
Whaling: Spear Phishing Executives and Cybersecurity

Fri, 21 Jun 2019

You’re being hunted. Whales have long been hunted for their useable parts, especially their blubber which was made into oil, a product of increased import during the First Industrial Revolution. Now, at the rise of the Fourth Industrial Revolution, whales are still being hunted but for a more valuable commodity in today’s economy, data. The reality is that if you’re a Canadian business executive, then you’re a whale (no offence) and cybercriminals are hunting you much like Captain Ahab went after Moby Dick. You can take it as a compliment if you want, cybercriminals think that you are big game. 

Cybercriminals are tailoring their spear phishing techniques to infiltrate businesses more effectively. Whaling is growing more common and is another form of spear phishing, only with larger prey in mind. The goal is to hook senior executives who have privileged access to secure company resources. Whaling can target an executive for money or confidential company information. In common spear phishing scams, the messages received may be disguised as correspondence from PayPal, Amazon or a bank. The fraudulent email usually contains a frightening message that an account will be closed, or that an account has been attacked, or an outlandish charge has been placed on it. The account’s owner is encouraged to log in and verify or face the consequences. Whaling builds on established, trusted business relationships and is, therefore, harder to spot. The messaging has a more severe and business-like tone and is masked to appear as coming from an appropriate vendor, department or employee.

Whaling example #1: The urgent email

A whaling email is directed to an executive who has the power to dole out money. The executive receives messaging that seems to come from an applicable department or employee. The legitimate-looking and often urgent message directs them to send funds to an account that also seems legit but is actually controlled by a cybercriminal. Whaling, like other phishing schemes, requires internal information that is hard to obtain. The messages, or the website you’re directed to, seem real, and only on close inspection can the difference between a fake and a real message be determined. It can be as minor as a 0 being used instead of an O in an email. Whaling exploits our busy lives, in which details may be missed. Whaling also thrives on our instinct to believe what’s in front of us if it appears to be from a person with whom we have a trusted relationship.
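As an added illustration of the 0-for-O trick above (this is example code, not something from the original post), here is a defender-side check that flags sender domains which merely resemble a trusted partner's domain, either through look-alike characters or a single-character edit. The trusted-domain list and the sample From: headers are constructed for the example.

```python
"""Flag sender domains that only look like a trusted partner's domain: a zero for
an 'o', 'rn' for 'm', or a one-character edit. Added example with constructed data."""
from email.utils import parseaddr

# Constructed allow-list of domains the business legitimately deals with.
TRUSTED_DOMAINS = {"acme-vendor.com", "example-bank.ca", "ourcompany.ca"}
# Character substitutions commonly used to mimic a legitimate name.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

def normalize(domain: str) -> str:
    """Collapse look-alikes so 'acme-vend0r.com' reads as 'acme-vendor.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched trusted domain); verdict is trusted, lookalike or unknown."""
    _, addr = parseaddr(from_header)
    dom = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if dom in trusted:
        return "trusted", dom
    norm = normalize(dom)
    for t in sorted(trusted):
        # Compare both sides normalized, then fall back to a one-edit tolerance.
        if norm == normalize(t) or edit_distance(dom, t) <= 1:
            return "lookalike", t
    return "unknown", None

# Constructed sample From: headers to exercise the check.
SAMPLE_HEADERS = [
    "Accounts Payable <ap@acme-vendor.com>",  # genuine partner
    "Accounts Payable <ap@acme-vend0r.com>",  # zero in place of 'o'
    "CFO <cfo@ourcornpany.ca>",               # 'rn' in place of 'm'
    "Newsletter <news@unrelated.example>",    # no resemblance to a partner
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(check_sender(header), header)
```

A "lookalike" verdict is a strong signal to hold the message for review; an "unknown" sender is not necessarily malicious, just not a known partner.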

Whaling example #2: The website login

The executive may be directed to a regular-looking website that mimics one they are familiar with. The website asks, as it usually does, for login credentials. They comply. When they hit the submit button, they get an invalid or incorrect login warning and are denied access. The site instructs them to try again. Typos in logins are commonplace, so they presume that they just hit the wrong key. They re-enter their information and continue on to the website. Nothing to worry about.

That was the scam. 

They entered their information into a masquerading site. That site can't log them onto the real site because it is fake and doesn't actually connect to the real site. The executive's login information is sent to the phisherman, and they are redirected to the actual website. When they try to log on the second time, it works because they are now actually on the real site. Unbeknownst to them, they just gave up their username and password to a cybercriminal. The phisherman who stole their information can now access that site, and all of the data or money associated with it.

Whaling example #3: The download

Instead of clicking on a link, the executive may be asked to download a business file or a program. The request could be masked as a program required to view a particular image or document. The program could be real or fake; either way, there will be a malicious attachment (malware) that will track the executive’s computer activity, including everything they type (passwords), everything they open (data) and everything they delete (old files that are no longer important to their job but still contain private information). Or the file could have ransomware attached, and when it downloads, it locks everything on their computer until a specified amount of money is paid to free the device. Freezing business computers, and therefore disrupting business operations, has a bigger payout for criminals than holding personal computers for ransom.

If you’ve been targeted, you’re not alone

The 2017-2018 Canadian Internet Registration Authority Survey of 1,985 Canadians who owned a ".ca" domain indicated that 85% of them had received a phishing email, 19% reported ransomware hits, and 32% reported that their users had revealed sensitive information unintentionally.[i] In the 2018 Canadian Cyber Threat Assessment, the Canadian Centre for Cyber Security predicted that cybercriminals would be the utmost cyber threat that Canadian businesses of all sizes would face in 2019. Cybercriminals target Canadian businesses for data about “customers, partners and suppliers, financial information and payment systems, and proprietary information.”[ii] The stolen data can be used by a competitor, sold, or held for ransom. The costs of lost information go beyond ransom payments. The real financial damages come as a result of a loss of reputation, diminished productivity, disruption to the operation, loss of intellectual property, and the cost of recovery. In 2018, the average cost to a Canadian organization per breach was $3,700,000.[iii]

Cyber schooling

In Moby Dick, Herman Melville wrote that “Ignorance is the parent of fear.” There is nothing to fear if you are educated, aware and prepared. One path to protecting your company from cyber-attacks and phishing scams is through user education. Education should be mandatory for all employees, including high-level executives. Part of the training should be teaching users how to identify phishing and whaling schemes and what action should be taken if they receive one. Phishing simulation exercises can train users to be wary of what they click and help them to get in the habit of checking for phishing indicators.

Every company needs a sound cybersecurity strategy in place so that its perimeter is defended from infiltration. Cybercriminals are persistent and continuously change their phishing strategies. No single cybersecurity measure can prevent phishing attacks. Instead, companies need to take a layered security approach to reduce attacks and diminish their impact should they occur. There are a variety of network security solutions that should be implemented, including email and web security, protection against malware, and access controls. Creating a comprehensive and cohesive security strategy is vital to your organization’s cyber safety. Speak with an ISA Security Solutions Advisor about ensuring that cybercriminals aren’t phishing in your company’s waters. With the right training and the proper cybersecurity, you’ll be prepared when the phishermen come.

Remember, at the end of Moby Dick, the whale won.   
