Learn what whaling phishing attacks are, who they target, how they differ from other phishing attacks.
2023 Mid-Year Threat ReportWhaling is a common cyber attack 当攻击者利用鱼叉式网络钓鱼方法追踪大型, high-profile target, such as c-suite executives.
Malicious actors know that executives and high-level employees (like public spokespersons) can be savvy to the usual roster of spam tactics; they may have received extensive security awareness training because of their public profile, 安全团队可能有更严格的政策和更强大的工具来保护他们. 这导致试图对这些目标进行网络钓鱼的攻击者将目光投向更复杂的策略, targeted methods.
Like all phishing attacks, 一个成功的捕鲸目标仍然依赖于强迫目标, usually under the guise of some urgency. 期望的结果可能包括强迫接收方采取不必要的操作并触发电汇, for example, 或者点击链接或打开安装恶意软件的附件,或将目标发送到假冒合法网站的恶意网站. The goal: capture sensitive information, like credentials, 这给了攻击者一把掌握公司知识产权的万能钥匙, customer data, 或者其他信息,如果在黑市上出售,可能会有利可图.
由于对典型网络钓鱼策略的认识不断提高, 攻击者正在调整他们的方法,通过缩小范围和修改他们的欺诈信息的细节来说服电子邮件接收者他们的真实性并迫使他们采取行动. 这种更集中的网络钓鱼方法通常被称为 spear phishing. 当攻击者决定用鱼叉钓一个大而引人注目的目标时,这就变成了捕鲸.
Common whaling targets, like media spokespersons or C-level executives, 从本质上讲,有更多关于它们的ladbrokes立博中文版可供攻击者收集和利用. Due to their seniority, 他们也可能比普通员工拥有更多的内部数据访问权限:通过他们的内部凭证,他们可以获得更多的机密信息, and in some cases, 他们甚至可能有一定程度的行政特权. 虽然一个组织的潜在捕鲸目标池与整个员工名册相比可能相当小, the stakes are much higher.
At their core, 过去成功的捕鲸活动与成功的网络钓鱼活动的共同点并没有太大的不同:这些信息似乎都很紧急, 如此潜在的灾难性,以至于接受者感到必须迅速采取行动, putting normal security hygiene practices by the wayside. Scammers writing successful whaling emails know their audience won't be compelled by just a deadline reminder or a stern email from a superior; instead, they’ll prey upon other fears, 例如法律诉讼或成为名誉损害的对象.
In one example of a whaling attempt, 各行各业的许多高管都遭到了攻击,其中包含了有关他们及其业务的准确细节, 据称是美国地方法院发来的传票,要在一起民事案件的大陪审团面前出庭. The email included a link to the subpoena, 当收件人点击链接查看邮件时,他们反而感染了恶意软件.
对于高管和其他可能的捕鲸目标,标准的建议是 prevention and protection from phishing 仍然适用:小心点击电子邮件中的链接或附件, 因为任何类型的网络钓鱼攻击仍然需要受害者采取行动才能成功.
组织可以加强自己的防御,并通过实施一些特定的捕鲸最佳实践来教育潜在的捕鲸目标.
首先,要认识到面向公众的员工会分享哪些关于高管的信息. 这些细节可以很容易地通过社交媒体等网站在网上找到, 从生日和家乡到最喜欢的爱好或运动, can help whaling emails seem more legitimate. 重大的公共事件也可以给捕鲸邮件披上合法的外衣. 提醒高管或发言人,在这些高度曝光的时期, such as a major industry conference or company event, they'll be in a spotlight in more ways than one, and to be especially wary of their inbox.
其次,培养一种“信任但要核实”的组织电子邮件文化.鼓励各级员工紧急核实真实性, 意想不到的消息通过另一个通信渠道——比如亲自与发送者交谈, 或者给他们打电话或发短信——让高管和高级管理人员以身作则.
Most importantly, implement a phishing awareness training program, 专门针对高级管理人员和面向公众的员工,介绍他们可能收到的捕鲸邮件.
一个多方面的网络钓鱼意识项目不仅会教授防止捕鲸袭击的关键原则, 但他们会安全地让员工测试这些技能. 时不时地模拟捕鲸攻击是个好主意,可以让员工保持敏锐的技能,发现潜在的网络钓鱼活动, all within the safety of a training tool environment, with an emphasis on learning, especially from failures.