What Type Of Social Engineering Targets Senior Officials?
Social engineering is a type of scam that manipulates people rather than systems, usually by email but also by phone or messaging, to gain the trust of victims and con them into handing sensitive data, credentials or money to the bad actors. Senior officials of organisations are frequent targets because they typically have more authority over money, data and systems than junior employees, so a single successful deception pays off far more.
The main type of social engineering scam that targets senior officials is known as whale phishing or whaling. In this article we'll explain whaling in more detail and give some advice on how to protect senior officials from this and other types of scams.
Before we continue, note that whaling is not the only threat: although it is the type of phishing scam aimed specifically at senior employees, they are also targets for other types of scams and cyberattacks.
Ransomware operators target senior employees because their accounts are likely to have broad access to sensitive data: the easier that data is to reach, the quicker the criminals can steal it before encrypting it, and the more leverage they have. Senior staff are also often able to approve large financial payments, including the ransom itself. Sometimes the ransomware is delivered as part of a whaling attack, through a malicious attachment or link in the fraudulent email, making the incident even more damaging.
Even simple, untargeted phishing attacks still reach senior officials. Attackers assume they are very busy and won't make time to carefully re-read or check emails for scams. This means it's important to be vigilant for all kinds of phishing attacks, not just whaling.
What are Whaling Phishing Attacks?
Whaling attacks are a type of phishing aimed at the senior officials of an organisation, such as the CEO, CFO or directors. Each organisation has a different hierarchy, so the highest-level employees may be one person or many, but the more responsibility and signing authority a person has, the more attractive a target they are.
The aim of a whaling social engineering scam is to trick a CEO, or similar senior official, into transferring money to an attacker-controlled bank account or sending personal or confidential data to the attacker, usually by posing as a colleague, supplier or client.
As part of a whaling attack, the bad actors may first run smaller phishing scams and cyber attacks to gather useful information, or to take over the mailboxes of lower-level employees or real clients, so that the final message is as convincing as possible. Mail sent from a genuinely compromised mailbox comes from the real sender's account, carries their signature and message history, and does not trip the spoofing checks that a forged address might, so it can yield high rewards.
They may also impersonate the CEO, either by forging or registering a look-alike address or by taking over the real mailbox, and use that identity to convince other employees to transfer sensitive data or funds away from the business. Impersonating someone within the business by email in this way is known as Business Email Compromise (BEC); the variant that impersonates the chief executive is often called CEO fraud. Both whaling and BEC are social engineering scams designed to manipulate employees at different levels, with senior members of staff as the main targets or the main identities abused. Whilst whaling specifically targets senior employees, anyone in the business can become a victim of BEC.
Protecting senior officials from social engineering scams
There are several ways to stop social engineering scams and phishing attacks on senior officials from succeeding. The most important, and most overlooked, is training on how to spot the scams in the first place.
It's important for every person in the organisation to be aware of fraud and social engineering scams, and the management team or board of directors are no different. Regular training sessions that teach all senior staff to recognise the red flags of a sophisticated whaling attack are essential.
This training goes above and beyond checking for bad spelling and grammar. It covers more specific checks: inspecting where a link really points before opening it and looking for look-alike domains, noticing when the sender's display name does not match the actual address or when replies are routed to a different mailbox, and treating any urgent request to make a payment or change bank details as something to confirm through a separate channel, such as phoning the client or colleague on a number already on file rather than one given in the email.
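To make the red flags in the two sections above concrete (a senior official's name on an address that is not theirs, a Reply-To pointing elsewhere, and links to look-alike domains), here is an added example that is not part of the original article. It scans a raw email for those BEC and whaling indicators. The organisation's domain, the executive list and both sample messages are constructed for the example, and the homoglyph table and edit-distance threshold are illustrative choices rather than a standard.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumptions for the example (hypothetical organisation and executive list).
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}


def canonical(domain: str) -> str:
    """Fold common look-alike substitutions so 'examp1e' compares equal to 'example'."""
    d = domain.lower().strip(".")
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l")):
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = ORG_DOMAIN) -> bool:
    """True if `domain` imitates `legit` without being it or one of its subdomains."""
    raw, legit = domain.lower(), legit.lower()
    if raw == legit or raw.endswith("." + legit):
        return False
    # An internationalised label is suspicious when the real domain is plain ASCII
    # (assumption: the organisation's own domain contains no IDN labels).
    if any(label.startswith("xn--") for label in raw.split(".")):
        return True
    d, l = canonical(raw), canonical(legit)
    return d == l or levenshtein(d, l) <= 2


def address_of(header_value: str) -> tuple[str, str]:
    name, addr = email.utils.parseaddr(header_value)
    return name.strip(), addr.lower()


def bec_red_flags(raw_message: str) -> list[str]:
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_name, from_addr = address_of(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]

    # 1. A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(from_name.lower())
    if expected and from_addr != expected:
        flags.append(f"display name '{from_name}' used with {from_addr}")

    # 2. The sender domain imitates the organisation's own domain.
    if is_lookalike(from_domain):
        flags.append(f"look-alike sender domain {from_domain}")

    # 3. Replies are silently redirected to another mailbox.
    reply_to = address_of(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to != from_addr:
        flags.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # 4. Links in the body that point at look-alike domains.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            flags.append(f"link to look-alike domain {host}")
    return flags


# Constructed sample messages (not real traffic).
WHALING_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@webmail-example.test
To: cfo@example-corp.com
Subject: Urgent wire before the board call
Content-Type: text/plain; charset="utf-8"

Please approve the transfer today. Invoice is at https://example-corp.co/invoice/4471
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Board pack
Content-Type: text/plain; charset="utf-8"

Attached as discussed. https://intranet.example-corp.com/board
"""

if __name__ == "__main__":
    for label, sample in (("whaling", WHALING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, bec_red_flags(sample) or ["no red flags"])
```

The constructed whaling message trips all four checks; the legitimate one trips none. A mailbox that has actually been taken over (the compromised-account case described earlier) produces no header anomalies at all, which is why the out-of-band confirmation habit matters more than any single technical check.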
Educating all staff on cybercrime is essential, but it must be backed by a cybersecurity strategy that includes technical controls too. These can include:
- Firewalls
- Access control
- Updates (also known as patches)
- Multi-factor authentication
- Network segregation
- Backup and disaster recovery services
- Email security (sender authentication such as SPF, DKIM and DMARC, plus link and attachment scanning)
- Download restrictions
- VPNs
- Password managers
The options for cybersecurity technology are extensive and can be tailored to the size, scale and budget of an organisation to provide appropriate protection. Learn more about cybersecurity terminology in our glossary.
Educating senior staff and implementing cybersecurity controls across all aspects of the business is the most effective approach to reducing social engineering attacks on senior officials.