Whaling is a type of e-mail scam in which a hacker poses as a trusted source to get you to transfer money or send sensitive information.
Whaling is extremely easy to fall for, often more so than your typical phishing attack, and it has the potential to be much more destructive, resulting in significant financial losses to you.
Phishing scams target non-specific individuals, and spear-phishing targets particular individuals. Whaling doubles down on the latter: it not only targets those key individuals but does so in a way that makes the fraudulent communications appear to have come from someone senior or influential at their organization. Think of them as “big phish” or “whales” at the company, such as the CEO or finance manager. This adds an extra element of social engineering into the mix, because staff are reluctant to refuse a request from someone they deem to be important.
The threat is very real and growing all the time. The payroll department at Snapchat received a whaling email seemingly sent from the CEO asking for employee payroll information. Last year, toy giant Mattel fell victim to a whaling attack after a top finance executive received an email requesting a money transfer from a fraudster impersonating the new CEO. The company almost lost $3 million as a result.
These whaling e-mails can be difficult to catch because they appear to be harmless, and have a normal, friendly tone and no links or attachments. They will appear to come from a high-level official at the company, typically the CEO or CFO, and often ask you to disclose sensitive information or initiate a wire transfer.
Here are a few things to watch out for in a typical whaling attempt:
Doppelganger: Whalers may utilize fake e-mail domains that look similar to a domain you know. Watch out for things like: email@variation-on-company-domain.
A hurried tone: Whalers will often ask you to send money immediately, stating that they’re busy or in a meeting, and can’t do it themselves.
E-mail only: Because whaling relies on impersonating someone through a fake yet similar e-mail address, whalers will ask you not to call with questions and to reply only through e-mail.
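The three warning signs above can also be checked mechanically before a message reaches a person. The following Python is an added example, not part of the original article: it scores a raw message for each sign. The domain `acme.example`, the phrase lists, the distance threshold and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"acme.example"}  # assumption: the organization's real domain
# Assumed phrase lists for the "hurried tone" and "e-mail only" signs.
URGENT = re.compile(r"\b(immediately|urgent(ly)?|right away|asap|in a meeting)\b", re.I)
NO_CALL = re.compile(r"\b(do not|don't|can't|cannot)\s+(call|phone)\b"
                     r"|\breply only (by|via|through) e-?mail\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    for good in TRUSTED_DOMAINS:
        if domain == good or domain.endswith("." + good):
            return None  # the real domain or one of its subdomains
    for good in TRUSTED_DOMAINS:
        # Near-miss spelling, or the trusted name embedded in another domain.
        if edit_distance(domain, good) <= 2 or good.split(".")[0] in domain:
            return good
    return None

def whaling_signals(raw_email):
    """List which of the three warning signs a raw message shows."""
    msg = message_from_string(raw_email)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    checks = [("doppelganger-domain", lookalike_of(domain)),
              ("hurried-tone", URGENT.search(body)),
              ("email-only", NO_CALL.search(body))]
    return [name for name, hit in checks if hit]

# Constructed sample messages (not real mail).
SUSPICIOUS = ('From: "Pat Lee, CEO" <pat.lee@acrne.example>\nSubject: Wire\n\n'
              "I'm in a meeting and can't call. Send the wire immediately "
              "and reply only through e-mail.\n")
BENIGN = ("From: Pat Lee <pat.lee@acme.example>\nSubject: Q3 review\n\n"
          "Slides for Thursday are attached. Call me if you have questions.\n")

if __name__ == "__main__":
    print(whaling_signals(SUSPICIOUS), whaling_signals(BENIGN))
```

A message that trips any of these signs is a candidate for out-of-band verification, not proof of fraud; the phrase lists in particular will need tuning to local language.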
If you receive an e-mail that you suspect to be a whaling attempt, or if you are unsure of an e-mail’s legitimacy, please do not respond.
Remember, in general, no one from companies you do business with will ever request personal information, usernames, passwords, or money from you via e-mail.
With ProtectIQ™, you will receive the internet security you need. ProtectIQ is a network-level security application that works quietly in the background and proactively keeps malicious websites, viruses, and intrusion away from your home 24×7.