The rise of Whaling attacks

How to avoid the harpoon

Ever heard of whaling attacks?

They're like phishing but with a twist. Instead of targeting ordinary people like you and me for our bank details and passwords, whalers go after the big fish — senior executives and key players in organisations who have influence and access to valuable information.

While phishing is more of a scattergun approach, whaling is all about precision.

Whalers blend email, WhatsApp and LinkedIn to craft messages using impersonation, fakery and urgency as key tactics to get you to give up what they want, typically resulting in financial or reputational loss.

Why Whaling is Harder to Spot

Phishing emails are usually easy to catch because they flood inboxes with identical messages. Whaling, on the other hand, is sneaky. These attacks play on the egos and emotions of executives, making them tough to defend against.

Because social media gives away so much personal info, whalers have a treasure trove of data to inform and tailor their attacks. They know where you work, who you hang out with, what conferences you attend, and even where you go on holiday or walk your dog!

How to Identify a Whaling Attack

So, how do you know if you're being targeted? Here are some red flags:

  • Strange requests that don't make sense
  • Links that seem out of place
  • Attachments you wouldn't normally get from the sender

Always be suspicious – I can’t recommend this enough. The most common whaling trick is an email that looks like it's from one exec to another. A quick check with the supposed sender via a different platform can save you a lot of trouble.

Whaling is a Serious Threat

We often think we're just another fish in the pond, but whalers use this to their advantage. It takes seconds for them to gather your name, job title, and phone number. Suddenly, you're on their sonar without even knowing it… until it's too late.

Deep dive on B2B tactics: WhatsApp & LinkedIn

It’s not all about attacking by email today. Many successful whaling attacks reel in their victims through social media platforms, used either to research the target or to harpoon them directly, with impersonation, fakery and urgency as the key tactics. It’s more common than you think, as the following examples show.

WhatsApp

CEO Impersonation

Cybercriminals pretend to be a company CEO, sending messages to the finance department requesting urgent transfer of funds. Attackers use information gathered from social media and company websites to make messages seem legitimate. [1]

LinkedIn

CEO Impersonation

Attackers gathered information about a company's CEO and other executives to craft a convincing email that appeared to come from the CEO, requesting an urgent wire transfer. The finance department believed the email to be legitimate and transferred a significant amount of money to the whalers. [5]

Vendor Fakery

Posing as trusted vendors, whalers contacted a senior executive to request payment for a supposed invoice. The message included details that matched the company's recent transactions, making it seem authentic. [1]

Vendor Fakery

Whalers used LinkedIn to identify a target company’s key partners. They impersonated these vendors, sending detailed messages to executives requesting payment for fake invoices. The messages were convincing, leading to substantial financial loss. [1]

Urgent Business Matters

Urgency pressures victims into acting without thinking. Here, attackers sent messages seemingly from a high-profile executive, claiming an urgent matter required immediate attention, on the premise that the request would not be verified. [2]

Social Engineering

Whalers build rapport with their targets over time, gradually gaining their trust. Once the relationship is established, they request sensitive information or financial transactions under the guise of legitimate business needs. [3]

Social Engineering

Cybercriminals use LinkedIn to build a detailed profile of their targets, including their professional connections, recent activities, and interests. They use this information to craft highly personalised messages that appear to come from trusted colleagues or business partners, making attacks difficult to detect. [6]

Fake Invitations & Job Offers

Cybercriminals are known to send WhatsApp messages inviting executives to speak at or attend fake conferences or events. The messages include links to malicious websites or requests for personal information to register for the event. [4]

Fake Invitations & Job Offers

Whalers use fake LinkedIn profiles to pose as recruiters from well-known firms. They target senior executives with enticing job offers, asking them to provide personal information and even financial details as part of the ‘recruitment process’. This information is then used to launch further attacks.

Stay out of the water to guard against whalers’ research tactics

Kyocera Cyber provides a broad range of technology and services that unify to maximise protection, resilience and compliance for our customers and strengthen their human layer. Everything from cyber assessments, disaster recovery and backup to authentication, identity and access control services, endpoint detection and response (EDR) and phishing defence services is available individually or under a fully managed service provision.

1. Limit Public Information

Encourage employees, especially executives, to limit the amount of personal and professional information shared on social media and other public platforms. This makes it harder for whalers to gather detailed information about potential targets. [7]

2. Implement Strong Security Policies

Help prevent employees from falling for whaling attacks by enforcing strict security policies that include guidelines on how to handle sensitive information and verify unusual requests. [8]

3. Use Multi-Factor Authentication (MFA)

Implement MFA for all accounts, especially those with access to sensitive information or financial resources. This adds an extra layer of security, making it more difficult for attackers to gain unauthorised access. [8]

4. Conduct Regular Training

Provide regular training sessions to help employees spot and report suspicious emails. Simulated phishing exercises can be particularly effective in raising awareness and improving detection skills. [8]

5. Monitor and Quarantine Suspicious Emails

Use advanced email filtering and monitoring tools to detect and quarantine suspicious emails before they reach employees' inboxes. [9]
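The red flags listed earlier (odd requests, out-of-place links, unexpected attachments, an email that appears to come from one exec to another) can be turned into a first-pass filter. The script below is an added example, not Kyocera's tooling or any product mentioned on this page: it screens raw email messages for the common CEO-fraud signals (an executive's display name on a non-corporate address, a lookalike sender domain, a Reply-To pointing elsewhere, urgency combined with money language, links or attachments) and returns a verdict a mail gateway could act on. The company domain, executive directory and both sample messages are constructed for illustration.

```python
"""Heuristic screen for executive-impersonation ("whaling") email.

Added example. The company domain, executive directory and the two
sample messages below are all constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.test"                      # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}  # assumed exec directory

URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "confidential")
MONEY_TERMS = ("wire transfer", "invoice", "payment", "bank details", "gift card")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg) -> str:
    """Collect the text/plain content of a single- or multi-part message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def analyse_message(raw: str) -> dict:
    """Return the sender, the signals found and a deliver/review/quarantine verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}".lower()
    flags = []

    # 1. Display name of a known executive, but the address is not theirs.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        flags.append("exec-display-name-mismatch")

    # 2. Sender domain is a near-miss of the company domain (e.g. one letter off).
    if from_dom and from_dom != COMPANY_DOMAIN and _edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike-domain")

    # 3. Reply-To routes answers to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append("reply-to-domain-mismatch")

    # 4. Urgency and money language together: the classic CEO-fraud pattern.
    if any(t in text for t in URGENCY_TERMS) and any(t in text for t in MONEY_TERMS):
        flags.append("urgent-financial-request")

    # 5. Attachments and links, the page's other two red flags.
    if any(p.get_filename() for p in msg.walk()):
        flags.append("has-attachment")
    if re.search(r"https?://", text):
        flags.append("contains-link")

    verdict = "quarantine" if len(flags) >= 2 else ("review" if flags else "deliver")
    return {"from": addr, "flags": flags, "verdict": verdict}


# Constructed sample: a CEO-fraud attempt with a lookalike domain ("c0rp").
SAMPLE_FRAUD = """\
From: Jane Doe <jane.doe@example-c0rp.test>
Reply-To: Jane Doe <ceo.desk@mail-relay.test>
To: finance@example-corp.test
Subject: Urgent wire transfer - confidential

I am in a meeting and need this handled immediately. Please arrange a
wire transfer for the attached invoice today and confirm by reply.
"""

# Constructed sample: a routine internal message from the real executive.
SAMPLE_NORMAL = """\
From: Jane Doe <jane.doe@example-corp.test>
To: finance@example-corp.test
Subject: Q3 board pack

Thanks for the draft, looks good. Let's review on Thursday.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FRAUD, SAMPLE_NORMAL):
        print(analyse_message(sample))
```

The thresholds (two signals to quarantine, an edit distance of two for lookalike domains) are assumptions chosen for the example; a real gateway would tune them against its own traffic and, as the next recommendation says, still route flagged transfer requests to a human for out-of-band confirmation rather than relying on the filter alone.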

6. Verify Unusual Requests

Encourage a culture of verification where employees double-check any unusual requests, especially those involving sensitive information or financial transactions. A quick phone call or face-to-face confirmation can prevent a lot of potential damage. [8]

7. Keep Software Updated

Ensure that all software, including email clients and security tools, is regularly updated to protect against the latest threats. This helps close any vulnerabilities that attackers might exploit. [9]

By understanding these tactics, you can better protect yourself and your organisation from falling victim to whaling attacks. Always verify unusual requests, especially those involving sensitive information or financial transactions.

[1] https://phishgrid.com/blog/worst-whaling-attack/
[2] https://www.comparitech.com/blog/information-security/what-is-whaling/
[3] https://www.comparitech.com/blog/information-security/what-is-whaling/
[4] https://phishgrid.com/blog/whatsapp-phishing-attacks-awareness/
[5] https://www.compassitc.com/blog/what-is-a-whaling-attack-with-examples
[6] https://www.fortinet.com/resources/cyberglossary/whaling-attack
[7] https://www.secureworld.io/industry-news/company-in-crosshairs-of-whaling
[8] https://hoxhunt.com/blog/whaling-phishing
[9] https://veepn.com/blog/whaling-attacks/
