
Whaling Cyberattacks: What You Need to Know

Technology

from Carr, Riggs & Ingram

Cyberattacks are here to stay, partly because the financial result is lucrative for the criminal and partly because the bad guys can easily hide from law enforcement. It seems to have started with three common types (one of which has since morphed), which took off in the following order:

  1. phishing*, which includes blast emails designed to entice the reader to click on a bogus link or attachment,
  2. vishing, which is basically phishing utilizing cell phones to replace email as the vehicle, and
  3. pharming, which involves controlling personal computers via servers and/or routers.

*Recently, phishing has evolved to include spear phishing (an attack directed at a specific target rather than broadcast to a group of people), which led to the latest (and perhaps “greatest,” if you will) of these threats: whaling.

What is a Whaling Cyberattack?

Simply put, a whaling cyberattack is closely related to spear phishing, but the target is a much bigger “phish.” Specifically, a whaling attack is directed at CEOs and other executives. The email or web page seems more authentic because the cybercriminals take the time to capture not only an email address but also other key and specific information, which is then included and/or pre-populated: often a correct job title, direct phone number, names of other key executives, and sometimes even circumstances particular to that entity.

CRInsight

This “targeted” information is sometimes, if not often, available on an entity’s website. Additionally, some cybersecurity experts believe that this type of information is also being sold on the black market.

Whaling cyberattacks also differ from phishing because the goal is bigger than stealing a victim’s identity. These cybercriminals are harpooning for control of the executive’s personal computer in order to determine passwords and gain access to critical digital assets and confidential information.

How Is the Whaling Net Cast?

Often the whaling email is related to “official” business, such as a subpoena supposedly being issued against the executive or a complaint filed with the Better Business Bureau. The email often uses icons and language that seem official, and it usually conveys a sense of urgency (e.g., a threat for non-responsiveness). In reality, hidden underneath the blubber of the attached “subpoena” document or the “necessary” software download is malware (usually a Trojan/keylogger); alternatively, the email includes a hyperlink directing the victim to an infected website.
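The lure traits described above (an executive's name on the From line, an official-sounding pretext, urgency, a risky attachment or an off-domain link) can be turned into a simple triage score for a mail gateway or SOC playbook. The following is an added example, not code from Carr, Riggs & Ingram; the corporate domain, the executive roster and both sample messages are constructed for the illustration, and the keyword lists are assumptions a real deployment would tune.

```python
"""Heuristic whaling-email triage (added example; roster, domain and samples are constructed)."""
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed corporate domain and executive roster (constructed for the example).
CORP_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Assumed indicator lists; a production filter would tune these.
PRETEXT = re.compile(r"\b(subpoena|complaint|better business bureau|bbb|court)\b", re.I)
URGENCY = re.compile(r"\b(immediately|within 24 hours|urgent|failure to respond|legal action)\b", re.I)
RISKY_EXT = (".exe", ".scr", ".js", ".zip", ".docm", ".html")
LINK = re.compile(r"https?://([^/\s]+)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the sender domain is not ours but is within two edits of it."""
    return domain != CORP_DOMAIN and edit_distance(domain, CORP_DOMAIN) <= 2


def body_text(msg: EmailMessage) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    return "\n".join(
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() == "text/plain" and part.get_filename() is None
    )


def score_message(msg: EmailMessage) -> tuple[int, list[str]]:
    """Return (score, reasons): one point per whaling indicator found."""
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    name = display.strip().lower()
    domain = addr.rsplit("@", 1)[-1].lower()
    # Executive's display name on an address that is not the executive's own.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        reasons.append(f"display name '{display}' spoofs an executive from {addr}")
    if is_lookalike(domain):
        reasons.append(f"lookalike sender domain {domain}")
    body = body_text(msg)
    if PRETEXT.search(body):
        reasons.append("official-business pretext (subpoena/complaint)")
    if URGENCY.search(body):
        reasons.append("urgency or threat for non-response")
    for host in LINK.findall(body):
        if not host.lower().endswith(CORP_DOMAIN):
            reasons.append(f"link to external host {host}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXT):
            reasons.append(f"risky attachment {filename}")
    return len(reasons), reasons


def whaling_sample() -> EmailMessage:
    """Constructed lure in the style the article describes (not a real message)."""
    m = EmailMessage()
    m["From"] = "Jane Doe <jane.doe@examp1e-corp.com>"  # digit 1 replaces the letter l
    m["To"] = "cfo@example-corp.com"
    m["Subject"] = "Subpoena - response required"
    m.set_content("A subpoena has been filed against you. Failure to respond within 24 hours "
                  "will result in legal action. Review the case at http://docs-secure-portal.example/case")
    m.add_attachment(b"placeholder bytes", maintype="application", subtype="octet-stream",
                     filename="subpoena.docm")
    return m


def benign_sample() -> EmailMessage:
    """Constructed legitimate internal message for comparison."""
    m = EmailMessage()
    m["From"] = "Jane Doe <jane.doe@example-corp.com>"
    m["To"] = "cfo@example-corp.com"
    m["Subject"] = "Board deck"
    m.set_content("Attached is the deck for Thursday; the agenda is at https://intranet.example-corp.com/board")
    m.add_attachment(b"placeholder pdf bytes", maintype="application", subtype="pdf", filename="deck.pdf")
    return m


if __name__ == "__main__":
    for label, sample in (("whaling", whaling_sample()), ("benign", benign_sample())):
        score, reasons = score_message(sample)
        print(f"{label}: score={score}", *reasons, sep="\n  ")
```

The constructed lure trips all six indicators and the internal message trips none; in practice the score would feed a quarantine threshold or an analyst queue, and the executive roster would be pulled from the directory rather than hard-coded.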

Don’t Let Your Employees Become Victims of a Whaling Cyberattack

This new threat has been quite successful to date. The FBI estimates that 10% of whaling email recipients become victims. Call CRI to engage our cybersecurity professionals for help building an education and training program that better protects your business from whaling attacks.

