The Dangers of 'Whaling'
New ID Theft Scam Targets the Really Big Fish
Phishers are now setting their hooks on high-income individuals, and the term that information security researchers are using is “Whaling” -- or spear-phishing that really big fish.
How big are these trophy phish? Well, two New Jersey men were recently indicted for trying to steal more than $400,000 from the personal bank accounts of New York City’s Mayor Michael Bloomberg. Bloomberg has been estimated to be worth $5-to-20 billion.
A recent report from the Gartner group shows that if you earn more than $130,000, you receive 50% more spam. Losses for a normal income individual run $1,200 to $1,500 per occurrence. However losses for a person with income above $130,000 average $5,700 per occurrence.
Financial institutions need to be concerned with two things: protecting and educating the high-end customer, as well as their senior personnel -- CEO, president, board members, and other high level executives.
One point that financial institutions need to remember when it comes to phishing is to ask “What do people relate to? You have an airplane, and you trick the pilot that up is down, and down is up, that plane will crash,” says Dr. Markus Jakobsson, an information security expert whose research focuses on phishing. Same thing goes for the computer user who doesn’t know that they’re opening a phishing email, he says. Dr. Jakobsson also leads the anti-phishing efforts and research as Associate Professor at Indiana University’s School of Informatics and the Center of Applied Cybersecurity Research.
You’ll want to ask yourself, “Does my senior management know what a spear-phishing attack would look like? Would they know what to do?” In whaling, this type of phishing attack targets a single organization, or executive positions that exist across more than one institution, (think President, CIO, CFO, CEO). (Targeted Attack Discovered by Message Labs: Message Labs Release).
This whaling attack aims to steal information, passwords, account numbers, usually through installing malware (i.e., Trojans) that opens the user’s computer to allow keylogging. This focused spear phishing attack allows the phisher to aim the harpoon at the largest whale.A new twist Jakobsson warns of in addition to the traditional phishing emails from banks that may be focused to target the rich: the political emails asking voters to contribute toward a candidate’s campaign. Once they open the link to provider a credit card number, their account information is in the hands of a phisher. “Remember,” Jakobbson says, “any excuse will be used by phishers.”
(See Related Story: Anti Whaler's Guide )