You're wondering what whales have to do with cyber security? Phishing attacks are probably familiar to most readers (if not, we recommend one of our previous articles). Whereas cyber criminals go "phishing" more or less blindly, whaling targets the very big fish: whales, or, back in the business world, senior management, CEOs, directors and, more generally, important decision-makers. Around 9 out of 10 whaling attacks succeed, so it is high time you knew about them. In this article you will learn which warning signs to watch out for as a potential target, and why your staff also play an important role in these digital confidence tricks.
Classic phishing attacks do not target a specific person, whereas "spear phishing" is aimed at one deliberately chosen individual. When that individual is a director, a member of senior management or someone with a great deal of decision-making power, we call it whaling.
The alleged sender is usually also an important person in a management role. The reason is obvious: orders or requests from such a person carry more weight, are dealt with more swiftly and put more pressure on the recipient. In a typical whaling case, the "CEO" instructs the Finance Department to transfer a large sum as quickly as possible to an account that is often held abroad. In many cases the real CEO is actually travelling at the time, so the request is plausible and harder to verify by simply walking into the CEO's office.
We are happy to accept that neither you nor your employees will fall for clumsy, run-of-the-mill spam e-mails (your spam filter has probably intercepted them anyway). But the really dangerous cyber criminals are not stupid. That is why they prepare such attacks meticulously, and often successfully, as these examples show:
Unfortunately, these are not isolated cases: according to InfoSecurity Magazine, whaling attacks succeed in around 90% of cases.
In whaling, the attacker deliberately chooses both who the sender will be and who the recipient will be. How can they know whom to pick? By following our digital footprints. Whether we intend it or not, all of us leave a vast amount of information on the Internet. Cyber criminals exploit this and spy on their target persons, for example with pretext telephone calls: posing as a familiar, long-standing customer or a colleague, they obtain personal details with little effort. These details are then woven into the phishing e-mail to make it more credible.
Attackers are particularly fond of browsing social networks. On LinkedIn, for example, it is easy to find out who holds which position. Does your company use social media? Then there is bound to be some bait there that can be used for an attack, so you need to be on your guard here too.
If you want to know what a typical phishing e-mail used in whaling attacks looks like, download our infographic! Our pentesters have created an example of a successful phishing e-mail especially for you. You will also find helpful tips on what to look out for. It is also perfect for heightening staff awareness - download it now for free!
Demands for payment are not the only danger. Often the sender, working under supposed time pressure, demands sensitive information such as credit card numbers or passwords, or threatens to publish such information. Or the e-mail asks you to open an attached file or click a link, which is how ransomware and other blackmail trojans get onto a single computer or into an entire network.
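The pattern described above (an executive's name on an external or lookalike address, replies quietly redirected elsewhere, and pressure to act immediately and discreetly) can be checked mechanically before a mail ever reaches the finance team. The following script is an added example, not InfoGuard's code or part of the infographic; the company domain `example.com`, the executive directory and the two sample messages are constructed for illustration, and the heuristics are deliberately simple.

```python
"""Heuristic CEO-fraud (whaling) triage on raw e-mail headers and body.

Added example, not InfoGuard's own code. COMPANY_DOMAIN, EXECUTIVES and the
two sample messages are constructed for illustration.
"""
import difflib
import email
import re
from email.policy import default
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumed company domain
EXECUTIVES = {                          # constructed directory: display name -> real mailbox
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|right away|today|confidential|discreet)\b", re.I
)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _is_internal(domain: str) -> bool:
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)


def _is_lookalike(domain: str) -> bool:
    """External domain that closely resembles ours (e.g. examp1e.com vs example.com)."""
    if not domain or _is_internal(domain):
        return False
    return difflib.SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= 0.8


def analyse(raw: str) -> list[str]:
    """Return human-readable red flags found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_domain = _domain(from_addr)

    # 1. An executive's display name, but not that executive's mailbox.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr != real:
        findings.append(f"display name '{from_name}' impersonates {real}, real sender {from_addr}")

    # 2. Sender domain that is not ours but is built to look like ours.
    if _is_lookalike(from_domain):
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Replies silently redirected to a different domain than the one shown in From.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_domain}")

    # 4. Time pressure or secrecy wording in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text):
        findings.append("urgency or secrecy wording")

    return findings


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Two or more independent red flags is enough to route the mail for manual review."""
    return len(analyse(raw)) >= threshold


# Constructed sample: the classic "CEO abroad, urgent confidential transfer" mail.
FRAUD_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.jdoe@webmail.invalid>
To: finance@example.com
Subject: URGENT wire transfer - confidential
Content-Type: text/plain; charset="us-ascii"

I am travelling and cannot take calls. Please transfer EUR 185,000 today
to the account below and keep this between us until I am back.
"""

# Constructed sample: a genuine internal mail from the same executive.
LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review
Content-Type: text/plain; charset="us-ascii"

Please send me the Q3 numbers when you get a chance.
"""

if __name__ == "__main__":
    for label, sample in (("fraud", FRAUD_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, is_suspicious(sample), analyse(sample))
```

Run as-is, the fraud sample trips all four checks and the genuine mail none. None of these heuristics proves fraud on its own (executives do use private addresses, and "urgent" appears in honest mail), which is why the script scores rather than blocks; the real control remains a call-back to the executive on a known number before any payment leaves the company.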
By reading this far you have already taken the first step in the right direction. Now it is important to recognise the features of attacks of this kind and to get your employees on board. Whether it is whaling or random phishing, everyone who is potentially at risk or involved in any way must be trained in how to handle sensitive information and unusual requests. We have summarised the most important short- to long-term measures for you:
Measures to take to protect against whaling:
Regardless of whether you are an assistant, a head of department or the Chief Executive Officer: when it comes to security, everyone bears the same responsibility. People are, and will remain, the weakest link in the security chain, so it is important to sensitise the entire company and raise security awareness at every level.
As mentioned above, communication is the first step in the right direction, preferably using easy-to-remember examples such as our infographic. After that, the goal is lasting security awareness, and there are several ways to achieve it.
Rely on an experienced partner like InfoGuard. In numerous successfully completed customer projects we have raised employee awareness and thereby demonstrably improved cyber security.