
Whaling / Big Phishing

The name is a metaphor: a whaling attack is the whole operation of designing, preparing and carrying out an attack on a person of high social standing (the CEO of a corporation, a senior manager, a prominent public figure or simply a wealthy individual) who controls a large corporate, property or monetary resource. A whaling attack relies on social engineering techniques and is designed to push the victim into an action such as transferring a large sum of money or sharing or disclosing confidential, critical information.

To carry out this type of attack, the attacker uses the huge amount of public information available on the Internet to build an adequate profile of the victim, of the parties (people and organizations) he or she deals with, and an assessment of the resource he or she controls. Corporate websites, public financial reports and social networks such as LinkedIn, Facebook and Twitter support and facilitate this process.

The attack path can be anything that works. If the target is a senior manager, the attacker may instead select one of his or her direct or indirect reports who has been pre-profiled as having low resistance, in other words an employee who is susceptible to phishing. With modern technology, artificial intelligence and an ocean of public data, such an employee is not hard to identify at all. Any combination of steps can be used as long as it contributes to the success of the attack; sometimes the attack passes through several employees or other people before the finishing touch is applied. In other cases the target is the senior manager directly, on the assumption that his or her resistance is low in a given context.

Then it is the turn of the crafted email, the one that holds the key to Pandora's box. The target is chosen, the context is clear, and the medium and content are prepared:

“Hey, we missed discussing project costs at the last meeting. Could you send them to me?”

“To the attention of …, please find enclosed an invoice for the latest changes… ”

“For the attention of …, please be advised that the invoice has not yet been paid. We are using this email to forward it to you again. If the amount is not transferred within the day, we will request the seizure of your accounts and assets.”

The email address, domain and sender name may only roughly resemble those of the authentic senior manager or counterparty, but that is enough: a victim in cognitive overload from circumstances and overwork misses these fine details, replies to the inquiry, opens a link or downloads a file, and from there secondary and tertiary events follow until the attack is complete and its damage can be measured.
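One technical control that catches the "roughly resembles" trick before it reaches an overloaded reader is a sender lookalike check on the From: header. The following Python is an added example written for this page, not code from the original article or from any product: the trusted domains, executive names, confusable-character table and sample headers are all constructed for illustration, and the thresholds are assumptions a real deployment would tune.

```python
from email.utils import parseaddr

# Constructed for this example: the domains the organisation legitimately sends from.
TRUSTED_DOMAINS = ["example.com", "example-corp.com"]

# Constructed for this example: executives whose display names a whaling lure would borrow.
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Substitutions that look alike in a mail client: ASCII digit/letter swaps, letter pairs
# that render like a single glyph, and a few Cyrillic/Turkish letters identical to Latin ones.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0131": "i",
}


def normalize_domain(domain: str) -> str:
    """Lower-case a domain and collapse the confusable substitutions above."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss registrations such as 'exampel.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str):
    """Return (verdict, reasons) for a From: header value.

    verdict is 'trusted', 'external', 'suspicious' or 'invalid'; reasons lists
    every lookalike signal found, so an analyst can see why it fired.
    """
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid", ["no sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", []

    reasons = []
    norm = normalize_domain(domain)
    labels = norm.split(".")
    for trusted in TRUSTED_DOMAINS:
        trusted_norm = normalize_domain(trusted)
        brand = trusted_norm.split(".")[0]
        if norm == trusted_norm:
            # e.g. exarnple.com or examp1e.com collapse to example.com
            reasons.append(f"homoglyph lookalike of {trusted}")
        elif levenshtein(norm, trusted_norm) <= 2:
            # e.g. exampel.com: two substitutions away from the real domain
            reasons.append(f"near-miss of {trusted}")
        elif brand in labels:
            # e.g. example.com.attacker.net: the real name buried in a foreign registration
            reasons.append(f"brand label '{brand}' reused in foreign domain")
    if display_name.strip().lower() in EXECUTIVE_NAMES:
        # "CEO name" as display name on a webmail or unrelated domain
        reasons.append("display name matches an executive but sender domain is not trusted")
    return ("suspicious" if reasons else "external"), reasons


if __name__ == "__main__":
    SAMPLE_HEADERS = [  # constructed test inputs, not real mail
        "cfo@example.com",
        "cfo@exarnple.com",
        "cfo@exampel.com",
        "cfo@example.com.attacker.net",
        '"Jane Doe" <jane.doe@gmail.com>',
        "billing@vendor-invoices.net",
    ]
    for header in SAMPLE_HEADERS:
        print(header, "->", classify_sender(header))
```

This is a heuristic layer on top of, not a replacement for, SPF, DKIM and DMARC: those verify that the claimed domain authorised the message, while this check flags domains that were registered precisely so that authentication would pass while the name still fools a human. Tune the edit-distance threshold to your domain length, and route anything "suspicious" that also asks for a payment or credential to a manual review queue rather than the executive's inbox.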

Here are some tips:

  • Develop and inform your teams and employees, especially those who hold a resource that can be exploited against you.
  • Remember that the above plot is entirely possible and anyone can fall for it.
  • Use simulations of real threats. In this way the real ones are identified much more easily and earlier, and thus prevented.
  • Develop the right culture and values.

Developing and training yourself and your employees is an investment in a more secure future. We are here for you!