
Inside a Whaling Attack

As phishing attacks continue to rise in volume, more and more companies are being hit with whaling attacks, which are large-scale scams that go after the personal information of employees, as well as the financial information of companies. Online scammers usually trick executives into revealing company information through emails or spoofed websites.


Learn how whaling attacks work, why they succeed, and ways to avoid them.

They Seem So Legitimate
Snapchat and Seagate have both fallen prey to whaling attacks in recent years. Part of the reason these attacks succeed is that they are highly personalized to their target. For example, a fake email from a company executive might include the company logo, phone information and other details to trick the victim.

Whaling scams usually don’t use hyperlinks with malicious software, but hackers occasionally use this route as well. Attackers gather information from the company by examining the personal data of an employee on Facebook, Twitter, LinkedIn and other social media sites that may reveal something about the person.

Point-of-Sale Malware That Steals Data
One recent whaling attack that hit a company is a point-of-sale (POS) scam, UDPoS, that relies on User Datagram Protocol (UDP) DNS traffic to extract credit card information. Instead of relying on HTTP to scam users, UDPoS uses Domain Name System (DNS) queries to steal data.

The scam works because the malware masquerades as an update from LogMeIn, a legitimate remote desktop service that companies use to manage computers and other systems. It is not actually an update from LogMeIn; the disguise helps it avoid detection by firewalls and other security measures while it steals card payment data.

How to Avoid a Whaling Attack
Education is the key. Teach employees, senior management, and IT staff about whaling attacks. All staff should know how to differentiate real emails from spoofed ones, avoid unsolicited attachments, and discern fake hyperlinks. Conducting seminars on fake whaling attacks is a sound way to train employees. A final measure for an IT department is to flag emails that come from outside the company.

But what can you do personally? Try to enable safety settings on your private profiles so hackers can’t discover specific details about you, like your date of birth or information about your friends. Finally, be very careful about having work documents on your home devices such as a laptop or smartphone.
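The external-email flag mentioned above can be sketched as a mail filter. The following is an added example, not code from the article; the domain `example.com`, the executive name, the `[EXTERNAL]` tag and the `X-Whaling-Warning` header are all assumptions chosen for illustration. It goes one step beyond a plain tag by also warning when an outside address carries an executive's display name.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed values for this example; none of them come from the article.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"dana reyes"}          # display names an attacker might borrow
TAG = "[EXTERNAL]"

def _from_parts(msg):
    """Split the From header into (normalised display name, domain)."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    return " ".join(name.lower().split()), domain

def is_external(msg):
    """True unless the sender domain is internal or a subdomain of an internal
    domain. An unparsable From counts as external (fail closed)."""
    _, domain = _from_parts(msg)
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def flag(raw):
    """Tag external mail; warn when an external sender uses an executive's name.
    The From header is forgeable, so this assumes the mail gateway has already
    rejected outside mail that claims an internal domain (SPF/DKIM/DMARC)."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(TAG):
        del msg["Subject"]               # policy.default allows only one Subject
        msg["Subject"] = f"{TAG} {subject}".strip()
    name, _ = _from_parts(msg)
    if name in EXECUTIVES:
        msg["X-Whaling-Warning"] = "executive display name on an external address"
    return msg

# Constructed sample messages (not real mail).
SAMPLES = {
    "internal": "From: Dana Reyes <dana.reyes@example.com>\nSubject: Q3 budget\n\nhi\n",
    "vendor": "From: Billing <billing@vendor.test>\nSubject: Invoice 1042\n\nhi\n",
    "spoof": "From: Dana Reyes <dana.reyes@examp1e-mail.test>\nSubject: Urgent wire\n\nhi\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        out = flag(raw)
        print(label, "|", out["Subject"], "|", out.get("X-Whaling-Warning", "-"))
```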

PSafe Newsroom
