Snapchat, the well-known social media outlet and photo-sharing app favored by millennials, has recently fallen victim to a ‘whaling attack.’ These attacks, in which an offender cons a senior or high-level employee into giving up personal information held within the company, have become increasingly popular in recent years according to email security company Mimecast, and look set to increase in 2016. The employee who fell for this phishing scheme provided the offender with information relating to benefits, wages, stock options, names, Social Security numbers and W-2 forms. Last Sunday, Snapchat released an apology letter and is offering two years of free identity-theft insurance and monitoring, according to the company.
The difficulty with whaling attacks is that they bypass all other security measures, such as anti-virus software or even more advanced tools, because the attack relies solely on deceiving the victim. The perpetrator impersonates a high-level employee, typically the CEO or CFO, and targets senior staff within the company instead of clients or employees lower on the company ladder. The result is a low-risk/high-reward attack that is typically very difficult to trace. If successful, the attack can result in the theft of a key employee's information or, in some cases, such as the one with Snapchat, where the attacker poses as a C-level employee requesting a deposit, in money wired into an account that quickly disappears afterwards. The attackers use several tricks to avoid arousing suspicion, such as informing the employee that their boss is traveling or in an important meeting and cannot accept phone calls, and they often pressure the employee to act quickly so as to force a rushed decision. To avoid these attacks, put a system in place beforehand for information sharing and money transfers within the company, and always verify identities even if it is inconvenient to do so.
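The cues described above can be screened for at the mail gateway so that a request is held until the sender's identity is verified through another channel. The following is an added example, not code from the article or from Snapchat; the company domain, executive name, keyword lists and sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration only; neither appears in the article.
COMPANY_DOMAIN = "corp.example"
EXECUTIVES = {"jane doe"}  # display names of executives likely to be impersonated

# Cues the article describes: boss unreachable, pressure to hurry, data or money asked for.
CUES = {
    "unreachable-pretext": re.compile(r"\b(travell?ing|in a meeting|can(no|')t (accept|take) (phone )?calls)\b", re.I),
    "urgency": re.compile(r"\b(urgent(ly)?|immediately|right away|asap|today)\b", re.I),
    "sensitive-ask": re.compile(r"\b(w-?2|payroll|social security|wire|deposit)\b", re.I),
}

def whaling_signals(raw):
    """Return the names of the whaling indicators found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    signals = []
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        signals.append("exec-name-external-sender")
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        signals.append("reply-to-mismatch")
    body = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    signals += [label for label, rx in CUES.items() if rx.search(body)]
    return signals

def needs_out_of_band_check(raw):
    """Hold for identity verification: a sensitive ask plus at least one other signal."""
    found = whaling_signals(raw)
    return "sensitive-ask" in found and len(found) >= 2

# Constructed sample messages (not real mail).
SPOOFED = (
    "From: Jane Doe <jane.doe@corp-example.test>\n"
    "Reply-To: jdoe.office@mailbox.test\n"
    "Subject: Need this before my flight\n\n"
    "I am traveling and cannot accept phone calls. "
    "Send me the W-2 forms for all staff immediately.\n"
)
ROUTINE = (
    "From: Jane Doe <jane.doe@corp.example>\n"
    "Subject: Planning\n\n"
    "Please add the W-2 timeline to next week's agenda.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("routine", ROUTINE)):
        print(label, whaling_signals(raw), needs_out_of_band_check(raw))
```

A message that passes this screen is not proven genuine; the check only decides which requests are held for the identity verification the article recommends.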