You’ve probably heard about phishing before, but you might be wondering what exactly “whale phishing” is. The two are much the same but have different targets.
Phishing generally targets those who play smaller roles in a company, like little fish in the sea. Whale phishing targets those in executive positions, like the largest fish, the whale shark, hence the term “whale” phishing.
Scammers have been phishing for over 25 years now, and ordinary phishing emails have become far easier to spot. The challenge with whale phishing, however, is that these emails target the executives in a company by incorporating their names and titles in the message.
But executives are intelligent people. How do they get scammed?
Whale phishing emails are much more sophisticated: they are well written and are the result of extensive research into the target. Details such as whom that person communicates with and the kind of discussions they usually have are worked into the message. Likewise, the phishers comb through social media accounts to work out how to trick the executive into handing over data, employee information, financial transactions or potentially classified information that could be sold to competitors or used as leverage in blackmail situations.
Such a high level of sophistication often dupes even the most security-conscious executives, with more than $12 billion scammed from executives since 2013.
The moment the executive clicks on the link, they are redirected to a dummy website that imitates an official website they usually visit, where they are then prompted to provide their credentials.
A phishing attack may also begin with opening an attached file that installs malware, enabling the attacker to monitor the victim’s inbox and PC.
Lastly, the attacker may succeed in getting the executive to act on a request for a wire transfer. One company would have lost millions were it not for the quick thinking of an accounts payable manager, who saw an authorization from the CFO to transfer large sums into multiple accounts. Only the decision to call the CFO and double-check revealed that no such authorization had been given, even though the message appeared to come from the CFO’s email account.
Whale phishing attacks succeed because they are exceptionally well planned: the attacker knows the target’s communication patterns and uses information and email subject headings that appear ‘normal’, which makes it extremely difficult to tell a whale phishing email from a real one.
Unfortunately, these well-planned attacks are not picked up by traditional anti-phishing solutions such as email filters. While in-office awareness campaigns have limited success, people still fall victim, especially if the scam impersonates someone they trust.
Given the elaborate planning that goes into these attacks, is it possible to avoid falling for them?
In short, yes, it is possible. However, it is crucial to find a way to confirm the identity of the person sending the email, for example by using a secure messaging platform when exchanging sensitive data, such as an email platform with end-to-end encryption. With end-to-end encryption, the sender’s identity can be confirmed by a private key stored on their device, a key that cannot be spoofed or stolen, which ensures that the sender is who they claim to be. This level of protection is important for individuals who need to protect their intellectual property.
Making sure you confirm the identity of the person you are talking to over email is also critical. If something seems strange, such as a site you regularly visit suddenly asking for your credentials when it usually doesn’t, it is better to confirm with someone you know on their end whether such a step is necessary.
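To make the identity check described in the two paragraphs above concrete, here is an added example (not code from the original post) of the mechanism behind it: a signature made with a private key that stays on the sender’s device is checked against a public key enrolled for that sender. The message format, the key directory and the CFO scenario are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// KeyDirectory maps a sender address to the public half of the key pair held on
// that device; entries are enrolled out of band (assumed), never taken from the mail.
type KeyDirectory map[string]ed25519.PublicKey

// SignedMessage is a constructed, minimal message format for this example.
type SignedMessage struct {
	From      string
	Body      string
	Signature []byte
}

// payload binds the claimed sender to the body so neither can change alone.
func payload(from, body string) []byte { return []byte(from + "\n" + body) }

// Sign produces the signature with the private key that stays on the sender's device.
func Sign(from, body string, priv ed25519.PrivateKey) SignedMessage {
	return SignedMessage{From: from, Body: body, Signature: ed25519.Sign(priv, payload(from, body))}
}

// Verify is true only when the signature checks out under the key enrolled for the
// claimed sender: a spoofed From, an attacker's own key, or an edited body all fail.
func Verify(dir KeyDirectory, m SignedMessage) bool {
	pub, ok := dir[m.From]
	if !ok {
		return false // no enrolled key: unverified, not trusted
	}
	return ed25519.Verify(pub, payload(m.From, m.Body), m.Signature)
}

func main() {
	// Constructed scenario: the CFO's key is enrolled; the attacker only has their own key.
	cfoPub, cfoPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	dir := KeyDirectory{"cfo@example.com": cfoPub}
	genuine := Sign("cfo@example.com", "Approve wire transfer, invoice 4471", cfoPriv)
	spoofed := Sign("cfo@example.com", "Approve wire transfer, invoice 4471", attackerPriv)
	tampered := genuine
	tampered.Body = "Approve wire transfer to the new account, invoice 4471"
	fmt.Println("genuine:", Verify(dir, genuine))   // true
	fmt.Println("spoofed:", Verify(dir, spoofed))   // false
	fmt.Println("tampered:", Verify(dir, tampered)) // false
}
```

The check is only as strong as the out-of-band enrollment of the public key and the protection of the private key on the device; a message with no enrolled key is treated as unverified, which is the safe default for a wire-transfer request.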
Making sure that your inbox is protected is the next step.
At All Managed IT we deploy a range of counter-phishing strategies to protect our clients. Contact us if you’d like to get protected too.