Whaling refers to malicious hacking that targets high-ranking executives. Similar to phishing, whaling is where the hacker hunts for data that they can use, but they focus on high-ranking bankers, executives, or others in prominent or powerful positions in an organization. Hackers will search for public information on the target to convince the victim that they are legitimate. Whalers also attack their ‘Whale’ targets by hacking into the company networks where these high-ranking executives work and then target those executive’s computers with malware such as keyloggers or remote access trojans (RAT).
A real-world example of Whaling happened in an undisclosed business where a number of executives fell for an attack laced with accurate details about them and their businesses. The attacker pretended to be from a United States District Court with a subpoena to appear before a grand jury in a civil case. The email included a link to the subpoena, and when recipients clicked the link to view it they were infected with malware instead.
What should SMB’s do about Whaling?
Protect and educate your C-Suite on the dangers of posting too much information on social media that is open to the public. The more information a hacker can research on a CEO or CFO, the easier it is to attack them with a Whaling email attack. This advice also helps prevent hackers from targeting other employees at your company with bogus emails purportedly from the C-Suite executive with novel and convince phishing schemes based upon the hacker’s research.
SMB PROTECTIONS BEYOND PATCH MANAGEMENT
In addition to adopting a patch management system, CyberHoot recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks:
- Adopt a password manager for better personal/work password hygiene
- Require two-factor authentication on any SaaS solution or critical accounts
- Require 14+ character Passwords in your Governance Policies
- Train employees to spot and avoid email-based phishing attacks
- Check that employees can spot and avoid phishing emails by testing them
- Backup data using the 3-2-1 method
- Incorporate the Principle of Least Privilege
- Perform a risk assessment every two to three years
