Also known as a CEO fraud attack, the Whaling attack belongs to the family of phishing scams and is designed to trick users into performing a specific action.
In a Whaling attack, the criminals impersonate a member of senior management, usually the CEO of the company, in order to trick other key personnel in the organization into handing over financial and confidential information. The goal is to carry out illegal activity, steal sensitive data, or gain unauthorized access to the user's device.
Ordinary phishing attacks are usually untargeted; a Whaling attack, by contrast, is highly specific. When an email appears to come from the CEO of the company, users are far more likely to fall for the attacker's tricks.
Examples of a Whaling Attack
One of the best-known attacks occurred in 2016, when a senior employee at Snapchat received an email that appeared to come from the CEO and was tricked into disclosing employee payroll information.
Another attack targeted Seagate, where an executive was tricked into disclosing the income tax data of the company's employees.
In a similar incident, an employee acting on a request that appeared to come from the CEO (sent through a phishing email) wired around $17.2 million to different branches of the Bank of China.
Looking at the examples above, it is clear that organizations need to be fully prepared for, and aware of, the tricks criminals use to conduct these phishing attacks.
Tips to Prevent Becoming a Victim of a Whaling Attack
Here are a few simple and effective tips that will help you identify and counter this type of attack.
- Educate employees about security measures: teach them how to recognize a Whaling attack and its characteristics, and run regular security awareness training.
- Teach employees to validate the sender's email address before replying to any email, whether it comes from inside or outside the organization.
- Establish multi-layer protection measures to safeguard sensitive information from social engineering attacks.
- Establish data protection policies and put proper mechanisms in place to flag any suspicious activity.
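The last two tips, validating the sender's address and flagging suspicious activity, can be partly automated at the mail gateway. The script below is an added example, not code from the original article or from any vendor: it parses a raw email, compares the display name against a constructed executive directory, checks for a look-alike sender domain and a mismatched Reply-To, and looks for the wire-transfer and payroll wording seen in the incidents above. The executive directory, the organisation domain example-corp.com and all three sample messages are constructed for illustration.

```python
"""Flag emails that show the classic signs of a CEO-impersonation (whaling) attempt.

Added example. EXECUTIVES, ORG_DOMAIN and the sample messages are constructed
values, not real data.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: lower-cased display name -> the only legitimate address.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
ORG_DOMAIN = "example-corp.com"

# Wording that typically accompanies a whaling request (payments, tax forms, urgency).
RISK_TERMS = ("wire", "transfer", "payroll", "w-2", "urgent", "confidential")


def levenshtein(a, b):
    """Edit distance between two strings; used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw):
    """Return the list of whaling indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_name, from_addr = from_name.strip().lower(), from_addr.lower()
    from_domain = domain_of(from_addr)

    # 1. The display name is an executive, but the address is not the one on file.
    if from_name in EXECUTIVES and from_addr != EXECUTIVES[from_name]:
        flags.append("exec-name-address-mismatch")

    # 2. The sender domain is a near-miss of the organisation's own domain.
    if from_domain != ORG_DOMAIN and 0 < levenshtein(from_domain, ORG_DOMAIN) <= 2:
        flags.append("lookalike-domain")

    # 3. Replies would be routed somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append("reply-to-mismatch")

    # 4. Payment, tax-form or urgency wording in the subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(term in text for term in RISK_TERMS):
        flags.append("financial-urgency-wording")
    return flags


def triage(raw):
    """Hold a message for human review when the indicators are strong enough."""
    flags = check_message(raw)
    if "exec-name-address-mismatch" in flags or len(flags) >= 2:
        return "HOLD"
    return "DELIVER"


# Constructed sample messages (not real traffic).
SPOOFED = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: ceo.office@mail-relay.example.net
To: payroll@example-corp.com
Subject: Urgent: W-2 forms for all staff

Please send me the W-2 of every employee today. I am in a meeting, do not call.
"""

FREEMAIL = """From: Jane Doe <jane.doe.personal@freemail.example>
To: finance@example-corp.com
Subject: Quick favour

I need a wire transfer to a new vendor processed before noon. I will explain later.
"""

LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Board dinner next week

Can you confirm the venue booking? Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("freemail", FREEMAIL), ("legit", LEGIT)):
        print(label, triage(raw), check_message(raw))
```

The four indicators are deliberately independent: a message from a personal mailbox with no look-alike domain still trips the executive-name check, and a look-alike domain is caught even when the display name is not in the directory. The wording check on its own is weak, which is why `triage` only holds a message when the sender identity is wrong or at least two indicators coincide; a real deployment would also consult SPF/DKIM/DMARC results, which this example does not.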