Whaling attack: How to safeguard yourself from this CEO fraud?

While smartphones and computers keep us connected and informed, they also expose us to a constant barrage of phishing attacks.

With each passing year, cybercriminals are coming up with ingenious ways to lure and trap not just gullible people but can ensnare even the most tech-savvy person.

In this segment, we shed light on Whaling, a phishing technique, specifically used to target high-value targets.

What is a Whaling attack?

This method, also known as CEO fraud, is used to particularly prey on big honchos of the corporate industry, holding positions such as Chief Executive Officer (CEO), Chief Financial Officer (CFO) and other top C-level designations.

Cybercriminals usually use emails with genuine-looking company logos, with industry-related subject lines requiring urgent attention, as bait to lure the potential victim.

In the email body, the criminals carefully draft content with nice-looking typeface and language with good grammar, and professional jargon and share links to a benign-looking fraudulent website that has also been carefully designed to look legitimate.

Also, the cyber crooks go to great lengths to learn about the victim's close group including their subordinates, contacts from client companies and even loved ones.

They will try to make it look like the email is from colleagues/clients or friends and needs urgent attention.

These are some of the common scenarios that play out during whaling attacks:

--The criminals will ask the potential victim to go to a website. Once the victim enters the compromised webpage, it will push a malware-laced application to the targeted system. Then, cyber crooks take over the computer system to steal the financial details of the company or even worse, their patented trade secrets. They will ask for a ransom to return control over the online accounts and the computer or else threaten to sell the valuable information or rival companies for good money or to any highest bidder.

-- With professional-level email design and legitimate-like company logos, the bad actors will ask for urgent fund transfers to start a new division within the organisation or wire money to contractors working on one of the company's many projects.

The criminals will also try calling the potential victim whether he/she has received the formal letter. This kind of real-world interaction makes the victim complacent. Before they could realise the folly, the fraudsters would have transferred money to several mule accounts. This will make it difficult for police agencies to trace the money trail and pinpoint the criminal's original bank account.

Here are tips on how to identify and safeguard yourself from Whaling phishing scams:

1) Whenever you receive an email with the website's URL link, do not instantly click on it. Read it thoroughly. Also, read the full email address of the sender. You just have to hover the cursor over a name in an email to reveal its full address. Then, you can know if the person is genuine or not. Most criminals use different usernames than what is used in email addresses.

2) Top C-level executives should exercise caution while sharing details such as birth dates, holiday pictures, locations on social media platforms such as Facebook, Instagram, LinkedIn, X (formerly Twitter). Such information can be used by bad actors to hack online accounts or try to craft other forms of cyber attacks, notes Kaspersky, a reliable internet security firm.

3) Ensure the company has a well-equipped firewall system in place to block spam, and suspicious emails sent from outside the organisation

4) The IT department should also invest in good anti-phishing application software and install it on all computers of the organisation

5) The IT department should also conduct special classes for employees of the company regularly and educate them about the latest phishing techniques and how to avoid falling prey to such cyber fraud.

6) Ensure multi-factor authentication is enabled for important tasks such as wiring big amounts to contractors or team leads of the company. Or when sharing sensitive project details with subordinates. Multi-layered security ensures, there is a time gap between steps and during this time, one (if attentive enough) can realise if the person receiving money/ sensitive office details is genuine or not.

7) The IT department of the company should keep constant vigil on employees and ensure they don't install any un-approved applications on offical computers

8) And, the IT department should regularly perform audit of the computer networks within the organisation to pick up any suspicious activities.

Get the latest news on new launches, gadget reviews, apps, cybersecurity, and more on personal technology only on DH Tech.