Let's talk Whaling


Hi there!

I am here again. Hope you’re doing well?

In my last letter, we began a series on the different types of phishing, and I shed light on a type of phishing called Spear Phishing. If you missed that letter, click here to read up. As promised, the series continues, and this time I will explain the concept of Whaling: what to look out for and the best ways to avoid it. Are you ready?

A whaling attack is a method used by cybercriminals to masquerade or act as a senior executive at an organization and directly target senior or other important individuals at that organization, with the aim of stealing money, sensitive information, or gaining access to their computer systems for criminal purposes. Popularly known as “CEO Fraud”, the objective of this phishing attack is to trick a target (big fish) into performing specific actions, such as revealing sensitive data or transferring money.

Whaling attacks are made more believable because cybercriminals use information gathered from openly available resources such as social media to craft a bespoke approach that's tailored for those target individuals.

Whaling does not require extensive technical knowledge, yet it can deliver huge returns. As such, it is one of the biggest risks facing businesses. Financial institutions and payment services are the most targeted organisations; however, cloud storage and file hosting sites, online services and e-commerce sites are receiving a larger share of attacks. In each case, the attackers are targeting the top individuals at organizations and businesses. Here is a typical example of a Whaling attempt.

[Image: example of a Whaling attempt]

Mind-boggling, yeah? Don’t worry, I’ve got you. Here are some tips to help you avoid being a victim of a Whaling attack:

  • Be aware and control information – Be aware of the information public-facing employees are sharing about company executives. Also, all employees should be trained to take special care when posting and sharing information online and on social media.
  • Education – Educate yourself, employees, and executives on these types of attacks. Having knowledge about these things is very important.
  • Two-Factor Authentication – Set this up to help keep your organization’s email from being compromised.
  • Flag unrecognizable emails from outside your network – If the email or the sender's address is not familiar, flag it to the relevant department or treat it as spam.
  • Establish a verification process – Set up a process for transferring funds, such as face-to-face verification or verification over the phone. When email is used to request wire transfers, teach employees to scrutinize domain names.
  • Filter emails - Utilize an email filtering system for inbound emails that flags emails sent from similar-looking domain names. Use mock whaling attacks against employees to teach them how easy it is to be tricked.
  • Look closely – Watch out for wrongly spelt domain names or senders’ names. Cybercriminals often play around with them in a way that easily deceives the eyes at first glance.
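
To make the "Filter emails" and "Look closely" tips concrete, here is an added example (not part of the original letter) of a small Python check that flags sender domains resembling a trusted one, and executive display names arriving from outside. The trusted domain `example.com`, the executive name `Jane Doe` and the sample From headers are constructed placeholders.

```python
import unicodedata
from email.utils import parseaddr

# Assumed values for illustration; replace with your organization's own.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe"}

# Digits commonly swapped in for letters in look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Lowercase, strip accents and undo common look-alike substitutions."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Classify a From header against the trusted domains and executive names."""
    name, addr = parseaddr(from_header)
    _, at, domain = addr.lower().rpartition("@")
    if not at or not domain:
        return "unparseable"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Distance <= 2 catches typos and swaps; tune it for very short domains.
    if any(edit_distance(skeleton(domain), skeleton(t)) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike-domain"
    if name.strip().lower() in EXECUTIVE_NAMES:
        return "executive-name-external"
    return "external"

if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    for h in ["Jane Doe <jane.doe@example.com>", "Jane Doe <jane@examp1e.com>",
              "Jane Doe <jane@exarnple.com>", "Jane Doe <jane@mail.example.net>"]:
        print(f"{check_sender(h):24} {h}")
```

The substitution table only covers a few Latin look-alikes, so treat a "external" result as unverified rather than safe.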

Note: Cybercriminals always come up with new and innovative ways to get access to your personal data. So, I definitely can’t show you everything. If you feel you might have fallen victim to a whaling attack, it is important to contact your IT department and report the issue.

Side Gists


We are having our first mentor session this week for our DigiGirls 2.0 cohort. I personally don’t joke about the importance of mentors in our processes. If you are interested in having any of our alumni intern at your organization upon completion of their training, please send an email to [email protected] stating your interest.



The May Edition of CyberGirl’s open day is this week, and we are having 2 important professionals speak to our fellows. It promises to be mind-blowing and insightful for our ladies.






Our CyberGirls in Kenya are doing so wonderfully well and our director had the opportunity to interact with them over the past few weeks. Special shout out to Joylynn, the number one reason CyberGirls is in Kenya. More to come, guys!



Woohoo! The World Bank hosted its first cybersecurity seminar with a gender lens. The event, themed “Women and Cybersecurity: Creating a More Inclusive Cyberspace”, was loaded with industry leaders from across the globe, our very own Confidence Staveley being one of them. The conversations were steered towards finding solutions to the gender parity in cybersecurity and the challenges faced by women currently occupying cybersecurity roles.

It was fun writing to you as always. Look out for my next letter, where I will be telling you about another type of phishing called “Angler Phishing”.

Till then, stay well and remain cyber safe!

Yours truly,

Bolatito
