Don’t Get Harpooned by a Whaling Attack

By: Krista M. | Cyber Threat Intelligence Analyst, NJCCIC

Unlike phishing attacks, which cast a wide net in the hope of catching as many victims as possible, whaling is a term used to describe carefully crafted emails designed to target or spoof specific people within an organization – usually top-level executives, upper management, and other corporate decision-makers. The intent is to entice the target to click on a malicious link, open an infected attachment, or perform other actions such as transferring money to unauthorized individuals. According to recent survey results published by Mimecast, 55 percent of organizations in the US, UK, South Africa, and Australia saw an increase in whaling attacks over the past three months. In 72 percent of those attacks the scammer pretended to be the target organization’s CEO, and in 36 percent the CFO.

When tailoring a whaling email, scammers try to be as convincing as possible, often performing extensive reconnaissance on both the target and the organization before attempting contact. They will often scour the target’s social media profiles to collect as much personal information as they can. LinkedIn, Twitter, Facebook, and other publicly available sources make it all too easy for scammers to quickly learn crucial information such as where their targets work, who their managers and coworkers are, and their job titles and duties. This information alone is sufficient for an attacker to craft a seemingly authentic email.

These emails use social engineering to elicit a quick response from the target. The subject lines often make the message appear to be time-sensitive, sometimes including phrases such as “ACTION REQUIRED.” The sender address is often spoofed to appear as though the email originated from an important or authoritative person, such as a company manager, a lawyer, or even a member of law enforcement. For instance, a scammer could spoof your CEO’s email address and send an email to an employee within your finance department, urgently requesting a transfer of company funds to an external account. If that employee were not properly trained on how to spot phishing and whaling emails, he or she might not think twice about honoring that request, ultimately allowing the scammer to make off with your company’s money. Conversely, your CEO could be targeted by an email crafted to look like it originated from the company’s legal team, containing a malicious attachment labeled “subpoena.” If that attachment is opened, it could compromise passwords, confidential data, or the entire company’s network.

Social engineering tactics like whaling can be very successful and cause great damage to a company or individual. Although there is no way to completely eliminate the threat of whaling, there are steps every person and organization can take to reduce the likelihood of a successful whaling attack.

Tips for individuals:

  • Use various search engines to see what information about you and your company is publicly available online. Knowing your online identity footprint can prepare you for what can be used against you. Contact the NJCCIC for a detailed guide on securing your online footprint.
  • Tighten privacy settings on social media websites, especially LinkedIn and Facebook.
  • Try to refrain from adding someone you do not personally know to social media friend lists. If you do, however, use privacy settings to limit what they can view on your profile.
  • If you receive an urgent-sounding email from what seems to be a familiar source, follow up with a phone call to the sender to verify the authenticity of the request before taking any action.

Tips for organizations:

  • Conduct a social engineering risk assessment of your organization followed by social engineering awareness training for every employee.
  • Implement a policy that requires two or more people to approve any large financial transactions to external parties, e.g., wire transfers.
  • Implement a policy that requires any unusual urgent requests via phone call to be met with a series of follow-up security questions designed to verify the identity of the caller.
  • Be aware of typosquatting (also known as URL hijacking) and sign up for domain name registration alerts to notify you when someone registers a website that is similar in spelling to your company’s website. Use these alerts to create email filtering rules to help prevent phishing and whaling attempts from reaching end users.
  • Encourage staff to immediately report any suspicious emails or phone calls to your organization’s security team.
  • Have an incident response plan in place in the event of a whaling attack.
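The lookalike-domain filtering rule in the organizational tips above, as an added example that is not NJCCIC code: a small Python classifier that flags inbound sender domains resembling a protected company domain, the kind of rule that domain registration alerts would feed. The domain example-corp.com, the homoglyph table, and the edit-distance threshold are assumptions.

```python
import re

# Constructed placeholder for your own registered domain(s).
PROTECTED = {"example-corp.com"}

# Character swaps commonly used in lookalike domains (assumed list, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def normalize(domain):
    """Lowercase a domain and undo common homoglyph substitutions."""
    d = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Pull the domain out of a From: header value such as 'CEO <ceo@x.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def classify_sender(from_header, protected=PROTECTED):
    """Return 'trusted', 'lookalike', 'external' or 'malformed' for a From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "malformed"
    for good in protected:
        if domain == good or domain.endswith("." + good):
            return "trusted"                      # exact domain or its subdomain
    for good in protected:
        if normalize(domain) == normalize(good):
            return "lookalike"                    # homoglyph swap, e.g. exarnple-corp
        if edit_distance(domain, good) <= 2:      # assumed threshold; tune per domain length
            return "lookalike"                    # typo or dropped character, e.g. .co
        if good.split(".")[0] in domain:
            return "lookalike"                    # brand embedded in a foreign domain
    return "external"
```

Hits on "lookalike" are candidates for quarantine and analyst review rather than silent deletion, since legitimate partners occasionally register brand-bearing domains.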