Whaling, a targeted form of spear-phishing, now targets many business executives such as CEOs, CFOs and CTOs.
While a regular phishing attack attempts to steal sensitive information from any user, whaling targets a specific corporate employee for a range of possible motives.
Attackers usually craft emails that look legitimate and urgent; these fool business executives into believing that the email was sent by another member of the company or by a legitimate authority such as the government. Such emails are typically designed to look like critical business correspondence and may contain a link to a harmful website.
Web pages linked from these emails frequently look like regular websites and ask the user for a username and password. When the user submits the login details, an error message such as 'incorrect information, try again' is displayed even though the details are correct. By then the attacker already has the username and password the user provided, and has most probably installed a keylogger that tracks everything the executive does!
Regrettably, many organisations have fallen victim to whaling attacks, including the U.S. Federal Bureau of Investigation (FBI). According to a report by one firm, whaling attacks alone were up 270 percent from January to August 2015, and businesses lost $800 million to $1.2 billion over a two-year period.
As whaling occurs over email and websites, it can be prevented by analysing emails and not clicking on anything that looks suspicious. Avoiding doubtful content is a good way to start, as it means no malicious code is executed. In addition, any new email that asks for personal or business details should be confirmed with the sender first, since attackers can make emails seem entirely legitimate.
Overall, users can greatly decrease their chances of being attacked by checking content for signs of illegitimacy first.
Through our new security policy, Rocketseed ensures vital email security criteria are met: any significant money transaction requested via email should always be confirmed by phone or Skype first.
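The two pieces of advice above (analyse the email before acting, and confirm any money request out of band) can be turned into a triage check. The following is an added example, not Rocketseed's code or policy tooling: it parses a constructed whaling-style message and flags the indicators the post describes (an external or lookalike sender domain, a Reply-To pointing elsewhere, payment language, urgency), then tells the recipient whether the phone-verification rule applies. The organisation domain, the sample message and the keyword lists are assumptions.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# Constructed sample of a whaling-style message (not a real capture).
SAMPLE_EMAIL = """\
From: "Jane Doe (CFO)" <jane.doe@examp1e-corp.net>
Reply-To: finance-desk@mailbox-relay.example
To: ceo@example-corp.com
Subject: URGENT: wire transfer needed before close of business

Please process the attached invoice today and confirm once the funds are sent.
"""

INTERNAL_DOMAIN = "example-corp.com"  # assumed organisation domain
PAYMENT_TERMS = ("wire transfer", "invoice", "payment", "bank details", "funds")
URGENCY_TERMS = ("urgent", "immediately", "today", "before close")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def assess_message(raw: str, internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Return whaling indicators found in a raw RFC 5322 message.

    The flags are triage heuristics, not proof of an attack; they tell the
    recipient when the policy applies: confirm by phone before moving money.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()

    external = from_domain != internal_domain.lower()
    # A sender domain that closely resembles ours is the classic impersonation trick.
    similarity = difflib.SequenceMatcher(None, from_domain, internal_domain.lower()).ratio()
    flags = {
        "external_sender": external,
        "lookalike_domain": external and similarity >= 0.7,
        "reply_to_mismatch": reply_domain != from_domain,
        "payment_request": any(t in text for t in PAYMENT_TERMS),
        "urgency": any(t in text for t in URGENCY_TERMS),
    }
    # A money request from outside, or one steering replies elsewhere: verify out of band.
    flags["verify_by_phone"] = flags["payment_request"] and (
        flags["external_sender"] or flags["reply_to_mismatch"]
    )
    return flags


if __name__ == "__main__":
    for name, value in assess_message(SAMPLE_EMAIL).items():
        print(f"{name:>18}: {value}")
```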