SOCIAL ENGINEERING | 5 MIN READ
In the 17th century, whaling was a common term for the hunting of whales for the oil their blubber produced. Today, whaling still exists, but a new version of it has become a common social engineering practice. If you're a business owner or C-level employee, whaling is a very real threat to you.
In Las Vegas, the term "whale" is used to describe gamblers who are prepared to bet large sums (small fortunes, actually) of money at the casinos. They're treated like royalty wherever they stay, as the casinos aim to encourage them to spend as much time on their property as possible.
The more time they spend on-site, the more money the casino stands to make.
What is a Whaling Attempt?
Much like the Vegas example above, whaling is a form of social engineering that targets "whales," or in this case, business owners and C-level employees (CEO, CFO, etc.).
An attacker (usually a hacker) will attempt to gain access to a C-level employee's computer through various phishing techniques.
Phishing is the most common form of cyber social engineering. In a phishing attack, cyber criminals disguise emails as coming from a trusted source (like a financial institution). The email contains malicious links disguised as reputable ones. Once the victim clicks a link, a virus of some type is installed on the victim's computer.
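The "malicious links disguised as reputable ones" described above can be caught mechanically when an anchor's visible text names one domain but its href points to another. The following is an added example, not code from the original post: a small Python checker run over a constructed email body, where example-bank.com and the .test hosts are invented placeholders.

```python
"""Flag anchors whose visible text claims one domain while the href points elsewhere."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a bare domain or URL inside link text, e.g. "example-bank.com/help"
HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude last-two-labels approximation; a production filter would use the public suffix list."""
    return ".".join(host.lower().removeprefix("www.").split(".")[-2:])


def disguised_links(html_body: str) -> list:
    """Return (shown_host, actual_host, href) for each anchor whose text and target disagree."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        actual = urlparse(href).hostname or ""
        claim = HOST_RE.search(text)
        if not actual or not claim:
            continue  # "click here" style text makes no domain claim, so nothing to compare
        if registered_domain(claim.group(1)) != registered_domain(actual):
            findings.append((claim.group(1), actual, href))
    return findings


# Constructed sample lure in the style of a "trusted institution" email (placeholder hosts)
SAMPLE_EMAIL = """
<p>Your account needs verification. Log in at
<a href="http://login.example-bank.evil.test/">https://www.example-bank.com/login</a>.</p>
<p>Questions? See <a href="https://www.example-bank.com/help">example-bank.com/help</a>
or <a href="https://tracker.example.test/c/123">click here</a>.</p>
"""
```

Only the first anchor is reported: its text claims example-bank.com while the href resolves to the evil.test domain.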
This creates a perfect opportunity for ransomware to be deployed, jeopardizing sensitive information and at times costing a business millions (in reputation loss, data loss, and any ransom payout).
C-level employees and owners are prime targets because they often hold tremendous amounts of sensitive data (potentially including their own personal data) that can be very valuable to a hacker.
The most effective part of a phishing attack is that a hacker will usually play the long game: a person who experiences a phishing attack often received the malware months or years prior. This makes it incredibly difficult to find and remove any ransomware.
What Can Be Done?
Whaling is just a term to describe the type of victim a hacker is targeting, but anyone can become a phishing victim. All you need is the internet.
So, what can be done?
Companies that are serious about protecting their sensitive data often turn to training programs that create real-world scenarios by sending uninfected emails to their employees that use genuine phishing techniques. These disguised emails test how likely someone is to click a malicious link.
If an employee does get caught clicking a fake malicious email, they receive the prize of an online training session so that they can be better educated, instead of the prize of their company's sensitive information being exposed.
If you don't have the resources for an in-house person to shoulder the responsibility for these cyber drills, hiring a managed IT services provider is an option.
A good rule of thumb to use:
If an employee doesn't recognize the source (or they don't usually receive emails from that source), don't click on it!
Whales - I mean C-level employees - are people, too. They should be as vigilant as their employees, because one wrong click could send your company out of business.
Posted by Daniel Gray
Daniel has a passion for educating and helping people and has spent over a decade in the education and office technology industries. He has a Bachelor's in Education from the University of West Georgia and an MBA from the University of Georgia. Daniel has been the lead blogger at SOS since 2017 and specializes in managed IT services, copiers and printers, and business phone systems. He lives in Atlanta and has a goofy greyhound named Ticker.