Whaling isn’t a practice you’d normally expect CEOs to be worrying about from the comfort of their desks. But the phenomenon is starting to create ripples in the business community and, worryingly, we’re seeing more of it.
No, we’re not talking about spearing orcas, but about a worrying new trend in cyber-attacks.
What is whaling?
Whaling is a unique type of phishing where CEOs, MDs and other C-level executives are specifically targeted. Cyber criminals often mine for information on these high-level employees, hack into their systems and impersonate them to steal money or data.
The practice gets its name from the idea that hackers are targeting the ‘big fish’.
As an organisation on the front line of cyber security, we’ve seen a real rise in whaling over recent years. Luckily the system we’ve developed is keeping our clients safe but, for others who aren’t protected, the risk is very real.
Why are CEOs and MDs a prime target?
First of all, there’s the obvious: value. C-level executives are inevitably a mine of high-value information and data.
Just as a burglar would more likely target a swanky mansion than a rickety old house, cyber criminals expect to get more out of their efforts when they target a CEO.
They are likely to have information that most others wouldn’t have access to, like details of contract values and secret deals that are in the pipeline. In fact, the lead up to a merger or acquisition is a prime danger zone.
Secondly, people do what CEOs say. If the boss emails asking you to pay a bill, you do it, and that’s often how whalers make their ‘kill’.
It’s also easy for hackers to gather personal information about their victim to make the attack more plausible. CEOs are the ‘public face’ of the business, so there will inevitably be a wealth of information about them in online news articles and on LinkedIn.
Add to this the fact that hackers can easily intercept emails if they’re unencrypted (which most aren’t), and you can see how they can get their hands on pretty much anything.
How do cyber criminals do it?
Whalers build up a picture of the CEO and the organisation. They’ll often rake through a company’s website to see who’s who and decide who they could trick into doing something on behalf of the ‘CEO’.
They can also intercept emails sent by CEOs and use the contents to plan their attack. For example, they may see that the CEO has had an invoice from their lawyer for work on a corporate deal. The whaler could recreate that invoice, replacing the bank details with their own, and send it to the finance director (pretending to be the CEO) asking them to pay it.
Unwittingly, the finance director has just transferred £10,000 to a criminal. And he’s still got the real bill to pay.
How can you stop it happening?
The first line of defence is always to ensure staff are clued up on these types of scam and their warning signs.
Hold regular training and teach them to look out for tell-tale signs of a scam, such as poor grammar, and to hover over the sender’s email address to check it’s the right one.
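The ‘check the email address’ habit can also be automated at the mail gateway. The following is an added example (not part of this post or of the Mailock product): it parses the From and Reply-To headers of an incoming message and flags the patterns a whaling email typically shows. The executive directory and corporate domain are constructed sample values; the lookalike test is a simple edit-distance heuristic.

```python
from email.utils import parseaddr

# Constructed sample data: the executives whalers are likely to impersonate
# and the domains the company legitimately sends from (hypothetical values).
EXECUTIVES = {"Jane Smith": "jane.smith@example.org"}
CORPORATE_DOMAINS = {"example.org"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like_corporate(dom):
    """True if dom is not a corporate domain but is easily mistaken for one."""
    return any(dom != d and (d in dom or edit_distance(dom, d) <= 2)
               for d in CORPORATE_DOMAINS)


def check_sender(from_header, reply_to_header=None):
    """Return a list of warnings; an empty list means no obvious impersonation signs."""
    name, addr = parseaddr(from_header)
    dom = domain_of(addr)
    warnings = []
    # Sign 1: the display name is one of our executives but the address is not theirs.
    expected = EXECUTIVES.get(name.strip())
    if expected is not None and addr.lower() != expected:
        warnings.append(f"display name '{name}' belongs to an executive but address is {addr}")
    # Sign 2: the sending domain merely resembles ours (typo-squat or subdomain trick).
    if dom and looks_like_corporate(dom):
        warnings.append(f"sender domain {dom} resembles a corporate domain")
    # Sign 3: replies are silently routed to a different domain than the visible sender.
    if reply_to_header:
        _, reply_to = parseaddr(reply_to_header)
        if reply_to and domain_of(reply_to) != dom:
            warnings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {dom}")
    return warnings
```

Such checks catch the crude cases only; a whaler who has compromised the CEO’s real mailbox will pass all three, which is why the training and the encryption advice below still matter.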
Secondly, protect the contents of your emails.
Sending an email without encryption is like walking out of your house without closing the door – a burglar can walk straight in. Sending an email with encryption is better: it’s like closing the door. But sending with our Mailock service is like closing the door and locking it behind you.
The system not only encrypts emails so hackers can’t read them, but also allows users to verify they’re opened by the right person. It does this by letting the sender set a challenge question that only the real intended recipient knows the answer to.
Ultimately, by coupling technology with training you are in the best position to protect yourself from being a whaling victim.
Have you thwarted a cyber attacker trying to whale you? Let us know; we’d love to hear your story. You can email us on firstname.lastname@example.org
Find out more about our Mailock system, which costs less than a cup of takeaway coffee a week for business users.