Whaling is a type of scam in which an attacker, posing by email as a trusted source, tries to get someone to transfer money to them. Whaling is easy to fall for and can result in significant financial losses. It is similar to a phishing attack; however, it is more targeted, with the intent of victimizing an organization’s high-level management or the personnel who control its financial processes.
These emails can be difficult to catch because they appear harmless: they are often written in a normal, friendly tone and contain no links or attachments. They appear to come from a senior official, typically the CEO, Managing Partner, or CFO, and often ask you to initiate a wire transfer.
A few things to watch out for in a typical whaling attempt:
- Typo-squatting: Whalers may use fake email domains that look similar to your domain but are slightly altered (e.g., an uppercase “I” replaced by a lowercase “l”, a “g” replaced by a “q”, etc.).
- A hurried tone: Whalers will often ask you to send money immediately, with a hint or an outright threat of adverse consequences if the requested action is not performed right away. This is especially effective when the email purports to come from an executive who is on an airplane or in a similarly hard-to-reach location where they cannot be contacted by phone.
- Email only: Since whaling generally relies on impersonating an employee via a fake but similar-looking email address, the attacker will ask you not to call with questions and to reply only by email.
- Updated wire instructions: Whalers may include a new set of wire transfer instructions, in an effort to divert payment to an account other than the one you normally use.
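The typo-squatting and executive-impersonation indicators above can be checked mechanically before a message ever reaches the accounts-payable inbox. The following is an added example, not code from the original page or from BW Cyber Services: it takes a From: header, folds visually confusable characters (the capital I for lowercase l and q for g swaps the article mentions, plus a few others), compares the sender's domain to the domains you own by edit distance, and separately flags an executive's display name appearing on a domain you do not own. The trusted domain, executive names, sample headers and the homoglyph table are all constructed assumptions for the example.

```python
"""Look-alike sender-domain check for whaling / BEC triage.

Added example, not code from the original page or from BW Cyber Services.
All domains, names and sample headers below are constructed for illustration.
"""
import re

# Assumed: domains the organisation actually owns.
TRUSTED_DOMAINS = ["example-holdings.com"]

# Assumed: display names of executives worth impersonating.
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Visually confusable sequences, each folded to one canonical form so that a
# domain and its look-alike collapse to the same string. Digraphs come first
# so "rn" is folded before the single-character rules see the "n".
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("i", "l"), ("q", "g"), ("5", "s"), ("3", "e"),
]


def canonicalize(domain: str) -> str:
    """Lower-case a domain and fold confusable characters to a canonical form."""
    s = domain.lower()
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header: str):
    """Split 'Jane Doe <jane@host>' or 'jane@host' into (display_name, domain)."""
    header = header.strip()
    m = re.match(r'^(?:"?([^"<]*?)"?\s*<)?([^<>@\s]+)@([A-Za-z0-9.-]+)>?$', header)
    if not m:
        raise ValueError(f"unparseable From header: {header!r}")
    name = (m.group(1) or "").strip().lower()
    return name, m.group(3).lower().rstrip(".")


def classify_sender(header: str, trusted=TRUSTED_DOMAINS, executives=EXECUTIVE_NAMES,
                    max_distance: int = 2):
    """Return (verdict, reason) for an inbound From: header.

    verdict is one of 'trusted', 'lookalike', 'executive-name-external', 'external'.
    """
    name, domain = parse_from(header)

    # Exact match, or a subdomain of a domain we own.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", f"{domain} is an owned domain"

    # Near-match after homoglyph folding: the typo-squatting case.
    canon = canonicalize(domain)
    for t in trusted:
        dist = edit_distance(canon, canonicalize(t))
        if dist <= max_distance:
            return "lookalike", f"{domain} is {dist} edit(s) from {t} after homoglyph folding"

    # Display-name spoofing: an executive's name on a domain we do not own.
    if name in executives:
        return "executive-name-external", f"display name {name!r} on external domain {domain}"

    return "external", f"{domain} does not resemble an owned domain"


if __name__ == "__main__":
    # Constructed sample From: headers.
    for hdr in [
        "Jane Doe <jane.doe@example-holdings.com>",
        "Jane Doe <jane.doe@exampIe-holdings.com>",    # capital I for lowercase l
        "John Smith <jsmith@example-holdinqs.com>",    # q for g
        "Jane Doe <jane.doe@jdoe-personal-mail.net>",  # exec name, foreign domain
        "AP Team <ap@supplier-corp.com>",
    ]:
        print(f"{hdr:48} -> {classify_sender(hdr)}")
```

Run it as a script to see each sample header classified. The edit-distance threshold of 2 is reasonable for domains the length of the example; for very short owned domains it will produce false positives and should be lowered. This check is a triage aid for the human callback step, not a replacement for it: a look-alike verdict should route the message to verification, and a "trusted" verdict only means the domain is yours, not that the mailbox was not compromised.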
If you receive an email that you suspect to be a whaling attempt, or if you are unsure of an email’s legitimacy, do not respond! Instead, call the person the email claims to be from to confirm the request. Particularly when it comes to updated wire instructions, verbally confirm the instructions with your contact using a phone number you already have on file; do not trust a number stated in the potentially fraudulent email.
Lastly, if you receive an email confirming receipt of a wire and your processes require a voice callback to confirm receipt, call anyway. Criminals will very quickly and proactively “confirm” receipt of a fraudulent wire to prevent the sender from confirming receipt with the intended party (at which point the sender would realize that the wire was, in fact, not received).
How BW Cyber Services Can Help
BW Cyber Services offers a variety of services that can help reduce the risk associated with whaling and other social engineering attacks. Our team specializes in cybersecurity program development designed to exceed regulatory expectations. Additionally, we perform mock phishing campaigns that support your internal security awareness training program by testing your employees’ susceptibility to the phishing attacks that have been successful against your peers. Our team can also provide custom-tailored cybersecurity training to ensure your staff understand how criminals use whaling and other attacks to infiltrate your environment and/or effect fraudulent wire transfers.
If you have any questions or would like more information, please contact BW Cyber Services at firstname.lastname@example.org.