Dealing with a Cyberattack? Access Expert Help Here >

May 20, 2020

Spear Phishing & Whaling: What You Need to Know to Avoid Getting Caught

Edward Maurer
Director of Security

You started a company and call yourself the CEO or founder. Now what? Naturally you’ll announce your position on your company website, in corporation filings, LinkedIn, blog, Twitter, etc. Unfortunately, along with your professional and personal networks, this information is now available to malicious actors. Once they know who you are, they will use that information to their advantage, often using techniques called spear phishing or whaling. Spear phishing is a directed attack toward specific individuals to get them to reveal confidential company or personal information. Usually involving financial gain. Whaling is similar to spear phishing but targets high-level individuals within the organization such as CEOs or founders.

Spear phishing or whaling attacks begin by gathering information about a company and its organizational structure from publicly accessible websites. Attackers use this information to send convincing emails appearing to come from trusted sources such as Microsoft or LinkedIn, or people you know (co-workers or members of your board), asking for confidential company, customer or employee information they can leverage for financial gain.

What can you do to protect yourself and your company from spear phishing and whaling attacks? Here are a few tips to help guide you through the risks.

How to Avoid the Spear

As a CEO (your company’s biggest whale) you should never click links in emails, EVER.

Email spoofing is one of the most reliable methods for an attacker to gain credentials. This happens simply by clicking on a link that looks correct, but has an embedded link that redirects to an insecure website asking for sensitive information. Below are a few best practices to follow to avoid getting caught:

  • If you must click a link, hover over it and look at the bottom left corner of your browser to see exactly where it goes. Compare the link URL to the actual destination. They must match. If there is any question at all, do not click it. Instead go directly to the legitimate website and proceed from there.
  • Keep your web browser, operating system, and other software up to date.
  • Enable two factor authentication (2FA) on your email account. This is a must. SMS or text based authentication is not a secure method of two factor authentication. Utilize a third-party one time passcode (OTP) generator instead.

Don’t post your actual location on social media when traveling

Be very careful of posting your whereabouts on social media. An attacker will use that kind of specific information to make an email seem legitimate.

Imagine a scenario where the CEO tweets they’re attending a conference in a different state. An attacker, posing as you, could use that information to send an email to the CFO or others on the finance team asking for a wire transfer to help pay for something at the conference. See how easy it is?

Understandably, you can’t always keep your whereabouts a mystery, especially if you are speaking at a public event. So if you do need to promote your company’s presence at an event or conference, a better solution is to have your marketing team post to corporate social media accounts.

Whether you’re traveling or not, it’s always good to be on the lookout for these tell tale signs of phishing emails:

  • A sense of urgency. If someone is asking you to act right away, there is a very good chance it’s a fraudulent exercise. A sense of urgency causes people to ignore their intuition and act in ways that they normally would not.
  • Secrecy. “Don’t tell accounting about this because I don’t want to go through all of their red tape.” Sound familiar? Telling others may raise suspicion of what the attacker is attempting to do.
  • Going against standard procedure. Processes and procedures are there to protect us from these very things. Financial transactions should have a second method of verification such as a phone call or separate message confirming the information.
  • The sender’s email address does not match expectations. Review the sender email address and the reply-to email address for clues on whether or not it’s from a legitimate source.
  • Asking for financial information. Emails from someone asking for financial information or details are a sure sign of spear phishing.
  • Trust your instincts. If it doesn’t feel quite right, it probably isn’t. You’ll never regret taking extra precautions to make sure it’s safe to proceed.

Your Email may have already been compromised

Malicious actors may have gained access to your inbox months ago but are laying low, waiting for you to head out of town or for payroll information to come through so they can get the biggest bang for their buck.

If you think this has happened, what should you do about it?

  • Change your email password. Do it immediately.
  • Use strong unique passwords. Make sure your email password does not match a password you use anywhere else, on any other website or system.
  • Enable two factor authentication on your inbox. This extra layer of security will help keep malicious actors out of your email.
  • Use a password manager. Password managers allow you to create and store strong unique passwords for every website or platform you access, keeping them safe from attackers.
  • If you can, use a Chromebook. Chromebooks are much less prone to viruses than other devices. They also have the added benefit of updating automatically.

No one is immune to phishing, and attackers know it. And with spear phishing and whaling, their efforts can pay off greatly. While these preventative measures seem like simple common sense, they are effective. And when things get busy, and you have hundreds of unread emails to get through, it’s easy to forget. Our best advice, whether you’re the CEO or a summer intern, think before you click, and always trust your gut. If something seems off, it probably is -- and those few extra minutes could help save your company from a real disaster.

We’re here to help! If you have any questions about cybersecurity for your business contact our free helpline:

If you’d like to learn more about Marzo4, our new all-in-one cybersecurity platform for small business, request a demo today: