Whaling Email

Mimecast solutions for stopping a whaling email scam

Mimecast provides cloud security services for combating whaling email scams and protecting your organization against a wide range of other threats. Mimecast's all-in-one, subscription service also provides tools for email archiving, continuity, backup and recovery, e-Discovery and compliance, enabling your IT administrators to conduct comprehensive business email management from a single pane of glass using a web-based interface.

To stop a whaling email attempt, Mimecast scans all inbound email for key indicators that suggest a message may be suspicious. These include:

• The email's display name and domain name – Mimecast looks for domain similarity and examines the recency of domains to identify digital domain spoofing.
• The email's reply-to information – whaling email attacks often use a different reply address than the address of the purported sender.
• The email's content – Mimecast looks for certain words and phrases like "wire transfer", "bank transfer" or "W-2" that are often part of a whaling email.

When an email is deemed suspicious, Mimecast can block, quarantine or tag the message to ensure employees are not tricked into making fraudulent wire transfers or sharing sensitive data.

FAQs: Whaling Email

What is a whaling email?

A whaling email is part of a whaling attack, which is a form of phishing that targets high-ranking executives or others with powerful job titles and positions. A whaling email is created to look and read as if it was sent from a legitimate source, usually someone the recipient knows and trusts. The purpose of a whaling email is to trick the recipient into revealing sensitive information that attackers can use to steal data, or to authorize a wire transfer of funds to a fraudulent account.

How does whaling email work?

To create a whaling email, attackers will research a targeted individual, usually collecting personal information from online profiles and social media accounts. The design of a whaling email will look identical to an email from a legitimate business, making it very difficult to spot the fraud. The content of a whaling email may ask the recipient to send a wire transfer right away, to email sensitive data like tax information or payroll files to a spoofed email address, or to visit a spoofed website where the target is asked to enter sensitive information like passwords or bank account numbers. Visiting such a website may also enable attackers to download malware to the victim’s computer.

How to recognize a whaling email?

A whaling email is much more difficult to spot than a regular phishing attack. Because the stakes are larger, attackers will spend considerably more time to make a whaling email or a whaling website look professional and to read as if it was sent by another high-level executive. There are several things that all users should watch for, though, that can help them to recognize a whaling email.

• Any request for a transfer of funds or for sensitive information should be viewed skeptically and should be a cause for further investigation.
• Often, a whaling email will have an urgent or a slightly threatening tone that’s intended to encourage the recipient to act quickly and without taking time to confer with others or double-check information.
• The sender’s email address in a whaling email may be slightly altered from the domain name of a legitimate or trusted company. For example, an email from “name@acme.com” may be substituted with “name@acrne.com”, where the “m” in the original domain is replaced with a “rn” that is difficult for a casual observer to spot.

How to stop whaling email?

Preventing a whaling email attack is best accomplished with a combination of technologies in education.

• Security awareness training is critical to spotting a whaling email. By educating them about what a whaling email might look like or what it might instruct them to do, users are better equipped to maintain a skeptical attitude toward all potential attacks.
• DNS authentication services can determine whether an email was sent from a legitimate or fraudulent domain by using DMARC, DKIM and SPF protocols.
• Anti-impersonation software can scan the header and content of email to spot the signs of a malware-less whaling email that uses social engineering-based techniques.
• Email scanning and filtering technology that scours the links and attachments of all inbound email can prevent users from opening an attachment or clicking on a link that may be part of a whaling email
• Superior anti-malware and anti-spam programs can help to stop some whaling emails at the email gateway.

Where should I report whaling email?

If you suspect you have received a whaling email – or if you have succumbed to a whaling attack – you should immediately report it to:

• Your company and your IT department, enabling them to quickly limit any damage.
• The person that the email was impersonating.
• Government agencies that are dedicated to stopping this type of cybercrime such as the Cybersecurity and Infrastructure Security Agency (phishing-report@us-cert.gov), the Federal Trade Commission (ftc.gov/complaint) and the Anti-Phishing Working Group (www.antiphishing.org/report-phishing).