TechLand Blog

Whaling: The higher the position, the stronger the threat

The human resource of an organization is its most valuable asset. But what happens when this asset fails to recognize and defend itself against the alarming threat of being phished? 

This is where the term whaling comes in. It stems from the fact that whales are the largest mammals in the sea and a dream catch for those who fish there. Similarly, fraudsters may go the extra mile to phish a company's lucrative executives instead of spending time on middle and low-level employees.

A member of the phishing family, whaling is a sophisticated attack that targets executives in the top management of an organization with malicious intent, such as leaking confidential information or damaging corporate reputation. Attackers usually use elaborate social engineering to reach a company's high-value executives, pushing the targets into decisions that can cause major losses to other stakeholders.

Before getting into the details of how the attack takes place, let's understand what may motivate an attacker to whale a company official.

What purpose does a whaling attack serve?

1. Money heist: The primary motive of a whaling attack is to trick top-level executives, like the CEO, into making wire transfers of large sums of money to unauthorized accounts through Business Email Compromise (BEC).

2. Corporate damage: Attackers may also use a whaling attack to steal confidential information, such as intellectual property, and sell it to the company's competitors at a higher value. This, in turn, may damage the company's reputation in the global markets.

3. Supply chain disruptions: By targeting the vulnerable elements in the supply chain, whalers may cause disruptions in the vendor-management relationship. In product-based organizations, for example, a phishing message directed to the supply chain head regarding faulty vendor payment clearance can create chaos and cause mistrust. 

How does a whaling attack work?


How to protect against whaling attacks?

While the ultimate targets are top-level executives, defending against a whaling attack requires a joint effort from every employee in the organization. Some of the defenses are as follows:

1. Awareness programs

Cybersecurity training and awareness programs must be a priority for tech as well as non-tech businesses to combat whaling. Lower-level employees must be trained to tell genuine communication from fake, for example by checking email addresses. In the case of line managers, where authority is evenly distributed, such awareness is of prime importance so that middle and low-level employees do not end up exposing the top executives to any kind of phishing message.

2. Social media boundaries

The top managers of organizations must learn to use social media wisely, both in the amount of information they share and in the quality of people they allow into their network. This limits the information about any executive that is available to fraudsters, whose social engineering attacks depend on in-depth research.

3. Multi-step verification

Executives who have access to sensitive information and the authority to initiate wire transfers must be protected by multi-step verification before any transaction is completed or information is unlocked. All files and documents must be audited regularly by scanning them for malware, viruses and other malicious content.

4. Anti-phishing tools 

Several organizations provide anti-phishing software to detect and block unscrupulous sources from sending fraudulent business emails. Employing such tools can reduce the susceptibility of top executives to a potential whaling attack. These organizations also provide multiple resources to educate the company's employees on trending forms of phishing attacks and the latest threats.
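The sender checks that awareness training teaches and that anti-phishing tools automate can be sketched as follows. This is an added example, not code from the article or from any product; the company domain, the executive name, the similarity threshold and the sample messages are all assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration only (not from the article).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}          # normalised display names of top management
LOOKALIKE_THRESHOLD = 0.85         # assumed similarity cut-off

def _domain(address):
    return address.rpartition("@")[2].lower()

def check_sender(raw_message):
    """Return the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = _domain(addr)
    findings = []
    if domain != COMPANY_DOMAIN:
        # An executive's name on an outside address is a common whaling lure.
        if " ".join(name.lower().split()) in EXECUTIVES:
            findings.append("executive name on external address")
        # Near-identical domains (examp1e.com) are easy to miss by eye.
        score = SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio()
        if score >= LOOKALIKE_THRESHOLD:
            findings.append("lookalike of company domain")
    # Replies silently redirected to another domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != domain:
        findings.append("Reply-To domain differs from From domain")
    return findings

# Constructed sample messages, not real traffic.
def _mail(sender, reply_to=None):
    headers = [f"From: {sender}", "Subject: Urgent wire transfer"]
    if reply_to:
        headers.append(f"Reply-To: {reply_to}")
    return "\n".join(headers) + "\n\nPlease process today.\n"

SAMPLES = {
    "genuine": _mail('"Jane Doe" <jane.doe@example.com>'),
    "lookalike": _mail('"Jane Doe" <jane.doe@examp1e.com>'),
    "reply_redirect": _mail('"Jane Doe" <jane.doe@example.com>', "jane.doe@mailbox.test"),
    "vendor": _mail('"Acme Billing" <billing@acme-supplies.test>'),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_sender(raw) or "no findings")
```

A flagged message is a prompt to verify the request through a second channel, not proof of fraud; the heuristics here look only at header text and do not replace the multi-step verification described above.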
