Just when you thought you had managed to train your employees to spot and avoid phishing attacks, along comes another fishy email scheme: whaling. Teaching your employees to spot these attacks will help prevent your company’s assets from being harpooned.

Why is it Called a “Whaling” Attack?

Phishing attacks tend to target individuals — the employee who gets a request for a personal password, for example. Whaling describes attacks in which the crooks pretend to be someone like the CEO or CFO, asking an employee for business information or assets. Whaling describes this type of attack because the crooks are targeting a company (which is bigger than an individual) and impersonating the “big fish” at the company.

What Compromises a Whaling Attack?

1. Scammers gather a plethora of information from the company’s website, the company’s social media postings, and professional sites like LinkedIn.
2. The crooks create an email account that spoofs the company’s domain. They may use a similar name (e.g., xcompanymail.com instead of xcompany.com) or an extra extension (e.g., xcompany.com.co instead of xcompany.com).
3. A phishing email is sent to someone in the company who has access to the information or money that the criminals want.
4. The email’s recipient acts on the email because he or she didn’t check the authenticity of the message.
5. A transaction takes place, which sends the information or money to the crooks.

Why do People Fall for These?

The success of whaling attacks typically occurs because people are too busy to double-check the email; too afraid to disobey what looks like an urgent, possibly angry email from a boss; and too trusting of that same boss, assuming that any request that comes from that boss must be legit.

How to Spot Them and Stop Them!

Tell your employees whaling exists, first of all; then stage test attacks so employees can get a sense of what an attack might look like. You can also booby trap the system with features such as emergency passwords, email domain filters, and two-factor authorization and authentication for transactions.

Whaling is a threat, but you can avoid it with the right training and protection. Start working with online security consultants now to identify and strengthen weak links.