Nonprofit organizations are quickly becoming a hot target for spear-phishing attacks. As we all know, spear-phishing requires targeting a specific person within the organization to breach its security systems. But the scammers behind these attacks know that tricking different people can yield different results. Naturally, the most lucrative targets for attacks are executives, or the “big fish” of an organization. When a spear-phishing attack specifically goes to someone like a VP or CEO, it is known as “whaling”.
Whaling attacks are designed to trick executives into doing something like sending a wire transfer or clicking on a malicious link. Oftentimes, criminals will gather and use personal information about their target to personalize the email better and increase their probability of success. As a result, whaling attacks can be very convincing and difficult for both the target and email defenses to catch.
It’s important to note that whaling and CEO fraud are not the same, even though the terms are sometimes used interchangeably. Whaling attacks target high-ranking executives; they don’t necessarily impersonate them. CEO fraud (or CxO fraud) is a type of spear-phishing attack where attackers impersonate someone in a leadership position.
So why are whaling attacks successful? Attackers don’t need much capital, special equipment, or a particularly advanced skillset. They often just need to invest time into researching a target, which is easy to do with the proliferation of public profiles on platforms like LinkedIn.
This time of year, nonprofit leaders are incredibly busy and under a tremendous amount of pressure from end-of-year giving. But because of their position, they may not always be able to focus on just one part of the organization like fundraising. However, they still have access to the sensitive information that the donor database stores. Working at a fast pace, on the go, or outside work hours can lead to leaders making critical mistakes on email, or being duped into thinking a whaling email is legitimate.
The motivation behind whaling attacks is commonly financial. But going after an organization’s finances can have wide-reaching consequences, affecting intangible factors like company morale and reputation with donors. Although it is harder to quantify on a balance sheet, a whaling-induced data breach can put hard-earned donor trust at serious risk. With organizations now holding more data on donors than ever before, these attacks can cause immense harm to nonprofits and the communities they serve. What’s more, data breaches are expensive to manage: the average cost of a breach is $3.86 million.
Because of the immense risks and consequences of a data breach, it’s clear that traditional methods (spam filters, antivirus software, and the like) aren’t able to keep pace with attacks that are becoming more and more complex by the day. Nonprofits need a comprehensive tool that can proactively alert fundraisers to potential data breaches and provide steps to remediate data risks.
By understanding human behaviors unique to the nonprofit space, Gravyty Guard uses advanced technologies to train models, deploy proactive alerts, and provide detailed, flexible reporting to protect employees and leaders from being the source, maliciously or accidentally, of the next donor data security breach.