In light of some recently reported events, we want to highlight a common cyber-attack that everyone should be aware of – “whaling”.
Whaling is a type of email phishing scam aimed at getting an employee to transfer money or send sensitive information to a scammer acting as a trusted source via email. Whaling is extremely easy to fall for and often results in significant financial losses.
These e-mails can be difficult to catch because they appear to be harmless, and have a normal, friendly tone and no links or attachments. They will appear to come from a high-level official at the company, typically the CEO or CFO, and often ask you to disclose sensitive information or initiate a wire transfer.
What To Watch Out For
• Doppelganger: Whalers may utilize fake e-mail domains that look similar to your own domain. Watch out for things like: [EMAIL]@[VARIATION ON DOMAIN]. (Example: You have a friend/colleague named Lucy with an email address of email@example.com but you get an email from firstname.lastname@example.org.)
• Sense of Urgency: Whalers will often ask you to do something such as send money immediately or change direct deposit info, stating that they’re busy, in a meeting, or on vacation, for example, and can’t do it themselves.
• E-mail Only Communication: Since whaling relies on impersonating an employee via a fake, yet similar email address, whalers will often ask you not to call with questions and to reply only through e-mail, giving varying reasons.
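The three warning signs above can also be checked automatically by a mail filter or help desk script. The Python code below is an added example, not part of the original article; ORG_DOMAIN, the phrase lists, the 0.8 similarity threshold and the sample message are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: your organization's real mail domain

# Phrase lists are illustrative assumptions; tune them to your own mail flow.
URGENCY = re.compile(r"\b(immediately|right away|urgent|asap|in a meeting|on vacation)\b", re.I)
EMAIL_ONLY = re.compile(
    r"(do not|don't|can't|cannot|unable to) (call|take calls|talk)"
    r"|(reply|respond) (only )?(by|via|through) e-?mail", re.I)

def is_lookalike(domain, org=ORG_DOMAIN):
    """True if domain is not ours but closely resembles it."""
    domain, org = domain.lower(), org.lower()
    if domain == org or domain.endswith("." + org):
        return False  # our own domain or one of its subdomains
    # Same name under a different TLD, e.g. example.org vs example.com
    same_name = domain.rsplit(".", 1)[0] == org.rsplit(".", 1)[0]
    # Near-identical spelling, e.g. examp1e.com vs example.com
    return same_name or SequenceMatcher(None, domain, org).ratio() >= 0.8

def whaling_indicators(raw_email):
    """Return which of the three warning signs a plain-text message shows."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    found = []
    if is_lookalike(addr.rpartition("@")[2]):
        found.append("doppelganger-domain")
    if URGENCY.search(body):
        found.append("urgency")
    if EMAIL_ONLY.search(body):
        found.append("email-only")
    return found

# Constructed sample message, not a real e-mail.
SAMPLE = """\
From: Lucy Example <lucy@examp1e.com>
To: payroll@example.com
Subject: Quick favor

Hi, I'm in a meeting all afternoon and can't take calls.
Please update my direct deposit details and reply by email only.
"""

if __name__ == "__main__":
    print(whaling_indicators(SAMPLE))
```

A message that shows any of these signs should be held for the verification step described under What To Do rather than blocked outright, since legitimate mail can match the phrase lists.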
What To Do
If you receive an e-mail that you suspect to be a whaling (phishing) attempt, or if you are unsure of an e-mail’s legitimacy, please do not respond. Instead, reach out to the person the email appears to be from and verify whether they sent it. If they did not send it, mark the email as SPAM and contact your Help Desk Support to make them aware of it.
If you do not have Help Desk Support, you can follow the steps below:
Step 1. If you got a phishing email, forward it to the FTC at email@example.com and to the Anti-Phishing Working Group at firstname.lastname@example.org. If you got a phishing text message, forward it to SPAM (7726).
Step 2. Report the phishing attack to the FTC at ftc.gov/complaint.
Keep your network, and your people, safe from these threats. Feel free to contact us at email@example.com with any questions or concerns.