Just Phishy: Whaling

Whaling refers to a specific type of spear-phishing scam, where the thief poses as a 鈥渂ig fish鈥, such as your coworker, boss or someone higher up in a company, such as a president, board member, etc.  Organization charts are readily available online so a clever whaler can find out to whom you might report and craft a believable scam message to get you to open a file or purchase gift cards for them.

The scams can be completely convincing, including using company letterhead, official signatures and logos.  In fact, your only indication that the message might not be from the big fish it purports to be is the e-mail address may be unfamiliar or not associated with the institution.

There are a few things to consider when confronting any message containing an attachment or request from someone in the organization:

  • Is the e-mail address correct?  Is it from a valid @pomona.edu address?
  • Does the message want you to open an attachment?  Were you expecting this attachment from this person?  If not, contact the person in another manner (phone, in person) and ask if they actually sent you the attachment
  • Does the message contain links that the whaler wants you to click?  Contact the sender and verify that the link is valid, or if it supposedly points to a known resource, get to the resource using a bookmark. You can rest your mouse over a link to see where it goes.  If the address looks fishy in any way, do not click on it.
  • Is the person asking you to do an out-of-character favor, such as asking for money for a charity or requesting that you purchase gift cards?  Gift cards are increasingly becoming the currency of scammers. Double-verify any requests for gift card purchases using a phone or in-person visit.  Also be aware of charity scams asking for gift cards.  In fact, if gift cards are in the conversation at all, you should suspect a scam.

色中色 is a small, tight-knit community.  A little communication can help thwart whalers and keep our data safe.  The old mantra, 鈥渋t never hurts to ask,鈥 applies here.

Do not hesitate to contact the ITS Service Desk by phone at (909) 621-8061 or via e-mail if you have any questions or concerns about security.