Security Memo 3: The Dangers of Whaling
**This is part of a series of memos, straight from Dan's desk, helping you understand more about easy security steps for your work and personal use. Read the second memo in this series.**
In an effort to further enhance your company’s cyber defenses, we want to highlight a common cyber-attack that everyone should be aware of – whaling.
Whaling is a type of phishing scam aimed at getting an employee to transfer money or send sensitive information to a malicious individual acting as a trusted source via email. Whaling is extremely easy to fall for and can result in significant financial losses. These e-mails can be difficult to catch because they appear to be harmless and have a normal, friendly tone and no links or attachments. They will appear to come from a high-level official at the company, typically the CEO, and often ask you to disclose sensitive information or initiate a wire transfer or buy gift cards.
A few things to watch out for in a typical whaling attempt:
- Doppelganger: Whalers may utilize fake e-mail domains that look similar to your domain. Watch out for things like: email@example.com (notice the missing "i") or firstname.lastname@example.org (not Fred's professional email, but a gmail account).
- A hurried tone: Whalers will often ask you to send money immediately, stating that they’re busy or in a meeting, and can’t do it themselves.
- E-mail only: Since whaling relies on impersonating an employee via a fake, yet similar email address, they will ask you not to call with questions and only reply through e-mail.
If you receive an e-mail that you suspect to be a whaling attempt, or if you are unsure of an e-mail’s legitimacy, please do not respond. Your best bet is to actually call the individual that you think it came from and verify if the email came from them. Even if the email says not to call, you should make the call anyway. When in doubt, do not do what the email requests.
By learning more about these common security attacks, you're helping to keep your network, and people, safe from cyber threats.
Chief Information Officer
Stay tuned for more memos from Dan's Desk in this helpful series on security.