Whaling is a 常见的网络攻击 that occurs when an attacker utilizes 鱼叉式网络钓鱼 methods to go after a large, 备受关注的目标, 比如高级管理人员.
Malicious actors know that executives and high-level employees (like public spokespersons) can be savvy to the usual roster of spam tactics; they may have received extensive 安全意识培训 因为他们的公众形象, and the security team may have more stringent policies and heftier tools in place to protect them. This leads attackers who try to phish these targets to look beyond the same old tried-and-true tactics to more sophisticated, 有针对性的方法.
Like all 钓鱼式攻击, a successful whaling attempt against a 备受关注的目标 still relies on compelling the target, 通常是在紧急情况的幌子下. Desired outcomes may include coercing the recipient to take an unwanted action and trigger a wire transfer, for example, or to click on a link or open an attachment that installs malware or sends the target to a malicious website impersonating one that's legitimate. 目标:捕获敏感信息, 像凭证, that give the attacker a master key to a company's intellectual property, 客户数据, or other information that could be lucrative if sold on black markets.
As a result of the increasing awareness around typical phishing tactics, adversaries are adjusting their approaches by narrowing the scope and tailoring their fraudulent messages with details to convince the email recipient of their veracity and compel them to act. This more focused approach to phishing is commonly called 鱼叉式网络钓鱼. When an attacker decides to spear phish a big, 备受关注的目标, that’s when it becomes whaling.
常见的捕鲸目标, 比如媒体发言人或c级高管, by nature have more information about them publicly available for attackers to gather and exploit. 因为他们的资历, they may also have greater internal data access than the average employee: More confidential information is available to them via their internal credentials, 在某些情况下, they might even have some level of administrative privilege. While the pool of potential targets for whaling at one organization might be quite small compared to the overall employee roster, 赌注要高得多.
在他们的核心, the common thread in examples of past successful whaling campaigns aren't too dissimilar from successful phishing campaigns: The messages are seemingly so urgent, so potentially disastrous that the recipient feels compelled to act quickly, 把正常的安全卫生习惯放在一边. Scammers writing successful whaling emails know their audience won't be compelled by just a deadline reminder or a stern email from a superior; instead, 他们会利用其他的恐惧, such as legal action or being the subject of reputational harm.
在捕鲸的一个例子中, a number of executives across industries fell for an attack laced with accurate details about them and their businesses, that purported to be from a United States District Court with a subpoena to appear before a grand jury in a civil case. 邮件中有传票的链接, and when recipients clicked the link to view it they were infected with malware instead.
For executives and other likely targets of whaling, the standard advice for 预防和保护网络钓鱼 still applies: beware of clicking links or attachments in emails, as 钓鱼式攻击 of any kind still require the victim to take action to be successful.
Organizations can harden their own defenses and educate potential whaling targets by implementing some whaling-specific best practices as well.
First, be cognizant of the kind of information public-facing employees are sharing about executives. Details that can be easily found online via sites like social media, from birthdays and hometowns to favorite hobbies or sports, 捕鲸邮件看起来更合法吗. Major public events can also lend whaling emails the guise of legitimacy. Remind executives or spokespersons that during these high-publicity times, 比如一个重要的行业会议或公司活动, 他们会以多种方式成为焦点, 尤其要小心他们的收件箱.
Next, foster an organizational email culture of "trust but verify." Encourage employees of all levels to verify the veracity of urgent, unexpected messages through another communication channel—like talking to the sender in person, or calling or texting them—and have executives and senior management lead by example.
最重要的是, 实施网络钓鱼意识培训计划, with content specifically targeted for senior management and public-facing employees about the whaling emails they could receive.
A multi-faceted phishing awareness program will not only teach key principles to prevent whaling attacks, but they'll safely allow employees to put those skills to the test. It's a good idea to run simulated whaling attacks from time to time to keep employee skills sharp at spotting potential phishing campaigns, 所有这些都在安全的培训工具环境中进行, 强调学习, 尤其是从失败中.