A new sport has come to our cyber shores, taking phishing to a whole new level. Whaling, as it is called, is a phishing attack where perpetrators are after bigger “fish”. This scam targets senior executives and business owners, by having them reveal information that allows the perpetrator to gain access to more than just data. They try to scam senior executives who have access to sensitive business functions like finance applications and IT infrastructure.

What are the whalers doing?

Whalers attempt to gain access in a variety of ways. Typically they will send an email that establishes a pretext, which entices or encourages the recipient into taking action. Examples include requests to pay fake invoices, requests to update passwords, or requests for an immediate transfer of funds. Their approach is to look legitimate so that the person receiving the scam doesn’t think to follow good security procedures, and performs the attacker’s desired action without thinking too much about it. Attackers usually invest time to research or learn about the company and the target to be able to represent themselves as a current customer or vendor, or even go so far as to steal credentials from a legitimate source such as a business partner. They often use prior phishing attacks to get access to some of that basic but useful information.

What do whalers want to get access to?

The objective of a whaling attack is to get access to corporate systems or resources - bank accounts, cloud services, core email IDs - so they can exploit the company and get a digital pathway to employees and customers. They seek to gain and control credentials (like an executive’s username and password), funds transfers, or the ability to take control of systems.

Why do they target small and medium enterprises?

Whalers seek out senior executives at smaller companies, who share many characteristics: 1) SME executives are often doing more than one job at a time, so they respond to requests with less attention to small details, or 2) they have not yet developed the processes (like 2-person sign off on funds transfers) which larger companies have adopted to minimize fraud. In short, they know that SMEs are a good prospect for their scams.

How do I know I’ve been “whaled on?”

There are a few signs that should send up red flags of a whaling attack.

  • The bank statement. Banks should flag unexpectedly large payments, but a simple way to check is to make sure to review bank statements routinely. Once per month may be OK, but more reviews are better for catching fraud early.
  • Malware. Delivering ransomware is a common goal of a whaling expedition. Ransomware attacks lock you out of critical data or systems; since executives have access to large amounts of sensitive info, they’re quite likely to pay a ransom to regain access. Other types of malware may go undetected for a longer period of time, such as a keylogger installed by an attacker, which steals everything that you type. Unless security software is installed on your computer, this malware can go undetected, allowing the attacker to steal sensitive data used by execs.
  • Credentials request. Many cloud providers and financial services companies confirm password change requests. While this may seem laborious if you change passwords a lot, it can also be a red flag if you receive such a request but haven’t tried to change your password. When an attacker steals a password, they’ll often change it to lock the intended user out of their account. A simple fix for this is to use two-factor authentication, which makes it harder for an attacker to change the password.

How can I protect myself from being whaled on?

We at Zeguro believe there are a number of ways to keep yourself, your employees and your company safe from the whalers. We’ve highlighted good practices in our previous post on the topic. Additionally, you can put safety nets in place with relevant cyber training, establish verification steps for vital business processes (like funds transfers), and require two-factor authentication for vital systems your company uses. Most importantly, you should implement continuous cyber risk management tools to keep an eye on your systems, freeing up your attention for all the other hats you wear as a small business executive.
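
One way to turn the 2-person sign off and funds-transfer verification steps mentioned above into an enforceable check is sketched below. This is an added example, not code from Zeguro or the original post; the threshold, field names, account IDs and email addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy value for illustration; set it to suit your own business.
DUAL_APPROVAL_THRESHOLD = 1_000  # at or above this amount, two approvers are required

@dataclass
class TransferRequest:
    requester: str        # who asked for the payment (e.g. the email's sender)
    payee_account: str
    amount: float
    payee_verified_out_of_band: bool = False  # confirmed via contact details already on file
    approvals: set = field(default_factory=set)

def approve(req, approver):
    """Record an approval; a requester can never approve their own request."""
    if approver == req.requester:
        raise PermissionError("requester cannot approve own transfer")
    req.approvals.add(approver)  # a set, so one person approving twice counts once

def release_blockers(req, known_payees):
    """Return the reasons the transfer must not be released (empty list = OK)."""
    blockers = []
    needed = 2 if req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(req.approvals) < needed:
        blockers.append(f"needs {needed} distinct approvers, has {len(req.approvals)}")
    if req.payee_account not in known_payees and not req.payee_verified_out_of_band:
        blockers.append("new payee not verified out of band")
    return blockers

def demo():
    known = {"ACCT-VENDOR-001"}  # constructed sample data
    # Constructed scenario: an urgent email in the CEO's name asks for a
    # transfer to an account the company has never paid before.
    req = TransferRequest("ceo@example.com", "ACCT-UNKNOWN-999", 48_000)
    approve(req, "finance.lead@example.com")
    approve(req, "finance.lead@example.com")  # duplicate, still one approver
    first = release_blockers(req, known)
    approve(req, "controller@example.com")
    req.payee_verified_out_of_band = True
    return first, release_blockers(req, known)

if __name__ == "__main__":
    print(demo())
```

The point of the check is that an urgent, legitimate-looking request from a senior name cannot move money on its own: a second person and an independent confirmation of the payee are both required before release.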