Whaling: Computer Rescue Security Bulletin

There’s a new scam in town. It is called “whaling” and it has already had an impact on our clients and friends. You might be aware of “phishing”, where a user is presented with a fake version of a web site, such as a bank or email login page, so that the attacker captures the user’s login credentials. Typically the attacker then uses the compromised account to send out the familiar email saying “help, I am trapped in some place and need money wired…”. Or you might be familiar with “spear phishing”, which is similar but is targeted at a specific group of users and uses personal details to make the message seem relevant, giving the attacker access to specific accounts or companies.

Whaling, on the other hand, involves a request to wire funds to a specific account. While every attack can differ, the request typically appears to come from the CEO or principal of an organization, is addressed to the treasurer, accountant or bookkeeper, and states that funds must be wired but that the matter must be kept private, so private that it cannot even be discussed face to face. There is usually an excuse; for example, “we are buying another company and have entered an NDA,” or something to that effect. The attacker draws on knowledge of the company, including corporate structure, email addresses and signatures, and bank account information, gathered from inside information or from public sources such as the Secretary of State, Town Clerk, Post Office, etc. They may even register an email domain very similar to yours to make the request seem more legitimate.

To prevent your company from becoming the victim of whaling, establish a clear policy stating that you will not act on confidential requests to make purchases or move money without confirming them in person (or through another means you trust). Be aware that these attackers can fake a phone call or email conversation just as easily. Making everyone aware that this can happen should help everyone be more alert to anything that is amiss! According to one source I found, 1 out of 10 of these scams is successful. Having the conversation with your employees now may save you.
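As an added illustration (not part of this bulletin), here is a defender-side check in Python for the pattern described above: a message that appears to come from an executive, arrives from a lookalike rather than the real company domain, asks for a wire, and insists on secrecy. COMPANY_DOMAIN, EXECUTIVES and the sample message are assumed or constructed values.

```python
import re
from email import message_from_string
from email.utils import parseaddr
COMPANY_DOMAIN = "example.com"         # assumption: your organisation's real mail domain
EXECUTIVES = {"jane doe", "john roe"}  # assumption: display names an attacker would borrow
# Character swaps commonly used to build lookalike domains; normalize() folds them away.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain: str) -> str:
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d

def is_lookalike(domain: str, company: str = COMPANY_DOMAIN) -> bool:
    """True if domain is NOT the company domain but is easy to mistake for it."""
    domain, company = domain.lower(), company.lower()
    return domain != company and (
        normalize(domain) == normalize(company)              # examp1e.com
        or levenshtein(domain, company) <= 2                  # example.co, exampel.com
        or company.split(".")[0] in domain.split(".")[0])     # example-secure.com

def assess_message(raw: str) -> list:
    """Return the whaling indicators found in one RFC 5322 message (empty = none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    checks = {
        "lookalike_domain": is_lookalike(sender_domain),
        "exec_impersonation": name.lower() in EXECUTIVES and sender_domain != COMPANY_DOMAIN,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != sender_domain,
        "secret_wire_request": bool(re.search(r"\bwire\b", text)
                                    and re.search(r"confidential|between us|do not discuss", text)),
    }
    return [flag for flag, hit in checks.items() if hit]

# Constructed sample message for illustration, not a real one.
SAMPLE = ("From: Jane Doe <jane.doe@examp1e.com>\nReply-To: jane.doe@mail-examp1e.net\n"
          "Subject: Urgent wire transfer\n\nPlease wire the funds today. Confidential, keep it between us.\n")
```

Calling assess_message(SAMPLE) returns all four indicators; a plain internal message with no wire request returns an empty list.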
