Whaling, an attack that addresses executives and is costly for companies
Far less well known than phishing but much more frightening, whaling targets executives and managers. Thanks to artificial intelligence and painstaking research, attackers can approach their targets in a personalized way and obtain large sums of money from them.
Do we still need to explain phishing? For years, malicious phishing emails have been involved in almost all computer attacks (more than 90%) directed at companies. The objective is still the same and it is often achieved: deceive an employee in order to open a breach in the company's computer network. This initial compromise of the information system opens the way to all kinds of misdeeds, from ransomware to data theft, and even to more sophisticated and targeted attacks.
But other types do exist, perhaps less well known, yet very dangerous. Not necessarily new either (and often kept quiet...), whaling is a form of phishing that consistently causes a great deal of damage in companies. Whaling, also known as president fraud, is targeted phishing aimed at the company's executives and senior managers (literally the "big fish"), in order to induce them to make a substantial bank transfer. And it works rather well.
Data leaks, social networks and cookies are full of information
Where "traditional" phishers rely on fear (Covid-19, etc.) or exploit topical themes (sales, Black Friday, tax returns, etc.) to send out their emails on a large scale, whalers carry out extensive groundwork focused on their victims. The objective: identify the target before attacking it, by gathering as much information as possible about the manager. And there is no shortage of such information: it comes from professional or personal social networks, past data leaks or even browsing cookies.
With a bit of patience and good social engineering work, it is quite easy for an attacker to learn that a new executive has just taken up a position in the company, to find out the names of its main suppliers and even to gather information of a much more private nature: the vacation spot of the CEO or of other executives, their interests and hobbies, the name of their bank, etc.
This information is the foundation of a whaling email: highly targeted, containing personalized information and sent at the right time.
Make no mistake, this happens to many companies, including in France, and many of them have lost hundreds of thousands or even millions of euros. In 2018, using the whaling or president fraud technique, attackers succeeded in getting employees of the Pathé cinema chain to transfer huge sums several times, for a final loss of more than 19 million euros!
Artificial intelligence offers automatic information gathering capabilities
In the last few years, phishing has entered a new era: it is now boosted by Artificial Intelligence. Attackers rely on AI engines that scan the Web and even the Dark Net for them, extracting relevant and detailed data on individuals and companies from a huge pool of information.
It has been shown that an increase in data leaks automatically generates an influx of phishing attacks and, of course, whaling attacks. It is moreover likely that the recent massive hacking of Microsoft Outlook business email servers, which are widely used by small and medium-sized businesses, will provide attackers with an invaluable source of information contained in email histories and will result in extensive waves of phishing and whaling attacks...
A cyber culture to be taught within the company
Phishing, and even more so whaling, cannot be solved by stacking security technologies alone. Technology is indeed a bulwark that can, for example, prevent a large number of emails from reaching their recipient, but it cannot guarantee 100% protection. The user must therefore play the role of the last link in the security chain. Unfortunately, not only does raising awareness of this type of attack cost money, but most of the time companies do not have experts capable of taking charge of the subject and spreading good practices. It is therefore up to the manager, who often has the most to lose, to take charge of the subject and gradually instill a cyber culture within his team.
This requires awareness-raising and education (what is phishing? How do you recognize an attack of this type? etc.), but also the implementation of more elaborate approval processes for sensitive actions: for example, a clear two-party or even three-party approval process for any bank transfer or any sharing of sensitive information with the outside world.
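To make the two- or three-party approval process concrete, here is an added example (not code from the article or from any company it mentions) of the control logic a finance workflow could enforce before a transfer is released. The amount thresholds, the role names and the "callback verified" step are assumptions chosen for illustration; the point is that the requester can never approve their own request, that approvers must be distinct people, and that a never-seen-before beneficiary account cannot be paid on the strength of an email alone.

```python
from dataclasses import dataclass, field


@dataclass
class TransferRequest:
    """A pending outgoing payment awaiting dual/triple control (constructed example)."""
    request_id: str
    requester: str               # person who entered the payment
    beneficiary_iban: str
    amount_eur: float
    known_beneficiary: bool      # account already on the vetted supplier list
    approvals: set = field(default_factory=set)
    callback_verified: bool = False  # confirmed by phone on a number from the supplier file, not from the email


def required_approvals(amount_eur: float, known_beneficiary: bool) -> int:
    """Policy thresholds (assumed values): more money or a new account means more eyes."""
    if amount_eur < 10_000 and known_beneficiary:
        return 1
    if amount_eur < 100_000:
        return 2
    return 3


def approve(req: TransferRequest, approver: str) -> int:
    """Record one approval; returns the number of distinct approvals so far."""
    if approver == req.requester:
        # Segregation of duties: the person asking for the payment cannot sign it off.
        raise PermissionError("requester cannot approve their own transfer")
    if approver in req.approvals:
        raise ValueError("duplicate approval by the same person")
    req.approvals.add(approver)
    return len(req.approvals)


def can_execute(req: TransferRequest) -> tuple[bool, str]:
    """Decide whether the payment may leave the company, with a reason string."""
    needed = required_approvals(req.amount_eur, req.known_beneficiary)
    if len(req.approvals) < needed:
        return False, f"{len(req.approvals)}/{needed} approvals"
    if not req.known_beneficiary and not req.callback_verified:
        # A fresh IBAN "from the CEO" is exactly the whaling pattern: verify out of band first.
        return False, "new beneficiary requires out-of-band callback verification"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a large payment to an unknown account, entered by the CFO.
    req = TransferRequest("REQ-2024-001", "cfo", "FR76 XXXX (placeholder)", 250_000.0, False)
    for person in ("ceo", "controller", "board_member"):
        approve(req, person)
    print(can_execute(req))   # still blocked: callback not done
    req.callback_verified = True
    print(can_execute(req))   # (True, 'ok')
```

In practice the approval set and the callback flag would live in the payment system's audit log, so that every released transfer shows who requested it, who approved it and who made the verification call.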
The rise of telecommuting makes cybersecurity even more complex
With the spread of telecommuting, many executives now work remotely. Some of them were probably hired during the Covid-19 pandemic or during a lockdown period and still know very little about their teams.
This context is highly conducive to whaling and should lead to new security measures. So, since the situation is bound to last, why not bring the home networks of senior executives into the IT management perimeter of the "traditional" company?
Indeed, for a few hundred euros, the home network, at least that of the CEO and of managers with sensitive responsibilities such as the CFO, can be secured with a corporate firewall. Given the scale of the potential losses linked to whaling attacks, the question of an additional budget to extend security beyond the traditional perimeter must necessarily be raised.