Corporations around the world are being increasingly targeted for cyberattacks, many demanding ransom in exchange for the return of stolen data.
However, it isn’t just corporate data that is being targeted, senior executives are finding themselves in the crosshairs too. These individuals are referred to as “whales” due to their “big fish” status within corporations.
What results is called a “whaling attack.” These attacks look for sensitive company information, such as personal information of employees, in the hopes of a large payoff.
“The ‘whales’ are carefully chosen because of their influence, authority and access within the company,” says cybersecurity firm Upguard based in Mountain View, Calif. “In some cases, scammers may pose as the CEO or other corporate officers to manipulate victims into authorizing high-value wire transfers to offshore bank accounts or to go to spoofed websites that install malware.”
The cyberattacks we usually hear about involve major companies and organizations such as cities, school districts, manufacturers, cruise lines, insurance companies and even the Republican National Committee in the U.S.
In Canada, prominent contractor Bird Construction was recently targeted and forced to pay ransom. However, companies of any size can be victimized. According to a Statistics Canada survey, more than one in five Canadian companies were hit by cyberattacks in 2017. The number is certainly higher today. As was the case with Bird, most were accompanied by ransom demands.
Less publicized are whale attacks.
Whale attackers are sophisticated and patient, moving beyond the familiar quick-hit social media tricks and email scams.
Upguard says this makes whale attacks “more difficult to detect than typical phishing attacks as they are highly personalized and only sent to select targets in an organization.”
Whale attacks do not always include ransom demands. Usually attackers attempt to steal funds from company coffers or gather personal employee data that can be exploited.
For example, in 2016 multimedia messaging app Snapchat told the FBI that its employee payroll data had been revealed. A similar breach at data security firm Seagate Technology exposed employee income tax data that left them open to identity theft and possible tax refund fraud.
“The majority of cybercriminals using whaling attacks tend to invest heavily in the attack to make it seem as legitimate as possible, due to potentially high returns,” says Upguard. “This could include gathering information from public social media profiles such as Facebook, Twitter and LinkedIn, engaging with the organization via email to understand how the company structures email addresses and email signatures, and gathering general company information like job titles, names of colleagues, third-party vendors and any details exposed in previous data breaches.”
For example, the personal social media pages of executives may contain sensitive details such as birthdays, addresses, hobbies and friends — information that can build a foundation of “friendly actions” for further dives into more sensitive information.
As a result, the attacks are usually cleverly crafted in a way that suggests a good understanding of the company’s language and the executives’ personal information. Sometimes a follow-up phone call to an email is included to simulate a real-world interaction.
Cyberattack prevention is already costing companies a lot of money.
Statistics Canada reports in 2017 companies spent an average of $78,000 on cybersecurity measures, with large corporations allocating $1 million or more.
However, efforts to prevent whaling attacks must go beyond general corporate systems to include individual security awareness training for senior executives and their key staff.
“Train employees to look at the domain name of the sender, confirm requests over a separate channel or in-person and avoid opening unsolicited attachments,” says Upguard.
The company also suggests that mock whale and social engineering attacks be staged regularly to rehearse corporate and executive data theft prevention procedures.
In the face of these growing threats, all companies must recognize that their senior management could be targets of a whaling attack and must therefore put in place processes to reduce vulnerabilities at the highest corporate levels.
John Bleasby is a Coldwater, Ont. based freelance writer. Send comments and Inside Innovation column ideas to firstname.lastname@example.org.