Hackers are adaptive and opportunistic creatures, so it is no surprise that some have adapted their phishing attempts in order to land the biggest fish - in this case the CEOs and executives of companies in a technique known as whaling.
What is Whaling?
Whaling is a type of phishing attack that is aimed at C-level or top-level executives. A hacker uses social engineering and computer intrusion techniques to get as much information as they can on their targets. By scouring social media channels such as LinkedIn, they can collect personal data and information that can then be exploited to put their schemes into action.
The scammer also collects information about how an organisation’s emails are laid out and structured in order to make them look as authentic and believable as possible. Often the attacker will pretend to be a CEO or senior executive and send messages to employees lower down the management chain asking them to transfer money or sensitive data. The employee, not wanting to disappoint senior management, often complies with the request without question. In the most serious cases, this has resulted in millions of pounds of company funds being sent to accounts controlled by criminals.
A recent example was seen in August when a whaling attack deceived finance staff at Leoni AG into transferring £34 million into a bank account of the hackers’ choosing. In this case, it was the company CFO who was the target. She received an email spoofed to look like it came from one of the company's top German executives.
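The pattern described above (an executive's name on an email that did not come from the executive, asking for money) is one a mail gateway or SOC script can check for. The following is an added example, not code from the original post or from PGI: it parses a message's headers and body and flags the tell-tale signs of an impersonation attempt. The company domain, executive list, header values and sample messages are all constructed for the example.

```python
"""Heuristic check for executive-impersonation ("whaling") emails.

Added example. Flags the signals a defender would look for on an inbound
message: a display name matching a known executive while the sending
address is outside the company domain (or not the executive's real
address), a Reply-To that diverts replies elsewhere, a failed SPF/DKIM/
DMARC result recorded by the receiving mail server, and a payment or
urgency request made in an executive's name.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed data: the organisation's own domain and its senior leadership.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {
    "Jane Doe": "jane.doe@example-corp.com",
    "Hans Weber": "hans.weber@example-corp.com",
}
# Words that typically accompany a fraudulent transfer request.
PAYMENT_WORDS = re.compile(
    r"\b(wire|transfer|payment|invoice|urgent|confidential)\b", re.I)


def normalise(name):
    """Collapse case and whitespace so 'jane  doe' matches 'Jane Doe'."""
    return " ".join(name.lower().split())


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw):
    """Return a list of findings for one RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    exec_match = next(
        (n for n in EXECUTIVES if normalise(n) == normalise(name)), None)

    # Executive's name on the From line, but the address is not theirs.
    if exec_match and domain_of(addr) != COMPANY_DOMAIN:
        findings.append("executive display name with external sender address")
    elif exec_match and addr.lower() != EXECUTIVES[exec_match]:
        findings.append("executive display name with unexpected internal address")

    # Replies quietly redirected to a mailbox the attacker controls.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append("Reply-To domain differs from From domain")

    # Authentication-Results is added by the receiving mail server;
    # an explicit failure is a strong signal of a spoofed sender.
    auth = msg.get("Authentication-Results", "")
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth, re.I):
        findings.append("sender authentication failed")

    body = msg.get_payload(decode=True)
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else ""
    if exec_match and PAYMENT_WORDS.search(msg.get("Subject", "") + " " + text):
        findings.append("payment-related request in executive's name")
    return findings


def looks_like_whaling(raw):
    """Two or more independent signals is the constructed alert threshold."""
    return len(check_message(raw)) >= 2


# Constructed sample messages.
SPOOFED = """From: Jane Doe <jane.doe@example-corp.co>
Reply-To: ceo.office@freemail.example
To: finance@example-corp.com
Subject: Urgent wire transfer
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.co

Please process the attached invoice today and keep this confidential.
"""

LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Board minutes
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass

Attached are the minutes from Tuesday.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, "->", check_message(sample) or "no findings")
```

The threshold of two signals is a constructed starting point; in practice the "executive name, external domain" finding alone is usually worth a warning banner to the recipient, since it is the exact shape of the attack the article describes.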
Why is it so successful?
It makes sense from the hacker’s point of view. Why waste your time targeting lower-level workers, or a business as a whole, when you can make significant criminal gains by targeting the big fish at the top? The scammer relies on workers’ desire to impress senior managers and uses this behaviour to their advantage. Often an employee, no matter how odd the request may be, will want to make a good impression and not disappoint their employer.
How to tackle the threat?
As with many cyber threats, education is key to limiting the risks. Training employees and executives on what to look out for and how to avoid becoming a victim can reduce the threat dramatically.
PGI’s GCHQ-accredited Cyber Security Awareness (CSA) and Executive Cyber Awareness (ECA) courses are great places to start in educating a workforce.
Have you suffered a cyber security breach and need advice? Contact our FREE cyber surgery. For more details click - http://bit.ly/2cdS7r7