Hackers Aiming to Land the Big Phish

11 Oct 2016

Hackers are adaptive and opportunistic creatures, so it is no surprise that some have adapted their phishing attempts in order to land the biggest fish: in this case the CEOs and executives of companies, in a technique known as whaling.

What is Whaling?

Whaling is a type of phishing attack that is aimed at C-level or top-level executives. A hacker uses social engineering and computer intrusion techniques to get as much information as they can on their targets. By scouring social media channels such as LinkedIn, they can collect personal data and information that can then be exploited to put their schemes into action.

The scammer also collects information about how an organisation’s emails are laid out and structured in order to make the fraudulent messages look as authentic and believable as possible. Often the attacker will pretend to be the CEO or a senior executive and send messages to employees lower down the management chain asking them to transfer money or sensitive data. The employee, not wanting to disappoint senior management, often complies with the request without question. In the most serious cases, this has resulted in millions of pounds of company funds being sent to accounts controlled by criminals.

A recent example was seen in August, when a whaling attack deceived finance staff at Leoni AG into transferring £34 million into a bank account of the hackers’ choosing. In this case, it was the company CFO who was the target. She received an email spoofed to look like it came from one of the company's top German executives.

Why is it so successful?

It makes sense from the hacker’s point of view. Why waste your time targeting lower-level workers, or a business as a whole, when you can make significant criminal gains by targeting the big fish at the top? The scammer relies on workers’ desire to impress senior managers and uses this behaviour to their advantage. Often an employee, no matter how odd the request may be, will want to make a good impression and not disappoint their employer.

How to tackle the threat?

As with many cyber threats, education is key to limiting the risks. Training employees and executives on what to look out for and how to avoid becoming a victim can reduce the threat dramatically.

PGI’s GCHQ accredited Cyber Security Awareness (CSA) and Executive Cyber Awareness (ECA) courses are great places to start in educating a workforce.

Have you suffered a cyber security breach and need advice? Contact our FREE cyber surgery. For more details click http://bit.ly/2cdS7r7

For the latest PGI updates, like our pages on LinkedIn (PGI, PGICyber), Facebook (PGI, PGI Cyber) and Twitter.
