The art of whaling is like that of phishing. Where phishing looks for anything and everything, whaling targets the “big fish”: C-level executives, leadership, and other people with higher-than-normal permissions. While a huge whale at a large company would be a great prize, hackers have their work cut out for them, as larger companies have dedicated security teams. A profitable whale can be found at a company of almost any size, making smaller, undefended companies a juicier and easier target.

Attackers will first use social media to track down and build a network map of who’s who at a company. They’ll do their best to work out who the movers and shakers are and whether they have the clout or access to move financial resources. With this information, they’ll start building a plan.
Common whaling targets are people who handle or have access to:
- Sensitive data
- Financial resources
- IT credentials
Attackers send these 'whales' an email pretending to be someone of importance within the organization. It can also go the other way, with the whalers pretending to be IT and targeting the people of importance directly.
Either way, the goal is to target specific individuals within the company. This isn’t like phishing, where a large “net” is thrown out and the attackers take whatever they can catch. These are direct assaults against targeted individuals chosen for their position and probable level of access to resources of interest to the whaler.
Defending Against Whaling
Defending against whaling is a more difficult process because the attackers have already invested time in reconnaissance and will spend more time tailoring the attack and making sure it looks convincing.
Check that Correct Names (Or Even Nick Names) Are Used
Things to look out for are fake emails using a boss’s full name, such as Robert instead of Bob, when Bob has always been called Bob and hates being called Robert.
Scrutinize Email Senders
Another thing to look out for is whether the email comes from a company address and whether the request is normal. For example, if email@example.com sent you an email requesting a wire transfer to a previously unknown account, you should probably call Bob and confirm. Even if it comes from a firstname.lastname@example.org address, take a few seconds to confirm that tons of money isn’t being sent to a malicious individual.
Hover Over Links to See Where They Actually Lead
In email, you can simply hover over a link to see where it goes. Though linked text may say one thing, be sure to see where you will truly land if you click the link by inspecting the URL.
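The two checks above (scrutinizing the sender and inspecting where a link really leads) can be made mechanical. The following is an added example, not code from the original article: it parses a raw email, flags a From: address outside the company domain whose display name claims an executive title, and flags links whose visible text names one host while the href points to another. The company domain, the sample messages, and the addresses in them are constructed placeholders for this example.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own mail domain (placeholder value).
COMPANY_DOMAIN = "example.com"

# Constructed sample: display name claims the CFO, real address is external,
# and the link text shows the company portal while the href goes elsewhere.
SAMPLE_EMAIL = """\
From: "Bob Smith (CFO)" <bob.smith@example-corp-mail.net>
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/html

<html><body>
<p>Please approve the transfer today. Details are on our portal:</p>
<a href="http://203.0.113.5/login">https://portal.example.com/approvals</a>
</body></html>
"""

# Constructed sample of an ordinary internal message that should pass clean.
CLEAN_EMAIL = """\
From: Bob Smith <bob@example.com>
To: accounts@example.com
Subject: Lunch menu
Content-Type: text/html

<html><body><p>See <a href="https://portal.example.com/menu">portal.example.com/menu</a></p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def sender_findings(msg):
    """Return reasons the From: header deserves a phone call to confirm."""
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    findings = []
    if domain != COMPANY_DOMAIN:
        findings.append(f"sender domain '{domain}' is not {COMPANY_DOMAIN}")
        # An internal title in the display name on an external address is the
        # classic executive-impersonation pattern.
        if any(t in display_name.upper() for t in ("CEO", "CFO", "CTO")):
            findings.append(f"display name '{display_name}' claims an executive title")
    return findings


def link_findings(msg):
    """Return (shown_host, real_host) pairs where the visible link text
    looks like a URL but its host differs from the href's host."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    mismatches = []
    for text, href in collector.links:
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            mismatches.append((shown_host, real_host))
    return mismatches


def triage(raw):
    """Parse a raw RFC 5322 message and return all findings by category."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {"sender": sender_findings(msg), "links": link_findings(msg)}


if __name__ == "__main__":
    for category, items in triage(SAMPLE_EMAIL).items():
        for item in items:
            print(f"[{category}] {item}")
```

These checks are deliberately simple: they do not replace a phone call to Bob, they only make sure the obvious signals (an outside domain wearing an inside title, a link whose text and destination disagree) are never missed.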
At the end of the day, our intuition and reasoning skills are the best defenses against attackers. They will, without fail, make unusual requests such as sending money to random accounts, through third-party services, and the like. Don’t be afraid to verify access requests, money transfers, or anything granting more power to anyone. Remember, it’s better to be safe than sorry.