APRIL 2019 INFORMATION & NETWORK SECURITY

WHALING ATTACK

A whaling attack is a kind of phishing scam and CEO fraud that targets high-profile executives with access to highly valuable information. In a whaling attack, hackers use social engineering to trick users into divulging bank account data, employee personnel details, customer information or credit card numbers, or even into making wire transfers to someone they believe is the CEO or CFO of the company.

1. DEFINITION

A whaling attack is a targeted attempt to steal sensitive information from a company, such as financial information or personal details about employees, through the CEO, CFO, or other executives who have complete access to sensitive data.

2. THE TERM 'WHALING'

The term "whaling" is used because of the size of the targets relative to those of typical phishing attacks. "Whales" are carefully chosen because of their authority and access within the company.

3. EXAMPLES

In early 2016, the social media app Snapchat fell victim to a whaling attack when a high-ranking employee was emailed by a cybercriminal impersonating the CEO and was fooled into revealing employee payroll information.

In March 2016, an executive at Seagate unknowingly answered a whaling email that requested the W-2 forms for all current and former employees. The incident resulted in a breach of income tax data for nearly 10,000 current and former Seagate employees, leaving those employees susceptible to income tax refund fraud and other identity theft schemes. Seagate notified the IRS of the data breach.

4. WHY ARE WHALING ATTACKS SUCCESSFUL?

Whaling attacks use fraudulent emails that appear to be from trusted sources to try to trick victims into divulging sensitive data over email, or into visiting a spoofed website that mimics that of a legitimate business and asks for sensitive information such as payment or account details.

Whaling emails and websites are highly personalized towards their targets and often include the targets' names, job titles, and basic details to make the communications look as legitimate as possible.

Whaling attacks are more difficult to detect than typical phishing attacks because they are so highly personalized and are sent only to select targets within a company.

Whaling attacks can rely solely on social engineering to fool their targets, though some cases will use hyperlinks or attachments to infect victims with malware or solicit sensitive information.

5. DEFENCE AGAINST WHALING ATTACKS

- Educate employees about whaling attacks and how to identify phishing emails.
- Flag all emails that come from outside the organization.
- Discuss the use of social media with the executive team as it relates to phishing.
- Establish a multi-step verification process for all requests for sensitive data or wire transfers.
- Enforce data protection and data security policies.
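The external-mail flagging and verification-step defences above, as an added example that is not part of the infographic: a mail-gateway-style check that tags messages from outside the organisation, flags an executive's display name appearing on a non-corporate address (the impersonation pattern in the Snapchat and Seagate cases), and marks requests for payroll or W-2 data for out-of-band verification. The organisation domain, executive directory and sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr, getaddresses

ORG_DOMAIN = "example.com"                    # assumed internal domain (constructed)
EXECUTIVES = {"alice ceo"}                    # constructed directory of executive display names
SENSITIVE = ("w-2", "payroll", "wire transfer", "bank account")

def analyse_message(raw: str) -> dict:
    """Return tagging and verification decisions for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    external = domain != ORG_DOMAIN
    reply_to = [a for _, a in getaddresses([str(msg.get("Reply-To", ""))]) if a]
    subject = str(msg.get("Subject", ""))
    body = str(msg.get_payload())
    reasons = []
    if external:
        reasons.append("external sender")
    # Display-name impersonation: an executive's name on a non-corporate mailbox.
    if external and name.strip().lower() in EXECUTIVES:
        reasons.append("display name matches executive")
    # A Reply-To that redirects answers away from the sender is a classic tell.
    if reply_to and any(r.lower() != addr.lower() for r in reply_to):
        reasons.append("reply-to differs from sender")
    text = (subject + " " + body).lower()
    if any(k in text for k in SENSITIVE):
        reasons.append("requests sensitive data")
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject            # defence: flag all outside mail
    # Defence: multi-step verification for external requests for sensitive data.
    verify = external and ("requests sensitive data" in reasons
                           or "display name matches executive" in reasons)
    return {"external": external, "reasons": reasons,
            "subject": subject, "require_verification": verify}

# Constructed sample messages: one impersonation attempt, one genuine internal mail.
SAMPLE_WHALING = """From: Alice CEO <alice.ceo@example-mail.net>
To: bob.payroll@example.com
Subject: Urgent: W-2 forms for all employees

Bob, please send me the W-2 forms for all current and former employees today.
"""
SAMPLE_INTERNAL = """From: Alice CEO <alice.ceo@example.com>
To: bob.payroll@example.com
Subject: Board deck

Bob, the board deck is in the shared drive.
"""
```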