Big game hunting is the practice of aiming cybercrime attacks specifically at wealthy individuals and organizations (usually businesses). The phishing attacks used in big game hunting are known as whale phishing and spear phishing.
What is the purpose of big game hunting?
Big game hunting aims to steal significant sums of money, sensitive data, or intellectual property from individuals who have access to them. These attacks are meticulously planned, highly personalized, and often rely on social engineering or impersonation to deceive their targets.
Types of big game hunting
Whale phishing (or whaling)
- Target: Senior executives, CEOs, CFOs, or other high-profile individuals within an organization.
- Method: Attackers impersonate trusted sources (e.g., a company’s legal team, a board member, or a business partner) to trick the target into authorizing large financial transfers or disclosing sensitive information.
- Example: An email appearing to come from the CEO, urgently requesting a wire transfer to a new vendor account.
Spear phishing
- Target: Specific individuals or departments (e.g., finance, HR) within an organization.
- Method: Highly customized emails or messages that appear legitimate, often using personal details (e.g., names, job titles, recent projects) to increase credibility.
- Example: An email to an HR manager, seemingly from a job applicant, with a malicious attachment labeled “Resume.pdf.”
Business Email Compromise (BEC)
- Target: Employees with access to financial systems or sensitive data.
- Method: Attackers compromise or spoof business email accounts to send fraudulent payment instructions or request confidential information.
- Example: A finance employee receives an email from a “vendor” with updated payment details, redirecting funds to the attacker’s account.
Why big game hunting is effective
- High Reward: Successful attacks can yield millions in fraudulent transfers or ransom payments.
- Low Risk: Attackers often use social engineering rather than technical exploits, making detection harder.
- Exploitation of Trust: By impersonating trusted figures or using insider knowledge, attackers bypass traditional security measures.
Real-world impact
- Financial Losses: The FBI’s Internet Crime Complaint Center (IC3) reported over $2.4 billion in losses from BEC scams in 2021 alone.
- Data Breaches: Sensitive corporate or personal data can be exposed, leading to regulatory fines and reputational damage.
- Operational Disruption: Ransomware attacks (a common big game hunting tactic) can cripple business operations.
How to protect against big game hunting scams
- Employee Training: Regularly educate staff on recognizing phishing attempts and verifying unusual requests.
- Multi-Factor Authentication (MFA): Require MFA for email and financial systems.
- Email Verification: Implement protocols to confirm payment changes or sensitive requests via a secondary channel (e.g., phone call).
- Advanced Threat Detection: Use AI-driven security tools to detect anomalous email patterns or behaviors.
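As an added example (not part of the original page), the heuristics below show what "anomalous email patterns" can mean in practice for the whaling and BEC scenarios described above: an executive's display name arriving from an external or lookalike domain, a Reply-To that redirects replies elsewhere, and payment or urgency language. The internal domain, executive name and sample messages are constructed for illustration; in a real mail pipeline these checks would sit alongside SPF/DKIM/DMARC results rather than replace them.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for this example: the organisation's own domain
# and the names attackers would most likely impersonate.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"Jane Doe"}
PAYMENT_TERMS = re.compile(
    r"wire transfer|updated payment|new (?:vendor|bank) account|urgent", re.I
)

def lookalike(domain, trusted):
    """True if domain differs from the trusted one by a single character
    (e.g. a digit swapped for a letter), a common BEC spoofing trick."""
    if domain == trusted or len(domain) != len(trusted):
        return False
    return sum(a != b for a, b in zip(domain, trusted)) == 1

def score_message(raw):
    """Return the list of BEC indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    if name in EXECUTIVE_NAMES and domain != INTERNAL_DOMAIN:
        findings.append("executive display name from external domain")
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("Reply-To differs from From")
    if domain != INTERNAL_DOMAIN and lookalike(domain, INTERNAL_DOMAIN):
        findings.append("lookalike sender domain")
    if PAYMENT_TERMS.search(msg.get("Subject", "") + " " + msg.get_payload()):
        findings.append("payment or urgency language")
    return findings

# Constructed sample messages: a CEO-impersonation request and a benign internal mail.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-example.net
Subject: Urgent wire transfer

Please wire $48,000 to the new vendor account today; I am in a meeting and cannot talk.
"""
SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example.com>
Subject: Q3 offsite agenda

Draft agenda attached for review before Friday.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(sample))
```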