Best practices to prevent successful whaling attacks
- Check carefully for spoofed email addresses or names. Make sure that the sender’s email address perfectly matches the company name and format.
- Be aware of what you click on. Stop and think before responding to any email you receive.
- Review all URLs received via email in a web browser before acting on them. Determining whether anything looks suspicious can greatly decrease the chances of a successful attack.
- Prioritize effective security awareness training.
- Review existing processes, procedures and separation of duties for financial transfers and other important transactions such as sending sensitive data in bulk to outside entities.
- Consider new policies related to “out of band” transactions or urgent executive requests.
- Review, refine and test incident management and phish reporting systems.
- Be wary of any communication that is exclusively email based and establish a secondary means of communication for verification purposes.
- Be mindful of phone conversations. Whaling victims have reported receiving phone calls from threat actors requesting personal information for verification purposes.
- Executives should take special care when sharing information online or on social media sites like Facebook, Twitter and LinkedIn. Details such as birthdays, hobbies, holidays, job titles, promotions and relationships can all be used by threat actors to craft more sophisticated campaigns.
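As an added example that is not part of the original list, the following Python script implements the first two checks above in code: it compares the sender's domain against an exact list of company domains, flags a Reply-To that points elsewhere or a display name that carries a different address than the real sender, and extracts every link in the body so it can be reviewed before anyone clicks. `COMPANY_DOMAINS`, the two sample messages and every address and host in them are constructed for this example and are not from the original page.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this organisation legitimately sends from and links to.
# Constructed for the example; replace with your own.
COMPANY_DOMAINS = {"example-corp.com"}

# Matches http(s) URLs in a text body; trailing punctuation is stripped later.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)
# Matches an email address embedded in a display name.
ADDR_IN_NAME_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+\w+")


def _domain(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def _is_company_host(host, company_domains):
    """Exact match against a company domain, or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in company_domains)


def sender_findings(msg, company_domains):
    """Checks on From: and Reply-To: for the mismatches the list above warns about."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    # "Perfectly matches" means an exact domain match, so a lookalike TLD is flagged.
    if from_domain not in company_domains:
        findings.append(f"From domain '{from_domain}' is not an exact company domain")
    # A display name that shows a different address than the one actually sending.
    embedded = ADDR_IN_NAME_RE.search(name)
    if embedded and embedded.group(0).lower() != addr.lower():
        findings.append(f"Display name shows '{embedded.group(0)}' but sender is '{addr}'")
    # Replies silently routed to another domain deserve a second look.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain '{_domain(reply_to)}' differs from From domain")
    return findings


def url_findings(msg, company_domains):
    """List every link in the text body whose host is not a company host, for review."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    findings = []
    for raw_url in URL_RE.findall(text):
        url = raw_url.rstrip(".,;:")
        host = (urlparse(url).hostname or "").lower()
        if not _is_company_host(host, company_domains):
            findings.append(f"External link: {url} (host '{host}')")
    return findings


def analyze(raw_message, company_domains=COMPANY_DOMAINS):
    """Parse a raw RFC 5322 message and return the sender and URL findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    return {
        "sender": sender_findings(msg, company_domains),
        "urls": url_findings(msg, company_domains),
    }


# Constructed sample: a lookalike domain (.co instead of .com), a Reply-To
# pointing elsewhere, and a link to the lookalike host.
SUSPICIOUS_SAMPLE = """\
From: "Jane Doe (CEO)" <jane.doe@example-corp.co>
Reply-To: payments@mail-example.net
To: cfo@example-corp.com
Subject: Urgent wire before close of business
Content-Type: text/plain; charset="utf-8"

Please process the transfer today and confirm at https://example-corp.co/verify.
I am in meetings all day and cannot take calls.
"""

# Constructed sample of a legitimate internal message for comparison.
CLEAN_SAMPLE = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Q3 budget review
Content-Type: text/plain; charset="utf-8"

The updated figures are on the intranet: https://intranet.example-corp.com/finance/q3
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, analyze(sample))
```

Run it as-is to see the suspicious sample produce two sender findings and one external link while the clean sample produces none; in practice you would paste the raw message source from your mail client into `analyze` and set `COMPANY_DOMAINS` to your own. Exact-domain matching is what catches a `.co` standing in for `.com`, but it says nothing about a legitimate mailbox that has been taken over, which is why the out-of-band verification items in the list still apply even when these checks pass.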