Whaling is an attack that targets credentials and/or personally identifiable information. It is similar to spear phishing except that it targets high-value individuals (C-level executives and senior managers, high net worth clients). It is a social engineering attack that can arrive through many channels, not all of which are electronic.
Goals of Whaling
Typical goals of whaling attacks include: stealing enough information about a person to impersonate them, installing malware for continued attacks against the individual or the company, surveillance, theft of trade secrets, and even data destruction or denial of service.
It is important to understand that whaling is a method of attack that tries to fool individuals into divulging information that is not otherwise publicly known. The approach can range from an email claiming to come from a trusted person in authority, to phone calls, to letter mail.
Ultimately the strongest protection against whaling attacks is to always be skeptical of the source of a request. We are taught in school to use two or (preferably) more sources to validate information as fact; the same applies to protecting yourself from whaling attacks.
- Confirm requests before acting on them. For example, if an employee asks you by email or chat to reset a password, call that employee to confirm the request, using a phone number you already have on record rather than one supplied in the message.
- Do not send sensitive information unencrypted or unsolicited by electronic means. Sensitive information is any information that is not publicly known and that could cause damage to a company or individual if it were disclosed: credit card numbers, a company employee directory, contract documents, executive reports.
- Never open unexpected email attachments, and never click on links sent via email; reach the site by typing its address or using a bookmark you saved earlier.
- Be suspicious of sender addresses and display names. An email can appear to come from someone within the company when in fact the domain (the part of the address after the @) has a slightly different spelling than the legitimate one, such as a digit in place of a letter or a different top-level domain, or the display name is genuine while the underlying address is external.
- Infected computers can send spam, including whaling emails, by harvesting the contact lists stored on the machine. Blocking workstations from sending email directly to the internet helps contain this: configure firewall rules so that only your mail server may make outbound SMTP connections (TCP port 25), and apply outgoing email filtering on that server.
- Use mail filtering and blocking technology on your mail system:
  - Filtering can block the commonly used spelling variations of your own domain and those of your partners.
  - Publish SPF, DKIM and DMARC records for your domain and check them on inbound mail. Publishing them lets your customers and vendors verify that mail claiming to come from you is genuine, so your legitimate email is less likely to be blocked; checking them on inbound mail lets you reject messages that fail the sending domain's own policy, for any domain that publishes one.
  - Use geoblocking if your firewall supports it when hosting your own email server, to quickly cut off most unsolicited connections from countries you never do business with. This reduces noise rather than stopping a determined attacker, who can send from infrastructure in your own country.
- Occasionally test your executives and senior managers by having a third party craft a whaling campaign against your company. Before you do this, be sure to get approval from your executive team. Employee education is important, and awareness and training are some of the best techniques to protect your company from whaling. When you test, the results will give you a good sense of the effectiveness of the educational campaign, and the exercise will give the targeted employees greater awareness of the seriousness of the challenge.
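The lookalike-domain, display-name and SPF/DKIM/DMARC checks above can be scripted at the mail gateway. The following is an added example written for this article, not code from the original post or from any mail product: it triages a raw inbound message for the indicators discussed here (a sender domain one edit away from a trusted domain once common digit-for-letter substitutions are undone, an executive's display name on an external address, a Reply-To that differs from the From address, and authentication results that did not pass). The trusted domains, executive names and both sample messages are constructed for the demonstration.

```python
"""Triage an inbound message for common whaling indicators (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Assumed: the organisation's legitimate domains and the executives whose names
# an attacker would most want to borrow (both constructed for this example).
TRUSTED_DOMAINS = {"example.com", "example-corp.com"}
EXECUTIVE_NAMES = {"jane doe", "richard roe"}

# Substitutions commonly used to build lookalike domains: digits for letters and
# letter pairs that render like a single letter. They are undone before comparing.
CONFUSABLES = (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"))


def normalize(domain: str) -> str:
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain one edit from a trusted one is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    """True for a trusted domain or any subdomain of one."""
    return domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is not a near miss."""
    if is_internal(domain):
        return None
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(norm, trusted) <= 1:
            return trusted
    return None


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results header(s)."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", header, re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def triage(raw_message: str) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []

    target = lookalike_of(from_domain)
    if target:
        findings.append(f"lookalike sender domain {from_domain} resembles {target}")

    # A genuine executive's name on an address outside the company is the classic whaling lure.
    if display_name.strip().lower() in EXECUTIVE_NAMES and not is_internal(from_domain):
        findings.append(f"display name '{display_name}' used from external domain {from_domain}")

    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            findings.append(f"{method}={verdicts.get(method, 'missing')}")
    return findings


# Constructed samples: a forged executive request and a legitimate internal mail.
WHALING_SAMPLE = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail.example.net
To: finance@example.com
Subject: Urgent wire transfer before the board meeting

Please process the attached invoice today and keep this confidential.
"""

LEGIT_SAMPLE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 report

Draft attached for review.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", WHALING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, triage(sample) or ["no indicators"])
```

The Authentication-Results header is only meaningful when your own edge mail server stamped it; an attacker can include a forged copy, so a production filter should strip any pre-existing copies at the gateway before adding its own. The confusable list is deliberately short; extend it with the substitutions your filter actually sees, and expect some false positives on legitimate domains that happen to contain the paired letters.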
Check out more of our How-To’s for additional great tips like this one.