What Is Whaling?
Whaling is phishing taken to the next level. While phishing messages are usually moderately customized for each user and organization, they are still bulk, brute-force attacks: try every email address in the school district in the hope that you’ll get at least one person to bite.
With whaling, the target is carefully chosen, and the attack is completely customized. This is why anti-spam engines have a difficult time blocking whaling messages. The message isn’t part of a bulk attack, and the email security gateway has never seen the sender or the website before. Because of this, there are almost no clues for the threat-prevention program that something is amiss.
Because anti-spam products can’t catch true whaling attacks, districts need other layers of protection in place to counter this threat.
Why Are K–12 IT Leaders Targets for Cybercriminals?
IT managers in K–12 districts have two big risks that make them susceptible to whaling attacks: easy access to targets and a greater vulnerability throughout the education environment. These environments are especially at risk thanks to the open nature of most school districts. The names and email addresses of top staff, board members, principals and other leaders are easy for an attacker to find.
These whaling threats have multiplied over the past year with increased at-home schooling and remote work. K–12 districts are usually less technically sophisticated and generally have constrained budgets for information security. They also typically have large, horizontal management structures and a more trusting environment. These factors all increase the risk that someone in the district community will fall victim to an attack.
In the past, K–12 IT managers balanced the large targets on their back with the knowledge that the relatively smaller budgets of most school districts made them less attractive to cybercriminals looking to profit from a phishing or whaling expedition. Cybercriminals have found new reasons to keep the pressure on K–12 targets, despite school budgets staying relatively the same.
These bad actors have found that encrypting data and shutting down day-to-day operations, or stealing a school district’s private data and threatening to release it, can extort a substantial ransom payment from even a budget-stressed school. School districts protect a great deal of private student and staff information, which criminals are using to leverage their attacks.
How Can Schools Protect Against Whaling Attacks?
If there is no perfect program to block whaling attacks, then the best defense is to make the attacks themselves ineffective. A school leader may click an inappropriate link, but if their credentials can’t be stolen by the whaling site, then the attack won’t succeed the way the cybercriminals hope. While IT managers have a good handle on protecting workstations with endpoint security products, they may need tips to solve the stolen credential problem.
IT managers can make credential theft a nonissue by implementing two-factor authentication. If a username and password aren’t enough to compromise a district leader’s account or exploit their privileges, then the phishing or whaling attack is mitigated. Two-factor authentication — also called multifactor authentication — is the best way to prevent phishing and whaling attacks from turning into data breaches.
K–12 IT managers who have rejected two-factor authentication in the past due to the high cost of managing hardware or software tokens or the lack of integration with popular applications should take another look. Technologies have changed dramatically in the past few years.
App stores across different operating systems have multiple standards-based two-factor authentication applications available. This would allow K–12 users to leverage the two-factor authentication applications they may already have downloaded for popular personal applications such as Gmail, PayPal, Facebook or Amazon. Enabling two-factor authentication can be very simple: Schools using Microsoft 365 or Google Workspace for Education, for example, can enable it overnight at no additional cost.
IT managers can mitigate the risks of whaling by protecting workstations with endpoint security tools and making sure that stolen credentials won’t be a vulnerability.