Beware of Whaling Attacks: Understanding CEO Impersonation in Security Exams

The Chief Financial Officer (CFO) of an insurance company received an email from Ann, the company's Chief Executive Officer (CEO), requesting a transfer of $10,000 to an account.

The email states Ann is on vacation and has lost her purse, containing cash and credit cards.

Which of the following social-engineering techniques is the attacker using?

A.

Phishing

B.

Whaling

C.

Typo squatting

D.

Pharming.

B.

The social engineering technique being used in this scenario is called "whaling". Whaling is a specific type of phishing attack that targets high-profile individuals within an organization, such as executives or senior managers, in an attempt to trick them into divulging sensitive information or performing a fraudulent financial transaction.

In this case, the attacker has impersonated the CEO of the insurance company in an email sent to the CFO, requesting a transfer of $10,000 to an account. The attacker has used a plausible story of the CEO being on vacation and losing her purse, which can create a sense of urgency and pressure the CFO into acting quickly without proper verification.

The objective of the whaling attack is to exploit the trust and authority associated with high-profile individuals to bypass security controls and gain access to sensitive information or financial resources. These attacks can be conducted through various means, including email, social media, or phone calls.

It is important for organizations to implement security awareness training programs and establish protocols for verifying financial transactions or sensitive information requests, especially when they involve high-profile individuals. By following proper procedures and being vigilant against social engineering tactics, organizations can better protect themselves from whaling attacks and other types of cyber threats.