What are Phishing and Whaling?
The first thing to understand is the basics of phishing and whaling. If you’ve heard these terms but are not 100% sure about how it works, then you’re lucky enough to have never been a target.
Phishing is the original practice. It involves sending a fake email address to a targeted employee. The email pretends to be from someone that the employee knows and would trust. A coworker, their boss, or a friend whom they have emailed with at work before. Or it might be a generic message pretending to be from the person’s bank or a social media platform. The email is usually simple and usually involves a request to open an attached file. In the file, of course, is malware that will sneakily download and install itself on the computer the moment the employee clicks the link.
Spear-phishing, which you also may have heard of, is simply more targeted. It involves the hacker doing more research on the person they’re targeting and the person they’re impersonating. The hacker may research social media to try and type with the same phases and cadence as the person they’re impersonating. They may try to use gleaned personal information to add authenticity. And they are trying to pull on the relationship between the target and whoever they are impersonating.
Whaling is an evolution of spear-phishing in which the targets involved are higher in the authority chain and, therefore, have more power to give the hacker something beyond a malware-infested click. In other words, spearing “bigger fish,” hence whaling.
In a whaling scenario, the hacker usually tries to impersonate someone very high up in the business, like the CEO, a VP, or a department head. They study the exec’s social media to learn how they talk, and who they most often talk with. Then the hacker sends an email impersonating this exec to either an employee or another higher-up in the company in order to get something. That ‘something’ is usually either money (as a wire transfer or other online means) or insider information about the company.
Phishing is a Threat to Every Business
The problem is that most companies underestimate the damage that phishing can do. If you’ve been aware of cybersecurity for some time, you know that phishing is ‘old news.’ It’s also not a very complicated kind of hack, because it relies on human error rather than infiltrating your defenses. But the reason hackers still use it and use it so abundantly, is because it works.
No matter how secure your data security infrastructure is, one misguided click from an employee checking their media can get your business network infected and breached. And the worst part of malware-phishing is that usually, the employee has no idea what they’ve done. Whatever they clicked will appear to open a legitimate file. Whatever little question was used to lure them will be answered. But somewhere on your network is ransomware, spyware, or a rootkit waiting to strike.
How Whaling Works
Now let’s talk about whaling, which is a whole other kettle of fish — so to speak. Unlike phishing, the primary goal of whaling is almost never to spread malware. Instead, the hacker works hard to impersonate someone important and then use the power of that authority to get what they really want: money or information.
Sometimes, they use their spoofed exec email address to frighten or coerce underlings into doing their bidding. Using the subtle suggestion that not complying with their (probably fishy) request might be a firing offense. Their goal is to get someone to comply right away without asking any questions that might raise alarms. Which is why it works on unprepared employees.
Other times, they use the exec identity to get something from another organization higher-up. Someone who might be the only one with the authority to fulfill their desire. Like a direct wire transfer to a previously unknown bank account. Or the release of sensitive company or employee files. In this case, they hope to use the camaraderie and respect for the mutual position that usually exists between a company’s C-level leadership.
We don’t have to tell you the kind of damage a hacker can do with the ability to transfer money or steal documents directly from ‘willing’ employees. If whaling goes uncaught long enough, it can completely ruin a business. And the underhanded tactics hackers will try appear to be endless.
We’ve heard of whaling attacks that claimed that the company had been subpoenaed so the target had better share some important files quickly. Using the subtle threat of legal repercussions. We’ve heard of hackers demanding a convoluted scheme involving gift card codes. But what astounds us most is how stupid hackers can be after putting in all that effort to impersonate a company executive.
Keeping Your Company Safe from Whaling and Phishing
You can make sure that every single member of your staff knows what a phishing email looks like and how to spot a whaling attempt. The best way to learn social engineering defenses by heart is with thorough training and regular spontaneous cybersecurity drills. But here are a few pointers just to get you started while you work out the details:
- Use a cloud-based document manager instead of ever opening or downloading an external file
- Watch out for any unusual or unexpected messages
- Always double-confirm requests involving sensitive information or money. Use a second communication channel, like a phone call or inter-office chat.
- If the email is from someone you know, but for some reason, the message is not connected to your contacts list, beware!
- Don’t Trust Metadata: Just because it says “From VP Gina Marblott” doesn’t mean it’s actually from your boss Gina.
The best way to protect your website data and the team from both Phishing and Whaling is to combine staff training with a comprehensive data security approach. Our website security team can help you lock down your website and offer a few pointers on how to prepare your team to avoid being phished and whaled by working together with the tools at hand. Contact us today to find out more about keeping your website and business safe.