<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=18068&amp;fmt=gif">

Hacking: Making Bigger Targets Smaller 

February 08, 2018 in Small Business Security

The art of whaling is like that of phishing. Where phishing is looking for anything and everything, whaling targets the “big fish” such as C-level executives, leadership, and other people with higher-than-normal permissions. While a huge whale at a large company would be a great prize, hackers have their work cut out for them as larger companies have dedicated security teams. A profitable whale can be found at almost any sized company, making smaller, undefended companies, a juicier and easier target.

Attackers will first use social media to track down and build a network map of who’s who at a company. They’ll do their best to work out who the movers and shakers are and if they have the clout or access to move financial resources. With this information, they’ll start building a plan.

Common whaling targets are people who handle or have access to:

  • Sensitive data
  • Financial resources
  • IT credentials 

Attackers send these 'whales' an email pretending to be someone of importance within the organization. It can also go the other way, with the whalers pretending to be IT and targeting the people of importance directly.

CEO Scam.png

Either way, the goal is to target specific individuals from within the company. This isn’t like phishing, where a large “net” is thrown out and they’ll take whatever they can catch. This is direct assaults against targeted individuals chosen for their position and probable level of access to resources of interest to the whaler.

Defending Against Whaling

Defending against whaling is a more difficult process because the attackers are going to spend more time tailoring the attack and making sure it looks good as they are already investing time into more refined attacks.

Check that Correct Names (Or Even Nick Names) Are Used

Things to look out for are fake emails using boss’s full names such as Robert instead of Bob when Bob’s always been called Bob and hates being called Robert.

Scrutinize Email Senders

Another thing to look out for is if the email is from a company email and if the request is normal. For example, if roberttheboss@hotmail.com sent you an email requesting a wire transfer to a previously unknown account, you should probably call Bob and confirm. Even if it comes from bobtheboss@company.com email, take a few seconds to confirm tons of money isn’t sent to a malicious individual.

Hover Over Links to See Where They Actually Lead 

In email, you can simply hover over a link to see where it goes. Though linked text may say one thing, be sure to see where you will truly land if you click the link by inspecting the URL. 

Hover over email links.gif


At the end of the day, our intuition and reasoning skills are the best defenses against attackers. They will, without fail, make unusual requests such as sending money to random accounts, through 3rd party services, and the like. Don’t be afraid to verify access requests, money transfers, or anything granting more power to anyone. Remember, it’s better to be safe than sorry.


New Call-to-action


Andrew Brown

Andrew Brown

A native of the industrious Los Angeles area, Andrew ended up in Colorado while serving in the Armed Forces as a Healthcare Specialist. Falling in love with the Rocky Mountains, he returned after his service with an Associates in Network Systems Administration and a Bachelors in Information Technology - Security. A logical step in his life as he was never fond of sand and was often found doing something with a computer no one else understood. You can find Andrew outside of work rolling dice with his gaming buddies or tinkering with his Linux virtual machines when he's not studying.

Connect with Us

Subscribe to our blog!


New Call-to-action





New call-to-action





 New Call-to-action