A whaling attack is a clever little play on words that has its roots in phishing. Phishing is when someone emails, calls, texts, or uses another communication channel to contact a person, pretending to be someone else, generally with authority, or sometimes pretending to be someone you know.
These highly targeted cyberattacks are aimed at high-profile individuals within organisations, often seeking sensitive information or financial gain. The aim of the communication is to try and get the person on the other end to perform some action. This might be sending through a payment, downloading a piece of software, or revealing personal information.
You will have come across these before. Someone with a strange accent calling your house purporting to be from Microsoft, wanting to instruct you to remove a virus on your computer. One example is an email sending people to a fake MyGov site to steal their details.
Phishing attacks can target anyone. The little old lady down the street to your second cousin working for a big bank in London. In this article, we’ll delve into what whaling attacks are, their effects, and most importantly, how to prevent them using specific Microsoft products and solutions.
What is a Whaling Attack?
Whaling attacks, also known as CEO fraud or executive impersonation attacks, are a specialised form of phishing. If you’ve ever watched any of the Ocean’s 11 movies, then you’ll know what the whale is – the high roller at the casino. In a whaling attack – it’s phishing for high-level individuals at a company, such as the CEO or the accounting manager or those who have high-level security access to company systems.
Unlike regular phishing attacks that cast a wide net, whaling attacks are carefully crafted to deceive high-ranking individuals like CEOs, CFOs, or other top executives. Cybercriminals meticulously research their targets to create convincing messages that appear to come from a trusted source, often someone within the organisation.
These whaling attacks are generally more sophisticated than phishing attacks and harder to spot. The communication might look like it’s an internal email sent from purchasing seeking to fast-track an overdue payment. It might be a phone call pretending to be someone from your data centre asking you to perform a series of tasks to ensure backups are working as expected. It may involve communications from “a number of people” in the pipeline, such as a lawyer, an accountant, and a vendor. They easily mimic real-life high-level business interactions.
Whaling attacks are clever because these people expertly analyse your business and interactions to be able to make their attempts appear legitimate, friendly, high-level and urgent. This type of social engineering isn’t for dim-witted crims, which means that even the savviest companies may be at risk.
The goal of a whaling attack can vary but typically includes:
Financial Fraud: Whaling attacks often aim to trick executives into making financial transactions, such as transferring funds to fraudulent accounts or purchasing gift cards.
Data Theft: Attackers may seek access to sensitive company data, customer information, or intellectual property, which they can then exploit or sell on the dark web.
Reputation Damage: In some cases, the attackers may attempt to tarnish the reputation of the targeted executive or the organisation by sending false or damaging communications.
The Effects of Whaling Attacks
The effects of whaling attacks can be devastating.
In 2020, an Australian hedge fund fell victim to a whaling attack, resulting in a staggering loss of over $8.7 million and consequently led to its closure. Attackers were able to take control of its email system and send off bogus invoices and also authorised transactions to execute a series of transfers overseas.
An accountant from a French firm was made to believe her CEO urgently needed €500,000 to purchase a business in Cyprus, and transferred the funds within a few hours.
A Lithuanian man went so far as creating a company with the same name as an Asian computer hardware manufacturer that dealt with tech firms to defraud Google and Facebook of over $100m USD.
But it’s not just money that these cybercriminals are always after. Corporate espionage to capture proprietary data for market advantage is real. How valuable is your company IP to others? Even others overseas?
What if a whaling attack managed to install targeted ransomware on your most critical systems leaving them inoperable? Would you be able to pay the price? And what if the ransomers didn’t deliver on their promise to unlock your systems?
How to Prevent Against Whaling Attacks
Whaling attacks can be prevented if you know the signs to look out for and practice vigilance in your system’s security.
To defend against these attacks, a combination of cybersecurity education, email authentication, advanced threat protection, multi-factor authentication, encryption, and security monitoring is essential. Microsoft offers a suite of products and solutions that can fortify your organization’s defenses and minimize the risk of falling victim to whaling attacks.
Here are some measures you can put in place to avoid being a victim.
A dedicated and knowledgeable security expert on staff
Employing a dedicated cybersecurity professional is the ideal way to keep on top of all your security threats. This individual will be able to set up systems to capture possible threats before they reach individuals (such as email quarantining), develop and implement security training packages for staff, and design repeatable processes to follow if scams are suspected.
Of course, many businesses don’t have the resources to employ a FTE. A managed security service provider or security consultant may be engaged for a period of time to help initialise security, or you may instead outsource this role.
Regular staff security briefings and training
The best line of defence is educating your team on what to spot to avoid being the victims of a scam in the workplace.
Conduct regular security awareness training for employees, including executives. Microsoft provides resources like the “Cybersecurity Awareness” program to educate users about the latest threats.
While they may be well aware someone from Microsoft won’t be calling their home phone, receiving a legitimate-looking email from a known vendor isn’t likely to trigger warning bells. Conducting regular training sessions with real-life examples can help keep staff alert and informed.
MFA across the board
Multi-factor authentication (MFA) is often used for passwords: when logging in, it’ll also require a code sent via SMS, or some other means. The human equivalent is the two-man rule. This means that you’ll need at least two (authoritative) people to be present and approve things like large transfers, access to secure systems, etc. While the first person may not catch an attempted whaling attack, the more eyes on the situation, the more likely someone is to realise that something isn’t quite right.
Email encryption, authentication, filtering & threat protection
Implement DMARC (Domain-based Message Authentication, Reporting, and Conformance) to prevent email spoofing and protect against domain impersonation. Microsoft 365 offers DMARC support to enhance email authentication.
Microsoft 365 Defender also provides advanced threat protection against phishing, malware, and other email-based threats. Configure anti-phishing policies to detect and block whaling attacks before they reach the inbox.
You can also use Azure Information Protection to encrypt sensitive emails and documents. This ensures that even if attackers gain access to the content, it remains protected.
Security monitoring and incident response
Consider implementing Microsoft Sentinel, a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution. It helps detect and respond to security incidents in real-time.
Using managed services for your systems infrastructure
For SMEs, sometimes you simply don’t have the resources or expertise to ensure ongoing systems security across your infrastructure. Managed service providers, like A1 Technologies, allows you to put systems management in the hands of the experts instead – who are more well-versed in systems security, access controls, and can even create complex email rules to prevent attacks. Doing systems security internally can be a costly exercise and takes resources away from doing your core business.
If you come across what you believe to be a whaling attack, make sure to contact both your head of security, as well as Scamwatch, the Australian government initiative to the prevention of scams.
If you’d like to chat more about systems security and how we can help secure your systems, then make sure to get in touch with us.
Subscribe to our newsletter
Enter your email and stay in touch with the latest updates from A1.
You might also like…
- Enhancing productivity in the workplace frees up more time for employees, which means you can do more with less resources – something everyone...
- In today’s data-driven world, managing and governing data is crucial for businesses to remain compliant, secure, and efficient. Microsoft Purview, a unified data...
- At the forefront of collaborative technology, Microsoft Loop offers a seamless integration of familiar Microsoft 365 tools, such as Word, Excel, and PowerPoint,...