What is a whaling attack?
As we noted at the beginning, whaling is a variant of phishing. What sets it apart is that it targets people in leadership positions in an organization: directors, presidents and managers, for example. It is very effective because it relies on social engineering methods. Remember that social engineering aims to convince people to take an action that involves their personal information, such as handing over the access credentials for a specific account or making an “emergency” bank transfer.
Let’s dwell on urgency. Once a cybercriminal has instilled this sense of urgency in the victim, the victim will simply do what is asked of them, even if the action is not entirely reasonable. We know that in desperation, or out of a desire to avoid any inconvenience, people are capable of doing almost anything. Whaling is one of the most profitable attacks for those who carry it out, mainly because its victims work in financial institutions, payment processing organizations, or technology companies that provide front-line services.
Basic attack strategies
The National Safety Agency explains in great detail how whaling is done. This guide will show you the most important and recommended measures to avoid falling prey to whaling. First of all, it is worth knowing that until recently phishing was considered a one-size-fits-all attack, that is, anyone could fall prey to the same type of malicious e-mail.
However, the intervening years have allowed cybercriminals to gain more knowledge of key business and industry terminology, as well as background information that only the victims would understand. The email message that serves as the vehicle for whaling is disguised as one of the many messages a boss, manager, or director receives on a daily basis: reports, balance sheets and even personal and corporate banking transactions.
Hence the importance of security awareness among people in senior positions. Unfortunately, they commonly hold the bias that nothing will happen to their data and that they can do whatever they want on the Internet, both at work and in their personal lives. Cybercriminals exploit this naivety through social engineering to carry out this damaging variant of phishing.
An email following a phone call
This is one of the simplest but most effective methods. The cybercriminal contacts the victim by phone and asks a few questions that put the victim at ease. The call can also be worded to convey that sense of urgency, so that the victim confirms the requested data as soon as possible through a second channel, in this case email.
A common scenario is that the attackers pose as the victim’s trusted suppliers or contacts. How can whaling become so targeted? Before carrying out the attack, the attacker may have already compromised the victim’s data, such as their contacts in Google, Outlook and other services, which makes it easier to impersonate someone the victim trusts.
The victim will be so confident in the email messages that they will not even take one of the key measures to prevent phishing: checking the sender’s email address. A made-up example: example123@redeszone.net is not the same as example_123@redezon.net. The two addresses look similar, and often, in the rush of the moment or in some other distracting situation, the victim does not take the few seconds needed to confirm that whoever has contacted them really has good intentions.
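The sender check described above is easy to automate as a first line of defence, for example in a mail-filter rule or a user-reporting tool. The following Python script is an added example and is not code from the original article. It assumes a constructed allow-list of domains the organization genuinely deals with (`TRUSTED_DOMAINS`) and flags sender addresses that are a few characters away from a trusted domain, that reuse a trusted name inside an unrelated domain, that swap look-alike characters, or whose display name claims a trusted domain the actual address does not have.

```python
import re

# Constructed allow-list for the example: domains this organization really exchanges mail with.
TRUSTED_DOMAINS = {"redeszone.net"}

# Common look-alike substitutions, folded before comparison (heuristic, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold_homoglyphs(s: str) -> str:
    """Map visually confusable sequences to the letters they imitate."""
    for lookalike, plain in HOMOGLYPHS:
        s = s.replace(lookalike, plain)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_address(header_value: str):
    """Split 'Display Name <user@domain>' or a bare address into (display, local, domain)."""
    m = re.fullmatch(r'\s*(?:"?([^"<>]*?)"?\s*)?<([^<>]+)>\s*', header_value)
    if m:
        display, addr = (m.group(1) or "").strip(), m.group(2)
    else:
        display, addr = "", header_value
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {header_value!r}")
    return display, local, domain


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value."""
    display, _local, domain = parse_address(header_value)
    if domain in trusted:
        return "trusted"
    folded_domain = fold_homoglyphs(domain)
    for t in trusted:
        name = t.rsplit(".", 1)[0]  # "redeszone" for "redeszone.net"
        # Trusted name reused inside another domain (e.g. as a subdomain) or spelled with look-alike characters.
        if name in domain or name in folded_domain:
            return "lookalike"
        # A few characters dropped, added or swapped, like the redezon.net example in the text.
        if levenshtein(folded_domain, fold_homoglyphs(t)) <= max_distance:
            return "lookalike"
        # Display name claims the trusted domain while the real address does not.
        if t in display.lower():
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed From: header values for demonstration.
    samples = [
        "example123@redeszone.net",
        "example_123@redezon.net",
        "Finance <finance@redesz0ne.net>",
        "boss@redeszone.net.mail-relay.invalid",
        '"CEO ceo@redeszone.net" <reply@unrelated.invalid>',
        "someone@unrelated.example",
    ]
    for s in samples:
        print(f"{classify_sender(s):10} {s}")
```

A "lookalike" verdict is the cue to stop and verify through a channel the email did not supply (a known phone number, not the one in the signature). Short trusted names will raise false positives with the substring rule, so tune the allow-list and `max_distance` to the organization's real correspondents.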
Social media for personal and professional use
Along with the content of this person’s email, their social media profiles provide a lot of information for whaling. Professional networks such as LinkedIn can reveal a great deal about the victim’s network of contacts. If you use this platform, you will have noticed that every time you open a contact’s profile, it shows whether they are a first-, second- or third-degree connection.
A first-degree (1st) connection is most likely someone you communicate with often, a relative or someone you trust. You may not notice it, but every type of social network gives away a great deal of information about you, and that information is useful to attackers.
We could go to the extreme of not registering an account on any portal at all, so that nobody knows who we are or what we are doing. However, communication has become such a part of our lives that it is impossible to avoid sharing personal data, however careful we are.
We must emphasize one thing: caution. Whether you are an organization manager or a regular user, you should pay more attention to your online activity. Remember that phishing in any of its variants can appear at any time and profit from your data or your financial resources. The damage this type of attack can cause is very difficult to recover from, so do not let situations of “extreme urgency” rush you into acting.