A whale phishing attack is a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO, in order to steal sensitive information from a company. Common whaling targets, like media spokespersons or C-level executives, by nature have more information about them publicly available for attackers to gather and exploit. Due to their seniority, they may also have greater internal data access than the average employee: More confidential information is available to them via their internal credentials, and in some cases, they might even have some level of administrative privilege. While the pool of potential targets for whaling at one organization might be quite small compared to the overall employee roster, the stakes are much higher.
How does it work?
Whale phishing requires extensive research on the victim because the attacker needs to know who the intended victim communicates with and the kind of discussions they have. For example, the attacker might look into public records for references to customer complaints, legal subpoenas, or even a problem in the executive suite. The attacker might also gather details on the target by reviewing the victim’s social media accounts.
Whaling attack emails and websites are highly customized and personalized, and they often incorporate the target’s name, job title or other relevant information gleaned from a variety of sources. This level of personalization makes it difficult to detect a whaling attack.
Defending against whale phishing
- Implement multi-layer security systems
- Make email security training mandatory
- Implement secure financial transfer rules
- Update cybersecurity training and policies
- Use mock-whaling attacks
Whaling attacks are only effective because of human error. Educating yourself and other employees and implementing the right security measures will greatly decrease the chances of an enterprise falling victim to a whaling attack.
Logix Infosecurity, with its team of experts, helps organizations and CISOs better manage their security. We understand the industry and the organization, and deploy the best tools to keep the organization safe from cyber threats. Our email security solutions are also in line with preventive measures and help CISOs make better decisions while evaluating security.