"Whaling Attacks: The Silent Threat to Corporate Security" by Gurjot Singh Kaler
Chandigarh: Have you received an email from the CEO or top boss of your company asking you to wire-transfer money immediately or share confidential information urgently? If yes, treat it with the utmost caution: it could be a 'whaling attack'.
One of the most sophisticated cybercrimes of recent years is the whaling attack, which has proliferated rapidly. In it, cyber criminals pose as senior executives or high-ranking officials of an organisation and send emails to targeted employees with the aim of cheating and defrauding the company and causing it reputational and financial damage.
In a whaling attack, the employee falls into the criminals' trap, wrongly believes that the email is genuine correspondence from a senior executive, and ends up divulging sensitive company information or transferring money to the fraudsters.
A general phishing scam targets non-specific individuals. Spear phishing, by contrast, targets particular individuals, and whaling is closely related to it. Whaling goes a step further: the fraudulent message appears to come from a senior executive or influential board member of the victim's own company, and that impersonation is used to coerce the employee into disclosing sensitive information or releasing funds. Because of its focus on high-profile figures, whaling is often termed 'CEO fraud'.
Impersonating someone the victim knows and respects adds an extra layer of social engineering to the scam, since employees are hesitant to refuse a demand from a person they consider important and influential in the organisation. This is what sets whaling apart from both ordinary phishing and spear phishing.
The name 'whaling' comes from targeting the 'big fish' or 'whales', a reference both to the prominent individuals who are targeted and to those who are impersonated in the fraudulent emails. Whaling attacks rely on email spoofing (forging the sender so the message appears to come from the real CEO), social engineering (collecting information to personalise the message) and impersonation.
In future, with advances in Artificial Intelligence (AI), malicious actors will find it even easier to aim highly targeted and personalised whaling attacks at specific high-powered, top-ranking individuals. Such attacks are sometimes called harpoon whaling attacks.
The harpoon whaling attack takes its name from the harpoon, the weapon used to hunt whales. It is a highly targeted social engineering scam: the emails convey a strong sense of urgency and contain detailed personal information about the targeted executive, with the aim of extracting money or critical information from the victim or gaining access to their computer to carry out further criminal activity.
There have been several well-known whaling cases. In 2016, cybercriminals tricked a Snapchat HR employee into divulging confidential payroll information about some current and former staff of the company.
Similarly, the toy company Mattel suffered a loss of around $3 million when a fraudster impersonating the company's new CEO emailed a high-ranking finance executive and instructed him to transfer money.
The threat of whaling attacks is therefore real, and it needs to be understood and discussed so that the right strategies for tackling it can be developed.
In whaling attacks, cyber criminals generally use social engineering tactics to exploit the victim's trust and manufacture a sense of urgency. They personalise the attack by researching the target's background, interests and professional relationships. Most of the time they masquerade as trusted, prominent figures such as CEOs, board members and business associates, or even as close friends or family members.
To create an emergency for the targeted victim and ensure compliance, they concoct fake stories, fabricate documents, and craft emails or phone calls that appear legitimate, urgent and tailored to the victim's specific concerns.
Sometimes they also refer to specific events, news or internal issues in the target's organisation to make the scam more believable.
Moreover, the sender's email in a whaling attack often appears authentic, with a believable address, corporate logos and links to convincing fake websites.
Since high-level targets usually have significant trust and access within their organisation, cybercriminals invest considerable effort in making these scams appear credible.
If you suspect a whaling attack has happened, take immediate action as follows:
1. Disconnect your computer from the network or internet to prevent any malware from spreading.
2. Inform your company's IT or security team promptly so that they can contain the damage and warn others. If money has already been sent, also contact your bank at once, as a transfer can sometimes be recalled if reported quickly.
3. Scan your computer for viruses and malware.
4. Change your login credentials immediately, from a device you trust, to safeguard your accounts.
5. Report the incident to the security team and to law enforcement for investigation.
Tips to tackle whaling attacks-
Preventing a whaling attack involves educating employees to recognise suspicious requests, implementing multi-factor authentication (MFA) for sensitive accounts, using the email authentication protocols SPF, DKIM and DMARC, conducting regular security audits, and having an incident response plan in place.
• Stay vigilant and scrutinise any unexpected email, call or request, even if it appears urgent and comes from a familiar name. Encourage employees to keep a healthy level of suspicion towards every email they receive and to ask themselves whether the request is unusual in any way.
• Verify everything. Do not rely on the email address or caller ID alone, as both can be spoofed. Make it a practice to contact the supposed sender through a known and trusted channel, such as a phone number already on file, to confirm the request.
• Do not panic, and take the time to satisfy yourself that things are as they seem. Cybercriminals very often use pressure tactics to force victims into hasty decisions. Do not rush; be patient. Employees need to be trained and encouraged to adopt a questioning mindset. For instance, if an email seems plausible but the address differs slightly from the usual one, that is a red flag: if Pwilliam@yourorganization.com normally emails you but a message arrives from Peterwilliam@yourorganization.com, be cautious. Likewise, a familiar name on an email that comes from outside the organisation could indicate a scam. The SPF, DKIM and DMARC protocols, published in DNS, let the receiving mail server verify that a message claiming to come from a given domain was actually sent by a server authorised for that domain and was not altered in transit. They do not, however, catch a lookalike domain that the attacker controls or a genuine account that has been compromised, so they complement, rather than replace, human verification.
• Make it a lifelong habit never to share confidential information, such as login credentials or financial data, over a phone call or email without first running proper verification checks.
• Always use anti-phishing software for email and keep the firewall on your computer network updated. Choose anti-phishing software that performs URL (Uniform Resource Locator) screening and link validation. Anti-impersonation software, which recognises the social engineering patterns fraudsters frequently use in whaling emails, is also helpful.
• Rely on multi-factor authentication for email and finance accounts; it limits what an attacker can do with stolen credentials, though it will not stop an employee who is talked into making a payment. For that reason, every request for a money transfer or for critical and confidential information must pass through multiple, independent levels of verification within the organisation before it is permitted.
• Educate your employees about whaling attacks and conduct routine cyber training exercises to keep them up to date with the latest scenarios and best practices. It is advisable to run mock whaling exercises to find out which staff members are vulnerable to falling for a real attack. Employees should be trained to recognise the signs of an attack, such as a spoofed email address: by hovering over the sender's name in an email, they can see the full address and check whether it matches the company's format. A cyber threat assessment of the organisation should be carried out periodically.
• Executives should be highly cautious when sharing information on social media platforms like Facebook, Twitter, and LinkedIn. Cybercriminals can use details like birthdays, hobbies, holidays, job titles, promotions, and relationships to create more sophisticated attacks.
• To reduce the risk from spoofed emails, have your IT department automatically flag every email that originates outside your network. Whaling often tricks key personnel into believing a message is internal, for example a finance manager's request for a money transfer. Flagging external emails helps even untrained staff spot the fakes.
• For payments, having two people approve each transfer is safer than one. A dual-approval system provides a second opinion within the organisation and removes the fear that a single employee feels when refusing a senior person, a fear that attackers deliberately exploit through social engineering.
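The three technical tips above (flag external senders, watch for lookalike addresses, and use SPF/DKIM/DMARC results) can be combined into a simple triage check that a mail gateway or an analyst could run on an incoming message. The following is an added example written for this article, not code from the author or from any product. It assumes a hypothetical company domain yourorganization.com, a hypothetical executive directory containing the Peter William address used in the text, and that the Authentication-Results header was written by our own receiving mail server (mail.yourorganization.com). The three sample messages are constructed for the example; the third generalises the text's lookalike example to a lookalike domain, and shows that SPF/DKIM/DMARC can all pass for a domain the attacker registered himself.

```python
"""Added example: header-level triage for messages that claim to come from an executive."""
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "yourorganization.com"   # assumed: our own mail domain
EXECUTIVES = {                             # hypothetical executive directory
    "peter william": "pwilliam@yourorganization.com",
}
URGENCY_WORDS = ("urgent", "immediately", "wire", "transfer", "confidential", "today")


def auth_results(msg):
    """Return {'spf': 'pass', 'dkim': 'fail', ...} from Authentication-Results headers.

    Only trust this header when our own server added it; an attacker can insert
    a fake one, so the receiving MTA should strip any copy it did not write.
    """
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        fields = str(hdr).split(";")           # fields[0] is the authserv-id
        for field in fields[1:]:
            method, _, rest = field.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and rest:
                results[method] = rest.split()[0].lower()
    return results


def lookalike(addr, known):
    """True when addr is close to, but not the same as, a known address
    (pwilliam@ vs peterwilliam@, yourorganization vs yourorganisation)."""
    if addr == known:
        return False
    return difflib.SequenceMatcher(None, addr, known).ratio() >= 0.75


def triage(raw):
    """Return the list of red flags raised by one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    flags = []

    if domain != INTERNAL_DOMAIN:
        flags.append("EXTERNAL_SENDER")        # the tip: flag anything from outside
    if reply_to and reply_to != addr:
        flags.append("REPLY_TO_MISMATCH")      # replies would go to the attacker
    for exec_name, exec_addr in EXECUTIVES.items():
        if name.strip().lower() == exec_name and addr != exec_addr:
            flags.append("DISPLAY_NAME_IMPERSONATION")
        if lookalike(addr, exec_addr):
            flags.append("LOOKALIKE_ADDRESS")
    # SPF/DKIM/DMARC only say whether the mail really came from the From domain,
    # so a message claiming to be from our own domain must pass DMARC.
    if domain == INTERNAL_DOMAIN and auth_results(msg).get("dmarc") != "pass":
        flags.append("INTERNAL_DOMAIN_DMARC_NOT_PASS")
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject'] or ''} {body.get_content() if body else ''}".lower()
    if sum(1 for w in URGENCY_WORDS if re.search(rf"\b{w}\b", text)) >= 2:
        flags.append("URGENT_PAYMENT_LANGUAGE")
    return flags


# Constructed sample messages (not real mail). Authentication-Results is on one line.
SAMPLE_GENUINE = """\
Authentication-Results: mail.yourorganization.com; spf=pass smtp.mailfrom=yourorganization.com; dkim=pass header.d=yourorganization.com; dmarc=pass header.from=yourorganization.com
From: Peter William <pwilliam@yourorganization.com>
To: finance@yourorganization.com
Subject: Q3 board deck

Attached is the deck for Thursday's meeting.
"""

SAMPLE_SPOOFED = """\
Authentication-Results: mail.yourorganization.com; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail header.from=yourorganization.com
From: Peter William <pwilliam@yourorganization.com>
Reply-To: peter.william@mail-secure.example
To: finance@yourorganization.com
Subject: URGENT wire transfer

Please process this transfer immediately and keep it confidential until I call.
"""

SAMPLE_LOOKALIKE = """\
Authentication-Results: mail.yourorganization.com; spf=pass smtp.mailfrom=yourorganisation.com; dkim=pass header.d=yourorganisation.com; dmarc=pass header.from=yourorganisation.com
From: Peter William <pwilliam@yourorganisation.com>
To: finance@yourorganization.com
Subject: Re: vendor payment

I need you to wire the outstanding balance today, it is urgent.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", SAMPLE_GENUINE), ("spoofed", SAMPLE_SPOOFED),
                       ("lookalike", SAMPLE_LOOKALIKE)):
        print(f"{label:10s} {triage(raw)}")
```

The genuine message raises no flags. The spoofed one is caught by the DMARC failure on our own domain and by the mismatched Reply-To, even though the From line looks perfect. The lookalike message passes every authentication check, because the attacker registered and configured yourorganisation.com himself; it is the external-sender flag, the display name of a known executive on a foreign address, and the urgent payment language that give it away, which is exactly why the tips above insist on out-of-band verification and dual approval rather than on technical checks alone.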
In conclusion, whaling attacks are a significant threat to organisations, using social engineering to target high-profile individuals. These sophisticated schemes, which masquerade as messages from trusted associates, can cause substantial financial and reputational damage if they are not addressed swiftly.
By fostering a culture of vigilance, implementing robust security controls, and providing ongoing training to employees, organisations can better defend themselves against whaling attacks in today's ever-evolving digital landscape.
Gurjot Singh Kaler, AIG Excise and Taxation
kalerforall@yahoo.com
Disclaimer: The opinions expressed within this article are the personal opinions of the writer/author. The facts and opinions appearing in the article do not reflect the views of Babushahi.com or Tirchhi Nazar Media. Babushahi.com and Tirchhi Nazar Media do not assume any responsibility or liability for the same.