Implications of Whaling
Monetary loss
In a report by Phishlabs, 22% of all phishing emails analyzed in 2015 were motivated by financial fraud or other crimes. The FBI also reported that companies lost almost $215 million in 2014 to phishing email scams, with whaling among the most preferred methods.
Data loss
Cybercriminals use whaling emails to gain access to sensitive information that could be used for ransom or a data leak.
Reputation damage
Any leak of personal information can easily damage a company’s reputation, resulting in a loss of customers or revenue, especially in whaling cases, where the target is a high-ranking officer of the organization.
Some examples of Whaling Attacks
In 2016, a Snapchat employee was deceived by an email that appeared to have been sent by the CEO and disclosed all of the company’s payroll information to the attacker.
An employee of Scoular Company, a commodities firm located in Omaha, transferred $17.2 million to a Chinese bank account after receiving emails that appeared to come from the company’s CEO.
How to deal with Whaling Phishing Attacks?
Educate employees and yourself
Learn how to identify suspicious emails and protect yourself from them. A study found that click rate reductions ranged between 26% and 99% after employees underwent a phishing awareness program. Whaling attacks show that the need for security awareness extends to the C-suite.
Establish multiple-step processes for sensitive actions
Companies should put in place systems that require multiple steps before crucial information is transmitted or a wire transfer is initiated. Such a process helps establish that a request is genuine and may significantly reduce the chance of falling prey to fraudulent emails.
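The multi-step control described above, as an added example that is not from the original article: a small Python policy check that refuses a wire transfer unless it has been confirmed by phone on a number taken from the company directory (not from the email), approved by someone other than the requester and the employee who keyed it in, and, above an assumed threshold, approved by two such people. The directory entries, threshold and names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample directory: verified callback numbers for executives.
# In practice this comes from HR/IT records, never from the incoming email.
DIRECTORY = {"ceo@example.com": "+1-555-0100", "cfo@example.com": "+1-555-0101"}
DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy value, in dollars


@dataclass
class WireRequest:
    requester: str                         # executive the request claims to come from
    initiated_by: str                      # employee who entered it into the payment system
    amount: float
    callback_number: Optional[str] = None  # number actually used for phone confirmation
    approvers: List[str] = field(default_factory=list)


def evaluate(req: WireRequest) -> Tuple[bool, List[str]]:
    """Apply the multi-step policy; returns (approved, list of unmet steps)."""
    unmet = []
    # Step 1: out-of-band confirmation on a directory number, not one the email supplied.
    expected = DIRECTORY.get(req.requester)
    if expected is None:
        unmet.append("requester not in directory")
    elif req.callback_number != expected:
        unmet.append("not confirmed on directory number")
    # Step 2: separation of duties: approvers must differ from requester and initiator.
    independent = sorted({a for a in req.approvers
                          if a not in (req.requester, req.initiated_by)})
    if not independent:
        unmet.append("no independent approver")
    # Step 3: large transfers need two independent approvers.
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(independent) < 2:
        unmet.append("two independent approvers required above threshold")
    return (not unmet, unmet)


if __name__ == "__main__":
    # A request "from the CEO" confirmed only on a number given in the email itself,
    # and approved by the same clerk who entered it: every step fails.
    spoofed = WireRequest("ceo@example.com", "clerk@example.com", 50_000,
                          callback_number="+1-555-9999", approvers=["clerk@example.com"])
    print(evaluate(spoofed))
    legit = WireRequest("ceo@example.com", "clerk@example.com", 50_000,
                        callback_number="+1-555-0100",
                        approvers=["cfo@example.com", "controller@example.com"])
    print(evaluate(legit))
```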
Discuss appropriate social media behavior
Social media posts can help a cybercriminal gather the information needed for a convincing whaling attack. Educating employees about what should not be disclosed on social media sites may prevent cybercriminals from using this information in a phishing attack.