You might have heard of phishing and even spear phishing, but what about whaling? Despite these names’ nautical themes, they all refer to various types of cyber attacks that aim to hook you as the hapless fish.

Whaling attacks can be particularly dangerous. But before we get into what this is all about, you’ll need some background on the other types of online attacks that make up the main parts of whaling.

The Mechanics of a Whaling Attack

There are two main components to a whaling attack. First of all, there is the “whale” itself. This is a person who is fairly high up in the organization – usually, someone who has the authority to move around and make payments. Alternatively, it might be someone who has access to sensitive information, such as HR records or customer data. Anything that a potential hacker might find valuable.

The second part is the role that the attacker takes on. The trick with whaling is that you have to pretend to be even bigger than your target. So if your target is a senior accounts manager, you should be the VP of accounting, for example.

C-level executives are often impersonated, which is why whaling can be seen as a hybrid of phishing and CEO fraud. That said, attackers tend not to impersonate someone the victim knows well, since familiarity makes the impersonation easier to detect.

Before attempting the hunt, the hackers spend much time preparing. They will research both the target and the person they plan to impersonate. Preparation may also involve creating fake websites, spoof email addresses, and anything else they need to fool their mark.

When the attack is executed, it might be elaborate, with multiple stages leading up to the final payoff. Alternatively, it could be a hit-and-run: a quick email asking for information or transaction approval, designed not to raise any alarms because of how plausible and common the request is.

How to Spot a Whaling Attack?

Whaling attacks are tougher to spot than regular phishing attacks because of the research the attackers put into them, which means the main warning signs are technical in nature: the sender's email address will be spoofed, and any links to external sites are likely to be fake as well.

On the social engineering side, the email might use strange language or feel somehow out of place within the existing corporate culture. New C-level executives might be at higher risk of impersonation since current employees don't know them well enough to spot when something is off. A new senior hire from outside the company might not yet know standard procedures or how email communication is typically handled, which helps disguise an attacker's lack of insider knowledge.

How to Prevent and Deal With Whaling Attacks

So how can you mitigate whaling attacks? The first and most important step is cyber security training for the key senior staff who are likely to be targeted. Provide them with a checklist of things to review from a technical standpoint whenever they are asked to move money or hand over sensitive information that should not be public.

Flagging outside emails automatically can help prevent spoofed addresses from fooling targets in the organization as well. Emails that contain URLs should also have warnings attached to them.
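The technical warning signs above (a spoofed or look-alike sender address, links to external sites) and the automatic flagging described here can be turned into inbound-mail banners. The following is an added example, not code from the original post; the domain `example.com`, the executive list `EXECUTIVES`, and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and the
# executives most likely to be impersonated (display name -> real address).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_message(raw: str) -> list[str]:
    """Return the warning banners that should be attached to one inbound message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    warnings = []
    # 1. Anything not from our own domain gets the external banner.
    if domain != INTERNAL_DOMAIN:
        warnings.append("EXTERNAL: this message originated outside the organisation")
    # 2. Display name of a known executive paired with an address that is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        warnings.append(f"IMPERSONATION: display name '{name}' does not match {real}")
    # 3. A Reply-To that differs from From quietly redirects the conversation.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        warnings.append(f"REPLY-TO MISMATCH: replies would go to {reply_to}")
    # 4. Any URL in the text body gets a link warning.
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(str(p.get_payload()) for p in parts if p.get_content_type() == "text/plain")
    if URL_RE.search(body):
        warnings.append("LINKS: message contains URLs; verify the destination before clicking")
    return warnings


# Constructed sample: an impersonation attempt from a look-alike domain.
SUSPICIOUS = """From: Jane Doe <jane.doe@example-payments.net>
Reply-To: jd.ceo@mail-relay.net
To: accounts@example.com
Subject: Urgent wire approval

Please approve the attached invoice today: https://example-payments.net/invoice
"""

# Constructed sample: a genuine internal message with no links.
CLEAN = "From: Jane Doe <jane.doe@example.com>\nTo: accounts@example.com\nSubject: Lunch\n\nSee you at noon.\n"

if __name__ == "__main__":
    for banner in classify_message(SUSPICIOUS):
        print(banner)
```

In a real deployment these checks would run in the mail gateway and prepend the banners to the message body; the phone-call confirmation described in the next paragraph remains the control for the requests that pass them.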

There should also be a two-factor process for certain sensitive requests. This can be as simple as a phone call to the person to confirm that they did indeed send the message. More sophisticated methods, such as communication over private encrypted chat, can also be used to ensure that whaling emails won’t just be obeyed without question.

People who are likely to be impersonated, such as C-suite executives, should also be trained in good privacy habits, such as limiting what they share on social media. As always, it’s people – and not technology – that prove to be the largest security weakness.

This post appeared first on TechNadu.