The Dangers of 'Whaling'

New ID Theft Scam Targets the Really Big Fish

Phishers are now setting their hooks on high-income individuals, and the term that information security researchers are using is “Whaling” -- or spear-phishing aimed at the really big fish.

How big are these trophy phish? Well, two New Jersey men were recently indicted for trying to steal more than $400,000 from the personal bank accounts of New York City’s Mayor Michael Bloomberg. Bloomberg has been estimated to be worth $5-to-20 billion.

A recent report from the Gartner group shows that if you earn more than $130,000, you receive 50% more spam. Losses for a normal-income individual run $1,200 to $1,500 per occurrence. However, losses for a person with income above $130,000 average $5,700 per occurrence.

Financial institutions need to be concerned with two things: protecting and educating the high-end customer, and protecting and educating their own senior personnel -- CEO, president, board members, and other high-level executives.

One point that financial institutions need to remember when it comes to phishing is to ask “What do people relate to? You have an airplane, and you trick the pilot that up is down, and down is up, that plane will crash,” says Dr. Markus Jakobsson, an information security expert whose research focuses on phishing. Same thing goes for the computer user who doesn’t know that they’re opening a phishing email, he says. Dr. Jakobsson also leads the anti-phishing efforts and research as Associate Professor at Indiana University’s School of Informatics and the Center of Applied Cybersecurity Research.

You’ll want to ask yourself, “Does my senior management know what a spear-phishing attack would look like? Would they know what to do?” A whaling attack targets a single organization, or executive positions that exist across more than one institution (think President, CIO, CFO, CEO). (Targeted Attack Discovered by Message Labs: Message Labs Release).

The whaling attack aims to steal information, passwords and account numbers, usually by installing malware (i.e., Trojans) that opens the user’s computer to keylogging. This focused spear-phishing attack allows the phisher to aim the harpoon at the largest whale.

Jakobsson warns of a new twist, in addition to the traditional phishing emails from banks that may be focused to target the rich: political emails asking voters to contribute toward a candidate’s campaign. Once they open the link to provide a credit card number, their account information is in the hands of a phisher. “Remember,” Jakobsson says, “any excuse will be used by phishers.”

(See Related Story: Anti Whaler's Guide)


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the financial services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.