Attackers Are Having a Whale of a Time 

Many historic New England towns once featured a profitable commercial whaling industry. Fortunately, that has been banned in most parts of the world, replaced by whale watching trips popular with tourists and locals alike.

The humpbacks might be off the hook, but there is a new kind of “whaling” on the scene. It’s a subset of phishing aimed at high-level targets such as small business owners and executives. And it’s only building in popularity – whaling attacks increased by an estimated 200% in 2017.

Go Big or Go Home

If an attacker can fool a so-called “whale,” they could get to the top tier of information: financial data, employee information, intellectual property, business plans, and more. Business owners and executives are tempting prey:

  • They often have the most access to financial accounts and sensitive business data.
  • They have the authority to make things happen quickly inside the business, typically a key appeal for cybercriminals.
  • They usually have high-level business system and network access.

A successful attack can have a huge payoff. In 2016, the CEO of an Austrian aircraft manufacturer lost the company €50 million after falling victim to a whaling attack. The company struggled to recover, and the CEO, the CFO, and several other employees were subsequently terminated. Had the same attack been targeted at a lower-level employee, they wouldn’t have had the authority to make such a large transaction.

Attackers Go Into the Deep

Phishing attacks are often carefully crafted to look very real, but whaling attacks start with deep research and are micro-targeted:

  • Emails contain highly personalized details, referring to real employees, customers, and projects.
  • Requests often play into authority, intimidation, or panic.
  • Whalers use real business terms and a professional tone to mimic emails from trusted parties.
  • Attacks are sometimes coupled with a fake phone call or other social engineering tactic.

Part of the issue is that it’s getting easier for attackers to find information to craft an attack. Business owners and executives are high profile; they have to be. Personal and professional social media, the company website, and the blog are full of content for a convincing whaling attack.

Whalers also know that high-level managers are busy and under pressure. Executives frequently field legitimate requests for sensitive information and large payments, so an attack might not be immediately obvious.

Dodging the Harpoon

Educate yourself and any senior management on the warning signs of a phishing attack, and common examples of a whaling attack. Be sure to review emails methodically – we’re all busy, but taking that little bit of extra time could mean the difference. To start, always ask yourself: “Am I expecting this email?” If the answer is “no,” it requires more research, even if the sender appears to be someone in your own organization. If there is any doubt, don’t hesitate to call the sender at their publicly posted number. They can confirm legitimacy and will be happy to see that you take cybersecurity so seriously.

Stay Safe,

Your Friends @ Defendify
