When it comes to fishing, it’s usually the bigger the better. The same is true in the cyberworld: when cybercriminals want to go big, they invest their time and effort into going after the executives at your organization… a technique known as whaling.
To put it simply, whaling is spear-phishing aimed at senior executives (the impersonation side of it is often called CEO fraud). You know, the ones who have all the access and influence. The corner office mafia.
Once cybercriminals have compromised a whale (or can convincingly spoof one, which is often all they need), they pivot to a technique known as business email compromise (BEC): they impersonate the executive and carefully craft personalized emails asking employees to make large transfers or share sensitive data. The authority of the person being impersonated is the lever; it is meant to convince you there is no need to ask further questions about the request. P.S. Your reluctance to question your boss is exactly what criminals count on.
To make their requests even more believable, cybercriminals use legitimate-looking logos and links in their emails, and they mine information about their targets from social media. A photo from a wedding you attended last weekend, or a post about team-building drinks last evening, is enough for a cybercriminal to open with “hope the party last weekend was great!”, which makes the email look that much more credible.
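The tells described above (an executive's name on an address that is not theirs, a lookalike domain, a Reply-To that quietly redirects the conversation, and the urgent money-or-data ask) are the things a mail filter or SOC rule can actually check. The script below is an added example written for this post, not code from the original article: it runs those checks over a few constructed message headers. The executive roster, the example.com / examp1e.com domains and the sample headers are all hypothetical.

```python
import re
from email.utils import parseaddr

# Hypothetical roster of executives attackers like to impersonate, mapped to the
# only addresses they legitimately send from, plus the domains we own.
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
    "John Roe": "john.roe@example.com",
}
INTERNAL_DOMAINS = {"example.com"}

# Words that show up in the classic BEC ask (wire it now, keep it quiet).
URGENCY = re.compile(r"\b(urgent|immediately|wire|transfer|confidential|gift cards?)\b", re.I)


def normalize_name(name):
    """Fold case, spacing and punctuation so 'JANE  DOE' matches 'Jane Doe'."""
    return re.sub(r"[^a-z]", "", name.lower())


def levenshtein(a, b):
    """Edit distance; small values between domains mean a lookalike (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted, max_distance=2):
    for t in trusted:
        if domain != t and levenshtein(domain, t) <= max_distance:
            return t
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(headers):
    """Return a list of (code, detail) findings for one message's headers."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    from_domain = domain_of(addr)

    # 1. Executive's display name on an address that is not the executive's.
    wanted = normalize_name(name)
    exec_match = next((e for e in EXECUTIVES if normalize_name(e) == wanted), None) if wanted else None
    if exec_match and addr != EXECUTIVES[exec_match]:
        findings.append(("exec-name-external", f"'{name}' sends from {addr}, expected {EXECUTIVES[exec_match]}"))

    # 2. Sender domain a couple of edits away from one we own.
    if from_domain and from_domain not in INTERNAL_DOMAINS:
        look = lookalike_domain(from_domain, INTERNAL_DOMAINS)
        if look:
            findings.append(("lookalike-domain", f"{from_domain} resembles {look}"))

    # 3. Reply-To pointing somewhere other than the From domain: replies go to the attacker.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_to.lower()}"))

    # 4. The ask itself: urgency and money/secrecy language in the subject.
    if URGENCY.search(headers.get("Subject", "")):
        findings.append(("urgency-lure", headers["Subject"]))
    return findings


# Constructed sample headers (not real mail): one clean, three whaling-style.
SAMPLES = [
    {"From": '"Jane Doe" <jane.doe@example.com>', "Subject": "Q3 board deck"},
    {"From": '"Jane Doe" <jane.doe@gmail.com>', "Subject": "Urgent wire transfer before 5pm"},
    {"From": '"Jane Doe" <jane.doe@examp1e.com>', "Subject": "Vendor payment - confidential"},
    {"From": '"John Roe" <john.roe@example.com>', "Reply-To": "john.roe@mail-relay.net",
     "Subject": "Need employee W-2 data"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["From"], "->", check_headers(msg) or "clean")
```

Treat this as triage, not a verdict: the display-name and lookalike checks are cheap and catch most spoofed whales, while a genuinely compromised executive mailbox passes all four tests, which is why the payment-approval process itself still needs an out-of-band confirmation step.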
Given how personalized whaling and business email compromise are, they can be difficult to spot. But it’s not impossible. Here are some things you and your organization can do to spot the biggest phish in the sea...
Whaling is big and very profitable for cybercriminals. But don’t get intimidated by the big phish. They aren’t so scary when you know what to look for!