share of their personal lives and coworker relationships.
Always Double-Check Executive Requests
Some requests, like non-standard money or information transfers, should never be taken lightly. As with classic forms of cyber-security like scanning downloads, it's best to assume that every unusual request from an executive could be a whaling attack. In order to avoid falling into the trap, even if the email says immediate action is required, always have a double-confirm system in place involving more than one form of communication. A simple phone call or personal visit to ask if the exec making the request did so legitimately can save thousands of dollars and possibly even prevent lawsuits.
Educate the Entire Staff
Finally, when it comes to whaling the best defensive strategy is a complete one. Because whaling can target any employee in the hierarchy, from mail room clerks right up to requests made to other business executives, educating the entire staff is the only way to ensure that no one falls for the trick should it ever occur. Include the basics in orientation, hold a special meeting, and even send regular news-letter reminders to employees to stay on their toes in order to help everyone hold the line against deceptive whaling attacks.
For more helpful IT security tips and tricks, contact us today!