[Updated April 2020]
Whaling is another form of phishing that often targets senior management. It is a type of social engineering that chooses a 'high level target' and attempts to encourage the victim to perform a secondary action, such as divulging sensitive information or wiring funds.
These types of phishing scams are highly targeted, sophisticated, researched and difficult to detect. Typically, they contain personalised information about the target or organisation, combined with a formal, corporate tone of voice to throw you off guard.
Whaling phishing is one of the biggest risks facing businesses, because these scams require little technical knowledge yet can deliver huge returns.
Whaling emails often contain:
- A sense of urgency
- Personalised information about the target and/or organisation
- Corporate/business tone of voice and jargon
Examples of Whaling Attacks
Example 1 - Whaling phishing can appear to come from internal employees:
Example 2 - Cyber criminals may try to impersonate your customers or clients:
Example 3 -
As you can see in example 3, both emails are very similar, and at first glance you wouldn't think anything was awry until you check the sender email address.
On closer inspection, the fake email (left) carries a sense of urgency, shows that the sender knows the user probably uses Spotify, and uses a corporate tone of voice, even repeating the wording 'We're always here to help if you need it' from the real email (right).
So, what can you do?
1. Double check email addresses
As you can see from the examples above, an email may appear to come from a legitimate source, but careful inspection of the address may reveal extra letters or numbers, or a different email provider altogether.
2. Train your employees
Provide training for your staff about whaling attacks and how to identify phishing emails.
3. Phishing Testing
Test your staff with fake phishing emails to see how many believe an email is legitimate, how many click on links or reply to the email - then provide them with the results and additional training if needed.
4. Multi-Step Verification
Enable multi-step verification for all requests for sensitive data or wire transfers.
5. Follow up phone call
If you're unsure about an email, speak to the colleague or customer who sent it. Don't reply or use the contact information from the email.
6. Do not click links in email
If you want to check your account on the website the email is referencing, open the site in your web browser separately. Do not click links in the email: they usually lead to a fake website designed to steal your credentials as you try to log in.
7. Report it
Report the phishing email to your IT department. It may be one of a hundred such emails sent to your organisation, and other recipients may not realise it isn't genuine.
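To illustrate step 1 (double checking the sender address), here is an added example that is not part of the original post: a small Python check that flags a From: header whose domain closely resembles the organisation's own domain, or whose display name matches an executive while the address is external. The domain `example-corp.com` and the executive names are constructed values for the example.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed values for this example: the organisation's own domain and the
# display names of executives that a whaling email might impersonate.
ORG_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}


def parse_from(header):
    """Split a From: header into (display_name, local_part, domain), lowercased."""
    name, addr = parseaddr(header)
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"unparseable From header: {header!r}")
    return name.strip().lower(), local.lower(), domain.lower().rstrip(".")


def is_lookalike(domain, trusted=ORG_DOMAIN):
    """True when the domain is not the trusted one but closely resembles it:
    a character or two changed, or the trusted name embedded in a longer domain."""
    if domain == trusted:
        return False
    if trusted in domain:          # e.g. example-corp.com.somewhere-else.test
        return True
    return SequenceMatcher(None, domain, trusted).ratio() >= 0.8


def check_sender(header):
    """Return a list of warnings for a From: header; an empty list means nothing was flagged."""
    name, _local, domain = parse_from(header)
    warnings = []
    if is_lookalike(domain):
        warnings.append(f"domain {domain!r} resembles {ORG_DOMAIN!r}")
    if name in EXECUTIVE_NAMES and domain != ORG_DOMAIN:
        warnings.append(f"display name {name!r} matches an executive but the domain is external")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers: one genuine, two impersonations.
    for hdr in ('"Jane Doe" <jane.doe@example-corp.com>',
                '"Jane Doe" <jane.doe@examp1e-corp.com>',
                'Jane Doe <ceo.janedoe@gmail.com>'):
        print(hdr, "->", check_sender(hdr) or "ok")
```

A mail gateway or user-reporting workflow can run the same check, but it complements rather than replaces the manual inspection the post recommends.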
How can we help?
We offer a range of services to provide you with a multi-layered IT security solution for your business - our solution is designed to make you feel assured your cyber security is being managed proactively and appropriately. We can provide training for your staff on the warning signs of potential cyber attacks and keep you up-to-date with the latest threats.
If you'd like to find out more, get in touch and see how we can help you protect your business against the latest cyber threats.