7 things to know about whaling, the emerging cybersecurity threat

In addition to phishing schemes, ransomware and other cybersecurity scams, whaling is emerging as a growing cybersecurity threat.

Here are seven things to know about whaling.

1. Whaling, also known as CEO fraud, is when a hacker pretends to be an executive or senior leader of a company and sends an email asking a specific individual to wire or transfer money, according to CIO.

2. Whaling has become a significant enough concern that the FBI issued an alert for businesses to be aware and on the lookout for such email scams. The FBI has received complaints of such scams from all 50 states and at least 79 countries in nearly two and a half years. Since January 2015, the FBI reported a 270 percent increase in identified victims of whaling attacks, according to the agency's alert.

3. While other cyber attack tactics generally involve sending spam emails with malicious links — often sent in mass batches — whaling is a targeted attack. Hackers create email addresses that closely mimic those of company executives, and they research companies to mirror the language used to sound like the leader they are impersonating.

"On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software," according to a Krebs on Security report. "But in many ways, CEO fraud is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers."

4. Jay Wessland, vice president and CTO of the NBA team the Boston Celtics, told CIO that basic spam filters typically don't identify whaling emails as spam. And hackers engaging in whaling attacks can easily create new domains to keep sending their messages to employees. "You have to inspect the header of mail more intimately," he said in the report.

5. If an employee sees the email and sends the money, those in the IT sector call it being "harpooned," a somewhat laughable metaphor for a rather serious matter, according to Info World. According to the FBI's alert, businesses paid more than $2.3 billion to scammers who engaged them in whaling attacks from October 2013 through February 2016.

6. The digitization of information and access to personal information via social media is likely to contribute to a rise in whaling attacks, Kim Peretti, director in the forensic services practice at PricewaterhouseCoopers, told Info World.

"As more private information becomes public, through social media sites and otherwise, targeting specific individuals within companies has become easier for hackers and thus a preferred method of attack," Ms. Peretti said in the report. "This proliferation of information on individuals — where they work, with whom they interact socially and professionally, what conferences they attend, when and where they vacation — has enabled hackers to determine not only which individuals at companies may hold the keys to the kingdom, but also to which messages these [people] are most likely to be duped into responding."

7. As with other cyberattack defenses, providing training to employees at all levels is essential to detecting and avoiding a whaling attack. Employees can take basic steps like verifying the sender of a suspicious email, even if it appears a colleague sent it, and not clicking links in emails from unknown senders, experts told Info World.
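An added example, not code from the article or any of the outlets it cites, of the kind of header inspection items 4 and 7 describe: it flags a sender domain that is a near-miss of the company's own, an executive's display name on an outside address, and a Reply-To or Return-Path that steers replies away from the visible sender. The corporate domain, executive roster and sample message are constructed for the demonstration.

```python
import email
from email.utils import parseaddr

# Assumed corporate domain and executive roster (constructed for this example).
CORP_DOMAIN = "example-health.com"
EXECUTIVES = {"jane doe", "john smith"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains that differ by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def whaling_indicators(raw: str) -> list:
    """Return the reasons a message looks like a CEO-fraud attempt (empty list if none)."""
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    # Display name of a known executive, but the address is outside the corporate domain
    if name.strip().lower() in EXECUTIVES and from_dom != CORP_DOMAIN:
        findings.append(f"executive display name '{name}' on external domain {from_dom}")
    # Lookalike domain: close to ours but not ours
    if from_dom != CORP_DOMAIN and 0 < levenshtein(from_dom, CORP_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")
    # Reply-To steering replies to a domain other than the visible sender's
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")
    # Envelope sender (Return-Path) disagreeing with the From header
    _, rpath = parseaddr(msg.get("Return-Path", ""))
    if rpath and domain_of(rpath) != from_dom:
        findings.append(f"Return-Path domain {domain_of(rpath)} differs from From domain {from_dom}")
    return findings

# Constructed sample: a wire request whose sender domain swaps an "l" for a "1"
SAMPLE = """From: Jane Doe <jane.doe@examp1e-health.com>
Reply-To: jane.doe@mail-relay.example.net
Return-Path: <bounce@mail-relay.example.net>
Subject: Urgent wire transfer
"""

print(whaling_indicators(SAMPLE))
```

A real deployment would also consult SPF/DKIM results from the Authentication-Results header, but the four checks above already catch the lookalike-domain and reply-steering patterns the experts quoted here describe.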


© Copyright ASC COMMUNICATIONS 2018.
