3 December 2016
Whaling is a type of cyber fraud that targets mainly corporate executives. It is closely related to phishing and therefore nothing new. For a superb collection of examples see this slide show published on CIO.com.
As always, the combination of People, Process and Technology measures (PPT approach) is the best way to combat whaling:
People. The most effective way to deal with whaling is security awareness training. Include some whaling attacks in your anti-phishing training to raise awareness.
Processes. Enhance your information handling policy (IHP) or office manual. Add rules for the compliant handling of business requests by email:
- Users should never act on a business request from a company executive if the email is not signed with a company-owned and valid email certificate.
- Never trust an email from a business partner when it is not signed with the partner's valid email certificate.
Communicate the IHP to all users and train them in use and handling of email certificates.
Technology. Configure your email system such that all mails to external partners and at least all emails from company executives are signed with a valid email certificate.
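As an added example (not code from the original post), a mail-gateway triage rule in Python that applies the handling policy above: a request from an executive mailbox is rejected unless the message is S/MIME signed, and any unsigned mail is flagged. The executive addresses and sample messages are constructed assumptions, and the check is structural only, so cryptographic verification of the signature and certificate still has to happen in the gateway.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption for this example: the executive mailboxes covered by the rule.
EXECUTIVE_MAILBOXES = {"ceo@example.com", "cfo@example.com"}

def is_smime_signed(msg):
    # Structural check only (no signature validation): detached S/MIME
    # (multipart/signed + pkcs7-signature part) or opaque signed-data.
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        proto = str(msg.get_param("protocol", "")).lower()
        return proto.endswith("pkcs7-signature")
    if ctype.endswith("pkcs7-mime"):
        return str(msg.get_param("smime-type", "")).lower() == "signed-data"
    return False

def classify(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    signed = is_smime_signed(msg)
    if sender in EXECUTIVE_MAILBOXES and not signed:
        return "REJECT: executive request without S/MIME signature"
    if not signed:
        return "WARN: unsigned; do not act on business requests in it"
    # The gateway must still verify the chain against the company CA and
    # match the signer certificate's address to the From header.
    return "PASS: signed, pending cryptographic verification"

# Constructed sample messages; the base64 part is a placeholder, not a signature.
UNSIGNED_EXEC = b"""From: CEO <ceo@example.com>
Content-Type: text/plain

Please pay the attached invoice today.
"""
SIGNED_EXEC = b"""From: CEO <ceo@example.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pkcs7-signature

QUJDREVG
--b1--
"""
```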
With this, the risk of becoming the victim of a whaling attack is greatly reduced.
Have a good weekend.