Be Aware of “Whaling”

What is “whaling?” Whaling is a clever type of phishing scam that typically involves a hacker pretending to be a senior executive. The perpetrators will usually ask the intended victim to take some action, such as moving money, making a payment, or transferring documents containing personally identifiable information.

Whaling attacks are a form of corrupt business email known as “CEO fraud.” According to the FBI, losses from whaling have totaled more than $2.3 billion in just the last three years. This type of scam has increased by 270 percent since January 2015.

Whaling exploits relationships between employees. Unlike typical phishing scams where the attack includes malicious code or an attachment sent to a broad audience, whaling is directed at high-ranking executives using familiar-sounding names and email addresses.

The perpetrators gain access to an executive’s email inbox or email employees from a fake domain name that appears similar to the legitimate one.

The language and phrasing of the email request are designed to sound realistic. A spam filter will not be effective against this type of attack since the content is written by a real human and there are no links or attachments. You must closely inspect the header of your email messages.

To avoid whaling scams, be on guard for the examples at left, and do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information they requested.

Please let IT know if this information was helpful and what other information security topics you would like to learn more about.

You can reach IT at: infosecrisk@nycha.nyc.gov or 212-306-8006.

Examples of Whaling

• Zero (0) used as the letter O: NEW Y0RK CITY H0USING AUTH0RITY vs. NEW YORK CITY HOUSING AUTHORITY

• .org used instead of .gov: nycha.nyc.org vs. nycha.nyc.gov

• Executive name written using zero (0) for the letter O: B0B MARAN0 vs. BOB MARANO