Received an email from your company CEO? Beware, this could be a ‘whaling attack’
‘Whaling’ is a sophisticated form of cybercrime through which cybercriminals target high-profile or senior executives of a company, by posing as its CEO.
A ‘whaling attack’ is a sophisticated form of cybercrime in which cybercriminals target high-profile or senior executives of a company, with the aim of deceiving them into revealing sensitive company information or transferring money.
How is whaling different from other methods of cybercrime?
Whaling differs from phishing scams in that the latter targets non-specific individuals. ‘Spear-phishing,’ on the other hand, is similar to a whaling attack in that both target particular individuals.
Whaling, however, goes a step further, with criminals impersonating the company CEO or a senior manager so that the victim feels they have no option but to reveal the information the ‘CEO’ asks for.
Any alternative name for whaling?
For the aforementioned reason, it is also sometimes referred to as ‘CEO fraud.’ It is called ‘whaling’ because those targeted are ‘big phish (fish)’ or ‘whales,’ as are those under whose names the emails are being sent (without their knowledge, of course) to the victims.
What methods are deployed for whaling?
Email spoofing (crafting convincing emails so that these appear to have been sent by the real CEO); social engineering (to gather information about the target so as to personalise the message); and impersonation.
How to prevent a whaling attack?
This can be done by educating employees about such attacks and training them to recognise suspicious requests. Other methods include multi-factor authentication (MFA) for an extra level of protection for sensitive accounts, email authentication protocols, regular security audits, and an incident response plan.
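As an added illustration (not part of the original article), here is how a mail gateway or triage script could combine the email authentication results with a display-name check to flag a likely CEO impersonation. SPF, DKIM and DMARC are the standard email authentication protocols; the executive name, company domain, gateway hostname and sample messages are assumed placeholders constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed placeholders: executive names, company domain, and the hostname
# (authserv-id) your own mail gateway writes into Authentication-Results.
EXECUTIVES = {"jane doe"}
COMPANY_DOMAIN = "example.com"
TRUSTED_AUTHSERV = "mx.example.com"

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts, trusting only our gateway's header."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv = value.split(";", 1)[0].split()
        if not authserv or authserv[0].lower() != TRUSTED_AUTHSERV:
            continue  # a sender can add its own header; ignore it
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results

def whaling_flags(raw):
    """Return the reasons a raw RFC 5322 message looks like CEO impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    flags = []
    if " ".join(name.lower().split()) in EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.append("executive display name on external address")
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        flags.append("Reply-To domain differs from From domain")
    results = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            flags.append(f"{mech} not pass ({results.get(mech, 'missing')})")
    return flags

# Constructed sample messages (not real mail).
SPOOFED = "\n".join([
    'From: "Jane Doe" <jane.doe@mail-provider.test>',
    "Reply-To: j.doe@freemail.test",
    "Authentication-Results: mx.example.com; spf=pass; dkim=none; dmarc=fail",
    "", "Please handle this payment today."])
LEGIT = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass",
    "", "Slides attached."])
```

Note that the spoofed sample passes SPF for its own domain, which is why the display-name and Reply-To checks are needed alongside the authentication verdicts.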
Any recent incident of whaling?
In 2016, a Snapchat HR employee was tricked into revealing payroll information of ‘some current and former staffers.’ More recently, as many as six cases were reported from Pune last year, including one involving global vaccine major Serum Institute of India (SII).