Phishing scams have been around for years and malicious emails haven’t changed a lot, but the end target has. As surfers and skiers say, “go big or go home,” and that’s exactly what scammers are doing.
By targeting lower-level employees, scammers are able to gain general access to a business’s inner workings. But by targeting high-level executives – the “big fish” – scammers can gain complete top-down access to all of a business’s operations.
These attacks on management are sometimes called whaling, in reference to the “big fish” targets. The goal is to steal sensitive information such as financial data or personal details about employees. Whaling attacks specifically target senior management who have complete access to sensitive data.
A related scam is the CEO impersonation scam, where the con artist reaches out to high-level employees who can pay a large bill or provide wide-sweeping information. The scammer pretends to be the CEO or CFO to give the request legitimacy and urgency. The request will often be for a large money transfer via wire, which is nonrecoverable. Scammers can often make their requests more plausible by using details gotten by researching the company or hacking emails.
The Better Business Bureau offers the following tips to prevent and prepare for potential whaling attacks:
Be wary of short, generic messages. Scammers won’t write a long email; they’ll try to pass off something short and generic as harmless, hoping you’ll click quickly without thinking.
• Double check before clicking or downloading. A mouse click is all it takes to inadvertently grant access to your computer, accounts and information, or unleash malware on your systems.
• Think about how you share. Never send sensitive, personal, or proprietary information via email regardless of who’s asking you for it.
• Watch out for emails to groups. Sending an email “from the CEO” to a staff or employee email list is the fastest way for a scammer to attack and affect an entire business.
• Set up processes. Make sure your company has a procedure for all requests involving sensitive information or payments, and make sure that procedure is followed. For particularly wide-reaching requests or large payments, require employees to check with their manager first.
If you get a call from a scammer, report it to the BBB Scam Tracker (bbb.org/scamtracker). This free resource provides a place to research and submit scam-related information so the BBB can investigate further and educate consumers.