By EuroXlive

The Interbank Information Security Forum of the Chamber of Banks and Financial Institutions of Costa Rica is alerting managers and senior executives to a new attack called whaling.

A whaling attack is a variant of phishing. It is therefore essential to know how it differs from phishing in general, how to identify it and, most importantly, how to protect the organization from this type of attack.

“What distinguishes this modality from others is that it is aimed at people who occupy high-ranking positions in a company or organization, mainly from technology companies that offer cutting-edge services, financial institutions and organizations that are dedicated to processing payments. These are part of the main target of this cyber threat; for example: the directors, presidents and managers of companies,” commented Annabelle Ortega, Executive Director of the Chamber of Banks and Financial Institutions.

This variant is very effective because it relies on social engineering, whose purpose is to convince people to carry out an action that involves the use of their personal data, such as sharing access credentials for a specific account or making an "emergency" bank transfer.

The Interbank Information Security Forum indicated that cybercriminals use the following strategies:

An email received after a call: the cybercriminal contacts the victim and asks questions that build trust, then manipulates the victim. The attacker may also convey a sense of urgency so that the victim confirms the data, in this case the email, as soon as possible. This is one of the simplest but most effective methods.

A frequently occurring scenario is that the attackers pose as the victim's trusted providers or contacts. To achieve this, before carrying out the deception, the cybercriminal can access the victim's data, such as their email contacts. This makes it easier to “disguise” themselves as someone the victim would trust.

In another scenario, the email message that serves as a bridge to carry out whaling is disguised as one of the many messages that a boss, manager or director receives on a daily basis: reports, balance sheets and even personal and corporate banking transactions. Hence the importance of security awareness among people in senior positions.

Another situation that arises is that the victim trusts email messages so much that they do not even carry out one of the key phishing prevention practices: verifying email addresses. Because of haste or some other circumstance, the victim does not take the time to check the email addresses or whether the person contacting them was really who they claimed to be.

Additionally, social network profiles provide a lot of information that can be used to carry out whaling. Professional social media accounts can reveal a great deal about the victim's network of contacts.

"That is why it is of utmost importance that the senior executives of organizations and companies have great caution and security awareness of the activities they carry out online," said Ortega.