What is Whaling?
Whaling is a form of phishing that targets a single high-profile victim such as a CEO, CFO or other senior executive, typically at a private company.
What’s the point of whaling?
Con artists with the necessary skills may decide to go after one big "catch" rather than spend their time on many smaller victims.
In other words, they hope that by focusing their efforts on a top-level company executive, whose account and workstation usually have broad access, they can reach a large volume of company records that reveal confidential information about employees or the business itself.
How does it work?
Just as an ordinary phishing scam uses malicious websites or emails to steal information from unsuspecting victims, whaling relies on fake documents or websites, but ones crafted for a specific executive.
Whaling scams often involve falsified documents aimed at upper-level executives, such as a fake legal subpoena or a "warning" from the IRS or another tax authority.
These fake materials may carry the company name and logo and the name of the targeted executive to make them appear legitimate.
The false documents or emails typically prompt the executive to act immediately in order to avoid a penalty or to protect the company and its employees from some other problem.
But there is something dangerous lurking on the other end of that request.
According to Kaspersky, one well-publicized example of whaling occurred in 2008 when thousands of “high-ranking executives” in the United States received what they believed were subpoenas from the U.S. District Court in San Diego.
The alleged subpoenas were sent through emails, and each was personalized to its specific target and included names, phone numbers and other information.
The fake subpoenas ordered each executive to appear in court, but in reality the emails delivered keyloggers to the executives' machines.
Once a recipient tried to open the fake subpoena attached to the email, the computer was infected with malicious software that logged their keystrokes and sent the captured credentials and other sensitive data to the criminals.
Other previous whaling scams involved emails that appeared to be sent from the Better Business Bureau.
Sometimes, company executives are urged to take action due to a purported complaint against the business.
But like other scams, the person behind the email is only looking to hack into a computer system and steal private data.
How to protect against whaling threats
It's believed the whaling scam that targeted executives in 2008 reached some 20,000 recipients, and approximately 10 percent of them fell into the trap and exposed their company's private information to the attackers.
If you're still not convinced of the threat, consider that in the first six months of 2015 Kaspersky Lab's anti-phishing system was triggered around 80 million times.
As with other threats you could face, avoiding a whaling scam comes down to a few habits: treat urgency as a warning sign, check who actually sent a message, and verify requests through a channel you already trust rather than the one the message supplies.
Think twice before opening any attachment sent to you, even if it appears to come from a legitimate source and includes logos, names or phone numbers; those details are easy to copy and are exactly what a whaling email uses to look authentic.
For instance, if you believe the Better Business Bureau or a court has sent you an attachment, look up that entity's phone number yourself (not the one in the email) and call to inquire about the matter before opening anything.
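The red flags described above (a sender that only looks like an authority, replies routed elsewhere, pressure to act now, and an attachment that can run code) can be checked mechanically before a message ever reaches an executive's inbox. The following script is an added example and not code from the original article or from Kaspersky; it parses a raw email with Python's standard library and reports which indicators it finds. The sample messages, domains and names in it are constructed for the example, and the list of "known authority" domains is an assumption that a real deployment would replace with its own allowlist.

```python
"""Triage a suspected whaling email for the red flags the article describes.

Added example, not from the original article. Parses a raw RFC 822 message
with the standard-library `email` package and lists the indicators found.
"""
import email
import re
from email import policy

# Assumed for the example: domains that really belong to the authorities
# whaling emails like to impersonate. A real deployment maintains its own list.
KNOWN_AUTHORITY_DOMAINS = {
    "u.s. district court": {"uscourts.gov"},
    "irs": {"irs.gov"},
    "better business bureau": {"bbb.org"},
}

# Pressure language: the article notes whaling emails push for immediate action.
URGENCY_PATTERNS = [
    r"\bimmediately\b", r"\bwithin\s+\d+\s+(hours?|days?)\b",
    r"\bpenalt(y|ies)\b", r"\bfailure to (comply|appear)\b",
    r"\burgent\b", r"\bsubpoena\b",
]

# Attachment types that run code when opened (the 2008 "subpoena" carried a keylogger).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk",
                         ".docm", ".xlsm", ".pptm", ".jar", ".zip"}


def _domain(addr_header):
    """Return the lowercase domain from an address header, or '' if none."""
    m = re.search(r"@([\w.-]+)", addr_header or "")
    return m.group(1).lower() if m else ""


def triage(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_header = msg.get("From", "")
    from_domain = _domain(from_header)
    display_name = from_header.split("<")[0].strip().strip('"').lower()

    # 1. Display name impersonates a known authority, but the domain is not theirs.
    for authority, domains in KNOWN_AUTHORITY_DOMAINS.items():
        if authority in display_name and from_domain not in domains:
            findings.append(f"sender claims to be '{authority}' but domain is {from_domain}")

    # 2. Reply-To sends answers somewhere other than the apparent sender.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Urgency or penalty language in subject or body (two or more patterns).
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text)]
    if len(hits) >= 2:
        findings.append(f"pressure language: {len(hits)} urgency patterns matched")

    # 4. Attachment that can execute code.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"attachment '{name}' can execute code")

    return findings


# Constructed sample modelled on the fake-subpoena lure; all names and domains are invented.
SAMPLE_WHALING = """From: "U.S. District Court" <clerk@uscourts-notice.example>
Reply-To: legal-desk@mail-courier.example
To: cfo@acme-corp.example
Subject: Subpoena in Grand Jury Proceeding - response required immediately
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

You are commanded to appear before this court within 7 days. Failure to
appear may result in a penalty. The subpoena is attached.

--XYZ
Content-Type: application/zip; name="subpoena_case.zip"
Content-Disposition: attachment; filename="subpoena_case.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

# Constructed benign message to show the checks do not fire on ordinary mail.
SAMPLE_BENIGN = """From: Jane Doe <jane.doe@acme-corp.example>
To: cfo@acme-corp.example
Subject: Lunch next week?
Content-Type: text/plain; charset="utf-8"

Are you free Tuesday?
"""

if __name__ == "__main__":
    for label, raw in (("whaling", SAMPLE_WHALING), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw) or ["no flags"])
```

The checks are deliberately cheap header and text heuristics, so they belong at the mail gateway as a triage step that quarantines or labels a message for review, not as the only defence; a lookalike domain that is not in the allowlist, or an executable inside a .zip, is caught here, but a compromised legitimate account or a link instead of an attachment is not.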
You can also reduce the damage a malicious attachment can do by keeping your operating system and applications patched and running up-to-date security software such as anti-virus or endpoint protection.
If you own a business or are employed as a top-level executive, consider hosting a security-awareness training event for yourself and your employees.
Such programs can teach employees not only about common threats, but also about your company’s own policies and procedures related to the use of Internet and email.