Whale Phishing Finished for web view - Astec Computing


Building Modern Business

01424 460721

[email protected]

www.astec.website

Data Security

Whale Phishing

Astec’s Guide To Protecting Your Business


Definition Of A Whaling Attack

A whaling attack is a malicious attack on a company or organisation for financial gain or to steal sensitive information. A whaling attack differs from traditional hacking and phishing attempts in that the attacker will use information they have gathered from the internet to impersonate a working colleague. An attacker can use this information to build a profile of an organisation. A common example is an attacker impersonating a key member of staff such as a director or CEO and asking someone in a finance role for a sum of money to be transferred urgently.

The term ‘Whaling’ comes from the fact that a usual target will have a significant or important role in the company, i.e. a big fish. ‘Whales’ are used in the spoofing in the hope that the role or authority of the position will encourage the target to act on the request without questioning it.

What Makes Whaling Attacks Successful?

Whaling attacks are often successful as they are a personalised attack rather than a generic spam email. Whaling attacks can be successful depending on the amount of information available. If your organisation has a ‘meet the team’ page that displays the name, role, email address and contact details of all your staff, then an attacker can use this information not only to build a spoof profile but also to choose an appropriate target within your organisation.

Whaling attacks are difficult to identify as they are so personalised and rely heavily on social engineering to trick the target. These attacks have become increasingly popular due to the potentially large sums of money involved, and attackers will therefore also spend more time on a particular target than in a typical malicious attack.

Snapchat: A Whaling Attack Victim

It is not just SMEs that are at risk of whale phishing. In 2016, the social media app Snapchat fell victim to a whaling attack when an employee was emailed by a cybercriminal impersonating the CEO and was tricked into releasing employee payroll information.

Snapchat reported the incident to the FBI, offered the employees affected by the leak free identity-theft insurance and has since trained staff to deal with this threat.


Tips To Prevent Whaling Attacks

Assume It’s Fake

Never enter your account credentials for any service into a web page unless you are 100% sure it’s the real thing. Look for https and don’t follow email links to login pages.

Are You A Target For Whaling Attacks?

The more information you have publicly available, the more you put yourself at risk of becoming a target for whaling attacks. By presenting lots of information about your staff and their contact details on the web, you give a hacker more information for building a profile to target your organisation. Think about your ‘meet the team’ or staff page on your website. If you have a detailed list of staff, their roles, contact details and other information, then the attacker has more firepower to build a personalised attack.

How Do Whaling Attacks Differ From Typical Phishing Attacks?

Phishing attacks generally involve an attempt to gain a user’s credentials through a generic email, such as one asking you to sign in to verify your account. Phishing attacks are often sent in volume and are easier to detect due to the generic content and the location of links included in the spam email. Whaling attacks are a more targeted attempt and often bypass a spam filter as the content does not require the inclusion of a malicious link.

Whaling attacks will often start with a probe email to test the success of a hacking attempt. This may be something as simple as sending an email asking for a response. Once a response to the spoofed account has been received, the attacker will typically then attempt to obtain sensitive information or, more likely, a transfer of money. Phishing attacks cover a broader spectrum of malicious hacking attempts and are often generic or targeted at a large group of people rather than a personalised attack on a small group or single person.
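Because a whaling email needs no malicious link, a mail check has to look at who the message claims to be from rather than at its URLs. The following is an added example, not part of the Astec guide: a small Python check that flags an executive's display name on the wrong address, a diverted Reply-To and payment wording. The executive name, addresses, domains and sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumption: display name -> the executive's real address.
EXECUTIVES = {"jane doe": "jane.doe@example.test"}
MONEY_OR_URGENCY = re.compile(r"\b(transfer|payment|invoice|payroll|urgent)", re.I)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def whaling_indicators(raw):
    """Return the list of whaling indicators found in one raw email."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    found = []
    # Executive display name on an address that is not the executive's own.
    real = EXECUTIVES.get(" ".join(name.lower().split()))
    if real and addr.lower() != real:
        found.append("exec_name_wrong_address")
    # Replies diverted to a different domain than the visible sender's.
    if reply_to and domain(reply_to) != domain(addr):
        found.append("reply_to_domain_mismatch")
    # Payment or urgency wording; no link is needed for this to match.
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if MONEY_OR_URGENCY.search(text):
        found.append("payment_or_urgency_language")
    return found

# Constructed sample messages (not real mail).
PROBE = ("From: Jane Doe <jane.doe@freemail.test>\n"
         "To: finance@example.test\nSubject: Quick question\n\n"
         "Are you at your desk?\n")
REQUEST = ("From: Jane Doe <jane.doe@examp1e-mail.test>\n"
           "Reply-To: j.doe.private@freemail.test\n"
           "To: finance@example.test\nSubject: Urgent transfer\n\n"
           "Please transfer 9,500 to the new supplier today.\n")
LEGIT = ("From: Jane Doe <jane.doe@example.test>\n"
         "To: finance@example.test\nSubject: Board meeting agenda\n\n"
         "Agenda attached for Thursday.\n")

if __name__ == "__main__":
    for label, raw in (("probe", PROBE), ("request", REQUEST), ("legit", LEGIT)):
        print(label, whaling_indicators(raw))
```

The probe message contains no payment wording at all, so only the display-name check catches it; that is the stage at which a hold-and-verify step is cheapest.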

Educate Your Team

Introduce simple but effective processes for money transfers and educate your team – never rely on an email request alone to initiate money transfers.

Use Multi-layer Security

Use multiple layers of security solutions that go beyond the basic spam filter and antivirus software and consider multi-factor authentication.

Need Further Support? Astec Is Here To Help

Threats to security are greater than ever and come in ever more sophisticated forms. Astec will provide you with advice and guidance on avoiding being caught by whaling attacks, but this represents just one area of your security landscape.

We design, build and deploy secure environments that work for you and our security team can provide detailed audits, security reviews and solutions to keep your business and your data safe and compliant. Speak to our security experts today.


25 Years of experience

Becoming a Microsoft Gold Partner has been achieved by investing in our team for over 25 years. This means you have access to the most skilled and knowledgeable people to help your business grow.
