Whaling Attack Scam Avoidance

I recently wrote about ransomware and the steps worth taking to protect your data, but I omitted a very important one: whaling attacks. They are on the increase too.

A whaling attack is a more targeted attack: the fraudsters will most likely have done their research and specifically target senior management team members (the "whales") with the intent of stealing sensitive financial information, employee data and business banking details.

These attacks are well crafted and sophisticated, often because the approach, by spoofed email or website, appears to come from a trusted source. The content is often knowledgeable too, using the target's name, job title and some relevant insight that builds trust. The sophistication continues with branding of the emails (logos, address and phone number) and a legitimate-looking website for anyone checking the source's credentials, all put together with hyperlinks and attachments that will either infect the target with malware or extract information.
Spotting these attacks is often more difficult because of how well they are put together. To some extent it throws out the window the ‘check you know the sender or are expecting the email’ advice that we regularly remind all our clients' staff of.

Steps to protect yourself

An executive will have earned their place by being quick and expert, so make sure you let them know that whaling attacks happen and how sophisticated they are; the acumen of a longstanding exec in your business will take over from there.

Reduce the digital visibility of senior execs' contact details
If possible, omit senior execs' direct contact details from Google, LinkedIn, Facebook and your own website; these are places where criminals can all too easily obtain everything they need, so try to make it less easy for them.

Configure Internal Emails
Use your IT department to help ensure a unique look for internal emails. The trick, and the reason whaling attacks have a reasonable success rate, is that they make the email appear as if it came from one of your colleagues internally.

Double-check processes
Reduce risks by having a double-check process in addition to a dual sign-off process. Assume that an attack might involve the sender posing as the CEO or a senior team member, sending an urgent payment request to a member of the finance team, who on receipt could quite easily act on the instructions as a legitimate task. Instruct team members not to query the request by replying to the instruction email; instead, draft a new email to the address in the trusted company directory, or better still, pick up the phone to check whether the originator really did make the request.
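The two controls above (making internal mail recognisable, and checking against the trusted company directory rather than replying) can be partly automated at the mail gateway. The following is an added example, not code from the original post: it flags inbound messages whose display name matches an executive in the directory but whose address does not, whose sender is outside the company domain, or whose Reply-To would steer a reply elsewhere. The company domain, the directory and the sample messages are all constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed company domain (constructed)
# Assumed trusted company directory: display name -> real internal address.
EXEC_DIRECTORY = {"jane doe": "jane.doe@example.com"}


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def whaling_indicators(raw_message):
    """Return the reasons an inbound message deserves a second check."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    expected = EXEC_DIRECTORY.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append("display name matches an executive but the address does not")
    if _domain(from_addr) != COMPANY_DOMAIN:
        reasons.append("sender address is outside the company domain")
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        reasons.append("Reply-To would send a reply to a different domain than From")
    return reasons


# Constructed sample messages.
SPOOFED = (
    "From: Jane Doe <jane.doe@examp1e-corp.net>\n"
    "Reply-To: Jane Doe <payments@mail-relay-example.net>\n"
    "Subject: Urgent supplier payment\n\n"
    "Please action today, I am in meetings.\n"
)
LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Subject: Board papers\n\n"
    "Attached for Thursday.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, whaling_indicators(raw) or ["no indicators"])
```

A message that forges the exact internal address passes this check unchanged; that case is what SPF, DKIM and DMARC at the gateway are for, so treat this as a complement to them rather than a replacement.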

By Craig Warren
