What Is Whaling?
Whaling is phishing taken to the next level. While phishing messages are usually moderately customized for each user and organization, they are still bulk, brute-force attacks: try every email address in the school district in the hope that you’ll get at least one person to bite.
With whaling, the target is carefully chosen, and the attack is completely customized. This is why anti-spam engines have a difficult time blocking whaling messages. The message isn’t part of a bulk attack, and the email security gateway has never seen the sender or the website before. Because of this, there are almost no clues for the threat-prevention program that something is amiss.
Because anti-spam products can’t catch true whaling attacks, districts need other layers of protection in place to counter this threat.
Why Are K–12 IT Leaders Targets for Cybercriminals?
IT managers in K–12 districts face two big risks that make them susceptible to whaling attacks: easy access to targets and greater vulnerability throughout the education environment. These environments are especially at risk because of the open nature of most school districts. The names and email addresses of top staff, board members, principals and other leaders are easy for an attacker to find.
These whaling threats have multiplied over the past year with increased at-home schooling and remote work. K–12 districts are usually less technically sophisticated and generally have constrained budgets for information security. They also typically have large, horizontal management structures and a more trusting environment. These factors all increase the risk that someone in the district community will fall victim to an attack.
In the past, K–12 IT managers balanced the large targets on their backs with the knowledge that the relatively smaller budgets of most school districts made them less attractive to cybercriminals looking to profit from a phishing or whaling expedition. Cybercriminals have since found new reasons to keep the pressure on K–12 targets, even though school budgets have stayed relatively the same.
These bad actors have found that encrypting data and shutting down day-to-day operations, or stealing a school district’s private data and threatening to release it, can extort a substantial ransom payment from even a budget-stressed school. School districts protect a great deal of private student and staff information, which criminals use as leverage in their attacks.
How Can Schools Protect Against Whaling Attacks?
If there is no perfect program to block whaling attacks, then the best defense is to make the attacks themselves ineffective. A school leader may click an inappropriate link, but if their credentials can’t be stolen by the whaling site, then the attack won’t succeed the way the cybercriminals hope. While IT managers have a good handle on protecting workstations with endpoint security products, they may need tips to solve the stolen credential problem.
IT managers can make credential theft a nonissue by implementing two-factor authentication. If a username and password aren’t enough to compromise a district leader’s account or exploit their privileges, then the phishing or whaling attack is mitigated. Two-factor authentication — also called multifactor authentication — is the best way to prevent phishing and whaling attacks from turning into data breaches.