Watch Out for Whaling: Phishing Targeting Leaders
“Whaling” is a sophisticated form of phishing that targets an organization's top leaders. It uses clever social engineering and generative artificial intelligence to look like it comes from people you know and trust: the president, provost, vice provosts, vice presidents, or deans.
Cornell's leaders are just as likely to receive this kind of fraudulent email as to be the alleged sender of one.
A whaling phish can be hard to spot because it:
- is well-written
- seems to know you, your work, and your organization's structure
- appears to come from someone you would expect to contact you, or from someone higher up in the hierarchy
- makes reasonable requests (review this, confirm that, answer a question)
- sometimes makes urgent requests, but with a plausible, credible explanation
- can use phone or email or both
- can be persistent, with follow-ups from multiple senders
These steps can help you guard against whaling and other kinds of phishes:
- Leaders: talk with your staff about phishing and how to verify requests. At minimum, everyone should be suspicious of any requests coming from a non-Cornell email account or phone number.
- Double-check any requests involving financial transactions or high-risk matters by another means. For example, if it came in by email, verify via text, chat, or phone call. At minimum, do not simply hit reply.
- Use Cornell’s Outlook service to check your email. It automatically checks links and attachments and blocks any that are known to be malicious. If you use another email service (for example, for personal mail), be extremely cautious with links and attachments.
- Verify that the message is coming from the person's real email address. In Outlook, you need to hover over the name to see the email address.
- Require NetID login to access all procedures or approval workflows. If this information is publicly accessible, whalers will use it to make their scams look authentic.
- Treat your social media presence as a rich source of information that may be used in attacks. For example, if you share travel or conference stories, wait until you’re back in the office, so your colleagues can easily recognize a scam that claims you urgently need cash transferred.
- Some phishes targeting Cornell are listed at the IT@Cornell Phish Bowl.
- Some trusted emails from departments are listed at Verified Cornell Communications.
- Report suspected phishes to the IT Security Office. Be sure to include the entire text of the message and email headers.
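The advice above to look past the display name at the real sender address, and to include full headers when reporting, can be automated for a mailbox or a reporting queue. The following checker is an added example, not a Cornell tool or part of the original page: it parses a raw message with Python's standard library and flags the signals a whaling attempt typically carries. The trusted domain, the list of leadership titles, and the three sample messages are all constructed assumptions for illustration.

```python
"""Flag sender-related whaling signals in a raw email message.

Added illustration only (not Cornell's code). Assumptions: the organization's
mail domain is cornell.edu, and the titles below are the ones impersonators
tend to borrow. The sample messages are constructed, not real reports.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "cornell.edu"  # assumption: the organization's own mail domain
# Titles the page names as typical impersonated senders (assumed list)
LEADER_TITLES = ("president", "provost", "vice provost", "vice president", "dean")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_trusted(addr: str) -> bool:
    """True if the address is on the trusted domain or one of its subdomains."""
    d = domain_of(addr)
    return d == TRUSTED_DOMAIN or d.endswith("." + TRUSTED_DOMAIN)


def check_sender(raw_message: str) -> list:
    """Return human-readable warnings for the From/Reply-To headers of a message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    warnings = []

    # Outlook shows the display name; the real address is only visible on hover.
    if not is_trusted(addr):
        warnings.append(f"From address {addr} is outside {TRUSTED_DOMAIN}")

    # A display name can embed a trustworthy-looking address that differs
    # from the address the mail actually came from.
    embedded = {m.lower() for m in EMAIL_RE.findall(name)}
    if embedded and addr.lower() not in embedded:
        shown = ", ".join(sorted(embedded))
        warnings.append(f"display name shows {shown} but real address is {addr}")

    if any(t in name.lower() for t in LEADER_TITLES) and not is_trusted(addr):
        warnings.append("leadership title in display name with external address")

    # "Do not simply hit reply": a Reply-To that diverts replies elsewhere.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        warnings.append(f"replies go to {reply_addr}, not to the From address")
        if not is_trusted(reply_addr):
            warnings.append(f"Reply-To address is outside {TRUSTED_DOMAIN}")
    return warnings


# Constructed sample messages (not real phishes).
SAMPLES = {
    "spoofed_display_name": (
        'From: "Provost Jane Doe <jdoe@cornell.edu>" <jane.doe.provost@gmail.com>\n'
        "Subject: Quick favor\n\nAre you at your desk?\n"
    ),
    "diverted_reply": (
        "From: Jane Doe <jdoe@cornell.edu>\n"
        'Reply-To: "Jane Doe" <jane.doe.provost@outlook.com>\n'
        "Subject: Confirm this\n\nPlease confirm the wire details.\n"
    ),
    "legitimate": (
        "From: Jane Doe <jdoe@cornell.edu>\n"
        "Subject: Agenda\n\nAttached is Thursday's agenda.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_sender(raw) or ["no sender warnings"])
```

A clean result from this check does not make a message safe; it only covers the sender headers. Requests involving money or access should still be verified through a second channel, as the list above says.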