Whaling (aka CEO fraud or business email compromise) is a type of phishing attack that exploits the influence senior executives have over lower-level roles, such as CEOs over financial executives or assistants. Attackers usually target executives in the HR or financial departments because they have access to financial or sensitive information, which is what cyber criminals crave.
Whaling attacks in short
Scam artists collect information about how a company’s emails are structured and written, and prepare a copy designed to convince the victim that the communication is authentic. The message looks like it has been sent from a senior manager’s email account, and usually asks for a money transfer or confidential files. And that’s the bait: whaling attacks exploit the desire to favourably impress and be helpful to senior roles. No matter how strange or unusual the request is, a careless employee will do what is asked to make a good impression on the sender. Wouldn’t you?
Mattel and Snapchat hit by whaling attacks
Large corporations are the preferred targets for these attacks: the size and frequency of interaction between the top and bottom levels of the organisation increase the chance of success – money legally transferred and sensitive information gone for good.
At Snapchat, the payroll department received a whaling email pretending to be sent from the CEO asking for employee payroll information. At Mattel, a high-ranking financial executive received an email from a scammer impersonating the newly appointed CEO requesting a $3 million money transfer. Both whaling attacks succeeded.
Always be suspicious and ask for direct contact
Mattel’s example shows how everyone can be exposed to a whaling attack, even top-level managers, and demonstrates the importance of seeking confirmation through direct contact, even if it seems unnecessary. Mattel’s executive could have phoned his CEO for confirmation, for instance. Snapchat’s example teaches us to always be suspicious, even if the request seems legitimate.
Improve your readiness in detecting email scams
If you want to avoid falling victim to whaling attacks, you should take precautions every time you receive an email. Ask yourself: Am I expecting this email? Is it making an unusual request? Why is the sender contacting me by email instead of by phone or in person? Being suspicious all the time helps you stay secure.
If you want to improve your ability to spot email scams, the Phishing Awareness e-learning course shows you easy tricks and techniques, as well as best practices to avoid swallowing the bait. Share these tricks with your colleagues by telling your HR manager about the Phishing Awareness e-learning course.