It’s Monday morning. You arrive at work bright and early, ready to tackle the day. When you log in to your email, you see a message from your boss marked urgent, and asking you to initiate a wire transfer of $100,000 to cover some consulting fees. Wanting to impress your boss, you do as you’re asked — only to find out a few hours later that your boss never sent the email, and your company is now out $100,000.
Congratulations. You’re now the victim of a whaling scam.
Going After the Big Catch
By now, most of us know what phishing is and are learning the telltale signs and how to avoid falling prey to scammers. Still, it remains a major concern, with the majority of large data breaches caused by individuals who fall for phishing messages. While fraudulent emails are the most common type of scam, hackers have taken their skills to text messages (smishing) and telephone calls (vishing), effectively stealing millions of dollars and other sensitive information.
However, while most phishing attacks are indiscriminate, designed to capture as much information from as many people as possible (which may or may not be worth anything), hackers have learned that they generally get better results when they launch more targeted attacks. This has led to the development of spearphishing, in which specific individuals are targeted for attack.
For example, hackers might view LinkedIn profiles to find administrative staff at a particular company, and then send malware through an email in an attempt to gain access to a company network. Spearphishing is always done with a particular target in mind, and may be motivated by the promise of financial gain, or just a desire to harm the operations of a company or a particular individual.
Whaling attacks take spearphishing to the next level, and are almost always financially motivated. While spearphishing might go after anyone who could give the hackers what they want, whaling attacks are usually aimed at a big target, such as the CEO or other top executives of a company. Hackers begin by thoroughly researching the target and capturing as much information as possible, including direct phone numbers, email addresses, and contact lists.
Once they have enough information, the hackers then send emails that appear to be authentic; unlike typical phishing messages that are sent out to thousands of individuals and contain generic, often seemingly random content, these messages are highly personalized and relevant to the target.
Usually, whaling messages require the recipient to do something, such as download an attachment or send money or information. For example, Snapchat recently fell victim to a whaling scheme when someone impersonating the company CEO sent an email to the payroll department requesting employee details. In another notable case, several major corporations were tricked into downloading malware that gave hackers access to their networks when company executives were sent emails purporting to contain federal subpoenas; when the recipients opened the attachments, the malware was launched.
Avoiding Whaling Scams
Because of the highly personalized nature of whaling emails, they can be more difficult to spot. However, there are some ways you can avoid a potentially disastrous outcome from one of these attacks:
- Install and maintain advanced Internet security software. This includes antivirus, anti-malware, firewalls, phishing detection, and intrusion detection and prevention.
- Learn the signs of fraudulent emails. Despite generally looking more authentic than the typical spam message, whaling messages do often have some telltale clues, including non-standard English, misspellings, and odd email addresses.
- Never click on links. Unless you are specifically expecting an email from someone with a link or an attachment, never click on a link contained in an email. If in doubt, contact the sender directly to confirm that they sent the message.
- Ask questions. If you receive an email requesting sensitive information, large sums of money, or anything else out of the ordinary, ask questions before acting. Even if the message appears to come from another executive, or your boss, it’s better to confirm than be responsible for the loss of huge sums of money — or a major data breach.
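One way to turn the signs listed above (an executive's name on a sender address that is not theirs, an odd or lookalike domain, a reply address that goes elsewhere, urgent wire-transfer wording) into a check a mail gateway or SOC script could run over incoming messages. This is an added example, not code from the original article; the corporate domain, executive list and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                             # assumed: the real company mail domain
EXECUTIVES = {"alice ceo": "alice.ceo@example.com"}     # assumed: display name -> real address
URGENCY = re.compile(r"\b(urgent|wire transfer|immediately)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def whaling_indicators(raw: str) -> list:
    """Return the list of whaling signs found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:                   # known executive name, wrong mailbox
        findings.append("display name impersonates executive")
    if domain != CORP_DOMAIN and edit_distance(domain, CORP_DOMAIN) <= 2:
        findings.append("lookalike sender domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        findings.append("reply-to domain differs from sender")
    text = msg.get("Subject", "") + " " + msg.get_payload()
    if URGENCY.search(text):
        findings.append("urgent money-movement language")
    return findings

# Constructed sample: an impersonation attempt and a genuine internal message.
SUSPECT = """From: Alice CEO <alice.ceo@examp1e.com>
Reply-To: Alice CEO <a.ceo@mail-fast.example.net>
To: bob@example.com
Subject: URGENT wire transfer

Bob, please initiate a wire transfer of $100,000 for consulting fees today.
"""
LEGIT = """From: Alice CEO <alice.ceo@example.com>
To: bob@example.com
Subject: Lunch

Lunch at noon?
"""
```

Any non-empty result should route the message for manual confirmation with the named executive through a known-good channel rather than by replying to it.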
As we become more savvy to hackers’ tricks, the hackers are always looking for new ways to trick us and steal our money and information. By staying vigilant and using the tools at our disposal, we can avoid the serious and costly consequences of falling for a scam.