Whaling – don't fall into cyber criminals clutches

You're wondering what whales have to do with cyber security? Phishing attacks are probably known to most (if not, we'd recommend one of our previous articles). While cyber criminals go "phishing" relatively blindly, when it comes to whaling they are targeting the very big fish - that's right, whales; or to get back to the business world, to senior management, CEOs, directors and more generally, important decision makers. Around 9 out of 10 whaling attacks are successful, so it is high time that you were made aware of them. In this article, you will learn what alarm signals you should watch out for as a potential target and why your staff also plays an important role in these digital confidence tricks!

Classical phishing attacks do not set out to target a specific person, whereas "spear phishing" is aimed at a single person. When these people are directors, senior management or have a great deal of decision-making power, we call it whaling.

The alleged sender usually also masquerades as an important person in a management role. It is obvious why - orders or requests like these carry more weight, are dealt with more swiftly and put more pressure on the person receiving the e-mail. In whaling, for example, the CEO can instruct the Finance Department to transfer a large amount of money to an (often foreign) account as quickly as possible. In many cases, the sender - here the CEO - is also effectively abroad.

Do you think whaling has nothing to do with you? That’s what other people thought…

We are happy to accept that neither you nor your employees will fall for the clumsy 0815 spam e-mails (they were probably intercepted by your spam filter anyway). But the really nasty cyber criminals aren't stupid. That is why they meticulously prepare themselves for such attacks - often successfully, as these examples show:

• You are bound to have heard of the Dutch film company Pathé. In early 2018, the Managing Director and CFO fell for fraudsters who stole a total of 21 million US dollars.
• In 2017, the CEO of Goldman, an American financial services firm, was duped by identity theft.
• At the Romanian automotive suppliers Leoni, attackers captured a total of 40 million euros with a whaling attack on the CFO.

Unfortunately, these are not isolated cases: According to InfoSecurity Magazine, the success rate of Whaling is around 90%.

Why YOU are the perfect target for a whaling attack

In whaling, the attacker specifically selects who is the sender and who is the recipient. How could he know that? With digital trace search! Whether it’s intentional or not, we all have a vast amount of information on the Internet. Cyber criminals take advantage of this and spy on the target persons, for example via telephone calls. By masquerading as a familiar long-standing customer or employee, personal information is easily accessible. This information can be inserted into phishing e-mails, for example, thus making them more credible.

Attackers are particularly fond of browsing on social networks. On LinkedIn, for example, you can easily find out who has what position. Does your company use social media? Certainly, there is bound to be some kind of bait that can be used for an attack, so you need to be on your guard here too!

If you want to know what a typical phishing e-mail used for 
whaling attacks looks like, download our info graphic! Our pentesters have created an example of a successful phishing
e-mail especially for you. You can also find helpful tips & hints of what to look out for. It is also perfect for heightening staff awareness - download it now for free!

Rumbling cyber criminals’ success stories

Other sources of danger are lurking, apart from demands for payment. Often the senders (under time pressure) demand sensitive information such as credit card numbers, passwords or threaten to publish such information. Or they may ask you to click an attached file or a link in the mail. Thus encryption or blackmail trojans are able to infect the computer or entire networks.

So you won’t be a victim of whaling

You have already taken the first step in the right direction by reading this far. Now it is important to recognise the features of attacks of this kind and to get your employees on board. Whether it's whaling or random phishing, all those persons who are potentially at risk or involved in any way must be trained in how to handle sensitive information. We have summarised the most important short to long-term measures for you:

Measures to take to protect against whaling:

• Potential targets: Directors, CEOs and influential decision-makers must be identified and individually trained. Awareness by management is one of the most important elements in the fight against whaling!
• Create broad internal awareness. A first step is an internal communication. As a second step - above all to create sustainable awareness - we recommend targeted training or tutoring by specialists. You will find more information below.
• For larger money transfers, an internal control mechanism such as the principle of dual control or special release procedures is recommended.
• If you're unsure, the best thing to do is pick up the phone and call the person who sent the e-mail. Also, it should be clearly communicated to others that when in doubt, this is acceptable and desirable. Communication is the be-all and end-all in cyber security too!
• Social media are important sources for obtaining information about the targeted person. Accounts are usually privately held, so you cannot control them, or only to a limited extent. Create a social media policy that enshrines the most important do's & don'ts. You can indicate if information about the company can be shared, and if so, what information. In the case of senior management, it may even be advisable to have the profiles on LinkedIn & Co. checked internally.
• Rely on strong email authentication that automatically protects your networks from spam as far as possible.
• Pay meticulous attention to the content and formal look of a phishing e-mail such as the sender or spelling mistakes. Here, again, it is not just the employees who have to take these precautions, but also, and above all, in fact, the management. In our free infographics, we have compiled for you the most dangerous traps. More information on how to protect yourself can be found in our previous blog posts (Phishing & Spear Phishing).
• In whaling attacks, the alleged sender and the recipient are often working in the same company. An effective, multi-layered e-mail defence includes the identification of external e-mails. This allows you to quickly detect whether the e-mail is actually internal or not. Options for secure e-mail defence include (spam) filters, gateway encryptions, sandboxing, SPF, etc.
• Perform a risk assessment of e-mail and web domains (Business Domain Impersonation). A cloud access security broker or an external security rating such as SecurityScorecard, for example, can be helpful.
• Neither should you as a manager nor your employees ever send unencrypted any confidential, personal or proprietary information!

Security Awareness works at every level

Regardless of whether you are an assistant, a head of the department or Chief Executive Officer - when it comes to security, everyone is equally challenged. Humans are and continue to be the weakest link in the security chain, so it is, therefore, important to sensitise the entire company and heighten security awareness at all levels.

As has already been mentioned above, communication is the first step in the right direction, preferably using easy-to-remember examples such as our infographics. After that, it is important to achieve sustainable security awareness. There are several ways to do this.

Rely on an experienced partner like InfoGuard. In innumerable successfully implemented customer projects, we were able to raise employee awareness and thereby demonstrably improve cyber security.