I've heard of a phishing attack and understand its implications, but lately I've been hearing more and more about...
whaling attacks. What is a whaling attack and are there specific actions an enterprise should take to defend against it?
Whaling attacks are a sub-type of phishing attacks. According to the official WhatIs.com definition, "whaling is a type of fraud that targets high-profile end users such as C-level corporate executives, politicians and celebrities." Think of it like spear phishing against high-value, high-profile targets. Famous individuals including Paris Hilton were whaling victims before the term came to fruition. "Whales" are at increased risk due to the public nature of their personalities and lifestyles. Because there are additional risks to going after these targets, their service providers might also be targeted to get access to their clients' personal information.
If someone were to use pretexting to socially engineer a password reset for Paris Hilton's smartphone, the phisher could easily gain access again to whatever sensitive data she had saved on the device. Companies targeting whales as customers may want to keep these types of attacks in mind so they are not used to attack the whale itself.
While standard enterprise protections against phishing should already be in place in your enterprise, you may wish to target them toward your high-profile end users specifically. These individuals typically have the least amount of time available to attend security awareness training, so only include applicable targeted antiphishing security controls in your trainings. In an enterprise environment, additional controls may be helpful, such as:
- Limiting where an account can be used. This could potentially prevent a phisher from using the account even if credentials were phished.
- Reviewing all uses of the whale's accounts. Doing so won't stop an attack, but could help detect an attack and therefore prevent widespread access to the account.
- Sending the person's emails to a trusted assistant. While this wouldn't necessarily prevent an attack, it could help identify phishing emails, as the assistant could alert the whale that he or she shouldn't click on the link, or just delete the email.
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email! (All questions are anonymous.)
Dig Deeper on Email and Messaging Threats-Information Security Threats
Related Q&A from Nick Lewis
Researchers developed aIR-Jumper, an exploit that leverages lights within security cameras to extract data. Learn how this attack works and how to ... Continue Reading
The com.google.provision virus reportedly targets Android users, but little is known about it. Nick Lewis discusses the mystery threat and how Common... Continue Reading
A bug in Microsoft's Internet Explorer update exposes information that users enter into the browser's address bar. Learn more about the bug and URL ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.