Most everyone understands what phishing is: Hackers send an email that disguises their identity. They pretend to be a trusted individual – or a representative from a trustworthy organization – and ask for recipients to click a link or provide sensitive information, such as passwords.
When that happens, the hackers can gain access to the company network and do their damage. Phishing takes a broad approach. Hackers send their emails to an entire company, hoping to get a nibble and reel in any size of “ph/fish.”
Whaling is a little bit different – and can cause even more catastrophic losses. Whereas phishing could include such nefarious practices as sending ransomware, whaling is more targeted and more complex.
Harpooning the C-suite
When hackers engage in whaling, they go after the big fish, the C-level people who have more power and access to more important information. One popular time-intensive whaling technique is on the rise.
They hack into a company’s system using users’ weak passwords to watch how a company functions. After they’ve gathered enough information, they can hone in on their targets, doing more damage and getting more of what they want. It’s a much less random process than phishing and can result in devastating consequences. By watching and waiting, hackers essentially know how an organization functions, how payments are released, who approves what, and so on.
Which users’ weak passwords do those hackers use? The big fish. You know who you are! If you’re using your kids’ names, your birthday, your name, a sequence of repeated characters, or even the dreaded “password” as a password, you are putting the whole of your organization at risk.
Wire transfer requests are one way in which C-suite executives fall prey to hackers’ methods. Whalers take aim at an executive who has the authority to initiate a wire transfer by setting up a fake website to pose as a vendor, sending an invoice to a specific, targeted individual (such as the CEO), and sitting back to watch the money roll in.
A huge amount of money can be lost to this deception. BNC Systems has encountered companies that want to tighten their security after losing millions of dollars to fraudsters in exactly this way.
Protect Your Business
You don’t have to overhaul your entire IT security system in order to deflect hackers’ attempts at whaling. There are a few simple solutions you can employ to protect your business.
First, create password policies and protocols – for everyone. Require that all people who use your company’s network work only with complex passwords. This could mean requiring a certain number of characters, both lower- and uppercase letters, numbers, and symbols. And, don’t let people get too attached to their passwords; they should be changed every 90 days.
Then, take some time for basic security training of all employees, regardless of hierarchy. Even very smart, well-seasoned executives can fall for a scheme if they don’t know which clues suggest fraud.
For example, a CEO may get an email asking for past-due payment that appears to be from someone they trust. A busy executive may simply forward this email with an approval message to Accounts Payable. But, a hacker may have been watching how this executive handles such situations, counting on the fact that a spoofed email will result in a big payout.
User education encourages vigilance and could prevent these types of big losses. One tip that could save executives from falling for a whaling scheme is to hover their cursors over email addresses, which could reveal different addresses, thus exposing a spoofing scam. Protocols around exposure of such emails should also be developed. For example, if someone receives a suspicious email, it should be forwarded to someone in the IT department for investigation.
Technology can also be used to prevent whaling. Mimecast protects users from falling for clever scams by flagging external emails. This keeps users in a state of awareness and makes it safer for everyone – from the big fish to the little fish – to use email. BNC offers a wide array of security services.
To learn more about cyber security, please reach out to our security experts.