Whaling Attacks and How to Prevent Them
A whaling attack is a clever little play on words that has its roots in phishing.
You have no doubt heard the term phishing before. Phishing is when someone emails, calls, texts, or uses another communication channel to contact a person, pretending to be someone else, generally with authority, or sometimes pretending to be someone you know.
The aim of the communication is to try and get the person on the other end to perform some action. This might be sending through a payment, downloading a piece of software, or revealing personal information.
You will have come across these before. Someone with a strange accent calling your house purporting to be from Microsoft, wanting to instruct you have to remove a virus on your computer. The recent emails sending people to a fake MyGov site to steal their details.
Phishing attacks can target anyone. The little old lady down the street to your second cousin working for a big bank in London.
What is a Whaling Attack?
Whale attacks are targeted phishing – going after the whale. If you’ve ever watched any of the Ocean’s 11 movies, then you’ll know what the whale is – the high roller at the casino. In a whaling attack – it’s phishing for high-level individuals at a company, such as the CEO or the accounting manager or those who have high-level security access to company systems.
These whaling attacks are generally more sophisticated than phishing attacks and harder to spot. The communication might look like it’s an internal email sent from purchasing seeking to fast-track an overdue payment. It might be a phone call pretending to be someone from your data centre asking you to perform a series of tasks to ensure backups are working as expected. It may involve communications from “a number of people” in the pipeline, such as a lawyer, an accountant, and a vendor. They easily mimic real-life high-level business interactions.
Whaling attacks are clever because these people expertly analyse your business and interactions to be able to make their attempts appear legitimate, friendly, high-level and urgent. This type of social engineering isn’t for dim-witted crims, which means that even the savviest companies may be at risk.
The Effects of Whaling Attacks
The effects of whaling attacks can be devastating.
An accountant from a French firm was made to believe her CEO urgently needed €500,000 to purchase a business in Cyprus, and transferred the funds within a few hours.
A Lithuanian man went so far as creating a company with the same name as an Asian computer hardware manufacturer that dealt with tech firms to defraud Google and Facebook of over $100m USD.
But it’s not just money that these cybercriminals are always after. Corporate espionage to capture proprietary data for market advantage is real. How valuable is your company IP to others? Even others overseas?
What if a whaling attack managed to install targeted ransomware on your most critical systems leaving them inoperable? Would you be able to pay the price? And what if the ransomers didn’t deliver on their promise to unlock your systems?
How to Prevent Against Whaling Attacks
Whaling attacks can be prevented if you know the signs to look out for and practice vigilance in your system’s security.
Here are some measures you can put in place to avoid being a victim.
A dedicated and knowledgeable security expert on staff
Employing a dedicated cybersecurity professional is the ideal way to keep on top of all your security threats. This individual will be able to set up systems to capture possible threats before they reach individuals (such as email quarantining), develop and implement security training packages for staff, and design repeatable processes to follow if scams are suspected.
Of course, many businesses don’t have the resources to employ a FTE. A security consultant may be engaged for a period of time to help initialize security, or you may instead outsource this role.
Regular staff security briefings and training
The best line of defence is educating your team on what to spot to avoid being the victims of a scam in the workplace. While they may be well aware someone from Microsoft won’t be calling their home phone, receiving a legitimate-looking email from a known vendor isn’t likely to trigger warning bells. Conducting regular training sessions with real-life examples can help keep staff alert and informed.
2FA across the board
Two-factor authentication is often used for passwords: when logging in, it’ll also require a code sent via SMS, or some other means. The human equivalent is the two-man rule. This means that you’ll need at least two (authoritative) people to be present and approve things like large transfers, access to secure systems, etc. While the first person may not catch an attempted whaling attack, the more eyes on the situation, the more likely someone is to realise that something isn’t quite right.
Using managed services for your systems infrastructure
For SMEs, sometimes you simply don’t have the resources or expertise to ensure ongoing systems security across your infrastructure. Managed service providers, like A1 Technologies, allows you to put systems management in the hands of the experts instead – who are well versed in systems security, access controls, and can even create complex email rules to prevent attacks. Doing systems security internally can be a costly exercise and takes resources away from doing your core business.
If you come across what you believe to be a whaling attack, make sure to contact both your head of security, as well as Scamwatch, the Australian government initiative to the prevention of scams.
And if you’d like to chat more about systems security and how we can help secure your systems, then make sure to get in contact with us.
Subscribe to our newsletter
Enter your email and stay in touch with the latest updates from A1.
You might also like…
- Microsoft Security Defaults for Azure AD Managing workplace users and their access to systems and applications is made easy with Microsoft Azure Active...
- Love AWS? We do too! It’s been a while since we’ve done a news update on everything exciting happening over at AWS, so...
- One of the questions we often hear is “Which productivity suite is better for security? Office 365 or G Suite?”, or even “Isn’t...