Whaling is a form of cyber attack that has been gaining popularity over the past several years.
It is a potent way of targeting a victim in order to extort money or other critically important information from them.
The attack involves sending high-profile victims a series of phishing messages, often disguised as coming from prominent individuals or entities, using email spoofing, social engineering, content spoofing, and other creative approaches.
Such emails frequently lead the victim to a website created specifically for this purpose, in an attempt to gain access to their personal or company information.
Websites built for this attack are meticulously crafted and tailored to the victim, presenting information related to the victim that makes them easy to fall for.
The name fits the targets it has in mind: the big "whales," or individuals in the upper strata of management or society.
To put things into perspective, this attack specifically and frequently targets the upper echelons of management, as can be seen from the websites tailored to them with a personalized touch.
Standard phishing attacks tend to use a broader approach, where the websites involved are quite generic in nature.
While whaling attacks are carried out to extract important company information, phishing attacks are typically carried out to extract social media passwords and bank account details.
What is the objective behind Whaling?
The whole objective of this attack is to trick high-profile individuals, with end goals such as getting the victim to give up company information.
The parties behind such an attack could be competitors who have hired hackers to do the job for them in an attempt to gain access to vital company information.
They could then use the newly gathered information to correct the course of their own strategies.
Another objective could be to monetize the attack, with the victim being coerced into depositing money into the hacker's account.
This extortion would be carried out under the threat of the victim being fired, having to pay legal fees in a legal battle, or simply to protect his personal image or his company's image.
How does this cyber attack work?
Following the example of targeting business managers, the attack would likely involve sending emails to the top management of various companies and leading them to a website where they may divulge important company information.
Alternatively, the attacker may request the information through other forms of communication.
Such whaling emails usually disguise themselves as coming from an important authority relevant to the individual, either within or outside the company.
In one of the standard variations of the whaling tactic, the victim is prompted to enter their login information upon arriving at such a website.
The website the victim lands on resembles one he is familiar with, so he is easily tricked into handing over his information.
Once he enters his credentials, he receives an "incorrect password" prompt, while the hacker has already received them.
The victim is then redirected to the genuine version of the website and is none the wiser.
Another form of this attack may involve getting the victim to download PDF or Microsoft Word documents with malicious code embedded in them.
Opening such files installs malware on the victim's PC, which tracks all his activity and keyboard input, completing the attack.
How does one avoid falling prey to this intricate cyber attack?
First, it is important to check the genuineness of the web page one lands on.
A secured web page is marked by a green padlock next to its address, and some browsers also label it with the word "Secure."
Second, it is highly recommended to avoid downloading files from unknown sources.
As mentioned above, they may carry malware that can infect the victim's PC, leading to a loss of data and information.
Lastly, if someone claims to be an important entity, either internal or external, it is important to confirm their identity.
This can be done over the phone or through a face-to-face conversation.
It establishes that the email is from a genuine person and not an online thief.
Recipients of a suspected whaling email could also reply and ask to meet in person to confirm.
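As an added example that is not part of the original article, the following Python script checks constructed sample emails for the whaling indicators described in the two sections above: an executive's display name paired with a foreign address, a lookalike sender domain, a Reply-To that points elsewhere, urgent financial language, and a link whose host mimics the company's domain. The organisation domain, the executive list and the two sample messages are assumed values constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation details (constructed for this example).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "john roe": "john.roe@example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|wire|confidential|invoice)\b", re.I)

def lookalike(domain: str) -> bool:
    """True for a domain exactly one character away from ORG_DOMAIN (e.g. examp1e.com)."""
    a, b = domain.split(".")[0], ORG_DOMAIN.split(".")[0]
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def whaling_indicators(raw: str) -> list[str]:
    """Return the whaling indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    hits = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:          # executive's name, wrong mailbox
        hits.append("display name impersonates an executive")
    if lookalike(domain):
        hits.append("lookalike sender domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        hits.append("reply-to points to another domain")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(msg.get("Subject", "")) or URGENCY.search(body):
        hits.append("urgency or financial language")
    for host in re.findall(r"https?://([\w.-]+)", body):
        host = host.lower()
        ours = host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)
        if lookalike(host) or (ORG_DOMAIN in host and not ours):  # e.g. example.com.evil.net
            hits.append(f"link host {host} mimics {ORG_DOMAIN}")
    return hits

# Constructed sample messages: one spoofed executive request, one genuine.
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.net
Subject: Urgent: board figures needed today

Please sign in at https://login.example.com.verify-account.net/ and send the Q3 numbers.
"""
GENUINE = """From: Jane Doe <jane.doe@example.com>
Subject: Q3 numbers

The deck is at https://intranet.example.com/q3 for review.
"""
```

Running `whaling_indicators(SPOOFED)` returns five indicators while the genuine message returns none; in practice such checks would sit in a mail gateway rule rather than a standalone script.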
It is important to note that a majority of managers fall prey to such a phishing scam and end up conveying important company information to the attacker.
A vigilant approach is the need of the hour, to make certain that one does not fall prey to whaling.
After all, it may cost one their job and their professional credibility.