Whaling – hacking minds, not computers

While the cyber-security industry is dead certain that ransomware is on the rise, a related tactic is also increasing, one that doesn’t rely on exploiting network security but on exploiting the heads of employees.

Whaling, a type of business email compromise, is named for its targeting of company executives rather than the ‘small fry’. Unfortunately, there are few advanced threat protections, anti-virus products or email and spam filtering solutions that will defend the minds of employees from being hacked.

Cybercriminals will typically pull off a whaling attack slowly. Months will be spent collecting intelligence on the inner structure of an organisation, identifying the power players and where important assets lie.

Then, just before the gang is ready to pounce, they’ll construct an email address as close as possible to that of an executive or senior member of the organisation. On the day of attack, a member of the IT support team or finance department will be contacted. The message will seem like it’s from a member of the organisation’s command structure.

The tone is often urgent, intended to make the employee work as fast as possible and not think about the questionable integrity of the correspondence. Before long, the ‘executive’ will get that employee to hand over computer security credentials, or even large wire transfers. With that, the company has been successfully whaled.

Companies have lost vast sums of money due to this practice over the last couple of years. One Bitcoin broker lost millions to someone who impersonated the CFO last year. Seagate, a hard drive manufacturer, is now being sued by its employees for falling victim to a whaling attack which allowed its tax records to be stolen.

But where traditional network security might fail, there are other defences that might insulate the workforce from this kind of social engineering attack. As always, the best countermeasure against a creative hacker is training. Employees must be taught to know when something is fishy; knowing what a legitimate email looks like is key, as is learning how to verify a sender’s identity and to obtain secondary approval before processing money order requests.
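As an added illustration of the checks described above (example code, not part of the original article), the Python function below screens one message for the telltale signs of a whaling email: a sender domain that is a near-miss of the company’s real domain, an executive’s display name on an outside address, a Reply-To that routes answers elsewhere, and pressure language. The company domain, the executive name and the message itself are constructed sample values.

```python
import email
from email.utils import parseaddr

# Constructed sample: lookalike domain, an executive's display name, an urgent request.
SAMPLE_MESSAGE = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@mail-examp1e-corp.net
Subject: Urgent wire transfer

Please process this wire immediately, I am in a meeting and cannot talk.
"""

URGENCY_PHRASES = ("urgent", "immediately", "asap", "cannot talk", "right away")


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(raw, trusted_domain, executives):
    """Return the list of whaling indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []
    # 1. Lookalike domain: close to the real one but not identical.
    if from_domain != trusted_domain and edit_distance(from_domain, trusted_domain) <= 2:
        reasons.append("lookalike sender domain %s" % from_domain)
    # 2. A known executive's display name on an address outside the company.
    if name.lower() in (e.lower() for e in executives) and from_domain != trusted_domain:
        reasons.append("executive display name on external address")
    # 3. Reply-To sends the answer to yet another domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    # 4. Pressure language typical of the attack.
    body = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [p for p in URGENCY_PHRASES if p in body]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for r in assess_message(SAMPLE_MESSAGE, "example-corp.com", ["Jane Doe"]):
        print("FLAG:", r)
```

Any non-empty result is a cue to verify the request out of band, over a known phone number rather than by replying, before credentials or a transfer are handed over.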