What is Whaling? An Online Danger Worse Than Phishing

Finn Orfano
Categories : Smb security ,Computing
Tags : Computing smb security topics phishing

Page content

Whaling

The criminal art of phishing has been around for years, but now the crooks are going after specific targets and this new practice is called whaling. With a little bit of training and experience, it is pretty easy to tell when somebody is trying to phish your account information. Whaling can be much more difficult to notice because the efforts of the criminals are more focused.

With phishing, someone poses as a representative from a company such as PayPal or a bank, and they try to swindle people out of their login information. It’s a very wide range process usually done through spam, and countless numbers of people are targeted. Whaling, on the other hand, involves someone going after a specific target and formulating messages to appeal specifically to that target. In many cases, the person being whaled is a high profile executive or some other powerful figure who stands to lose more than the average Joe.

The name of whaling is a fitting moniker because it describes going after a ‘bigger fish’, which surely would be an executive. When someone is being whaled, their initial contact might not be some generic ‘Dear sir/madam’ message, but might actually include their specific name, job title, or more. Thanks to the web, it is quite easy to gather a lot of information about high ranking corporate executives, and scammers use this information to tailor their messages specifically to those people.

Once contact is made, the victim is most often tricked into opening some kind of file attachment that contains embedded code that allows a hacker to take over their computer, browse their files, and more. Once infected, the victim could have valuable personal data stolen, company information thwarted, or worse. Just imagine all the private information that might be housed on the computer of someone in a high ranking position of a Fortune 500 company, and how that data could be used against them or the company. The wrong kind of information getting out could cost people jobs or even put a company out of business.

I have always stood by the belief that most virus infections are caused by the computer user because they failed to follow basic security protocol when it comes to opening unfamiliar email. Sometimes it is tough to resist the temptation of opening that file attachment, but all it takes is a simple double-click to infect a machine. Even worse, you may not even know your computer’s security has been compromised until it is too late.

When it comes to whaling, phishing, virus prevention, or any other kind of computer security issue involving email, the same rule always applies - If you are unsure, don’t open that email. The people sending out these viruses and malware have the same virus and malware scanners as everyone else, so they develop new ones that won’t be detected at first. I’ve personally encountered PC infections where I had to wait several days for new malware scanning definitions to come out that addressed the problem I was dealing with.

PC security starts with the user, and no matter how high up in the company they may be, that user still needs to exercise caution when opening email from unfamiliar senders.