3aIT Blog

We've recently noticed an increase in a particular type of scam email referred to as "whaling". It is especially relevant to senior staff and to anyone in a business who handles payments, because it targets them specifically as the "big fish" (hence "whaling").

The aim of this type of phishing is the same as usual: to trick people into sending over sensitive information or money. However, rather than the "hit and hope" approach that most phishing emails take, the senders use a couple of tricks to make these emails far more targeted.

Firstly, they will either register a domain that looks very close to the one owned by the business, or they will "spoof" a real email address from the business. Spoofing means the sender has set the From address to an address at a domain they don't own, so the email appears to have come from there. Nothing in basic email delivery stops this; it is only caught if the receiving mail system checks the sending domain's SPF, DKIM or DMARC records and the business has actually published them.

Secondly, they will couple this with knowledge of the business and will ensure that the request comes "from" an appropriate member of staff, and is addressed to someone that will be able to deal with it.

The emails we've seen have been written as though sent from the CEO to the finance department, asking for a wire transfer to be made to a specific account.

Here's the most recent example we've seen:

"From: CEO (the CEO's genuine company address, spoofed)
Date: 20 November 2015 at 08:08:23 GMT
To: Someone with access to company funds
Subject: Request for November 20, 2015
Reply-To: CEO <...> (Note: this Reply-To address is not at the company's domain)

Morning (Staff member's name),

I will need you to make a payment today, could you tell me the information you need to carry out a payment within the UK?

(CEO's name)

Sent from my iPhone"
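The giveaway in the example above is the Reply-To header: the From address is the CEO's real one, but any reply goes somewhere else. Below is an added example (not code from the original post, and not a 3aIT tool) that mechanically applies the two checks described earlier: does the Reply-To domain differ from the From domain, and does either domain merely look like the company's. The company domain "example.com" and every address in the sample message are assumptions, modelled on the quoted email rather than taken from it.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: the company's real domain. The page does not state it.
COMPANY_DOMAIN = "example.com"

# Constructed sample modelled on the whaling email quoted above.
# The addresses are invented; the real ones are not given on the page.
SAMPLE_WHALING_EMAIL = """\
From: CEO <ceo@example.com>
Date: Fri, 20 Nov 2015 08:08:23 +0000
To: Finance <finance@example.com>
Subject: Request for November 20, 2015
Reply-To: CEO <ceo@examp1e.com>

Morning Sam,

I will need you to make a payment today, could you tell me the information
you need to carry out a payment within the UK?

CEO

Sent from my iPhone
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_lookalike(domain, company=COMPANY_DOMAIN, max_edits=2):
    """True for a domain that is not ours but sits within a couple of edits of
    it (examp1e.com, exmaple.com) or reuses our name (example-payments.co.uk)."""
    if not domain or domain == company:
        return False
    if edit_distance(domain, company) <= max_edits:
        return True
    our_name = company.split(".")[0]
    return our_name in domain.split(".")[0]


def check_message(raw):
    """Return a list of warnings for one raw message (headers plus body)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    warnings = []
    # The trick in the quoted example: replies are silently redirected.
    if reply_dom and reply_dom != from_dom:
        warnings.append(
            f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    # The other trick: a freshly registered domain that resembles ours.
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if is_lookalike(dom):
            warnings.append(f"{label} domain '{dom}' looks like {COMPANY_DOMAIN}")
    return warnings


if __name__ == "__main__":
    for warning in check_message(SAMPLE_WHALING_EMAIL):
        print("WARNING:", warning)
```

Note what this does not catch: a From address that exactly matches the company domain with no Reply-To at all. That case is plain spoofing, and only the receiving mail server can detect it, by checking SPF, DKIM and DMARC for the sending domain.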

While this is not the only form these emails can take, the content will always be asking for money or details, or for you to visit a (disguised) malicious website. As you can imagine, because the sender seems to be a colleague (and may even use your name in the email, along with other facts they've learnt about the person they are impersonating, such as their phone number in the footer), this is a tricky one to combat.

However, you just need to ask yourself the same questions as you should for any email you receive. Am I expecting this? Do all the details check out? Does it follow your company's usual process for payments?

Another very good check is to consider whether it reads like an email sent by the person it purports to be from. While anyone can spoof an email address and find out someone's phone number, it's a lot harder (although not impossible) to copy their writing style.

If you're in any doubt at all, open a new email to the sender (don't reply to the one you received, as the reply may go to the attacker's Reply-To address) and ask if they sent it, or phone them on a number you already have rather than one taken from the suspicious email.