As the name suggests, “whaling” in a cybersecurity context is a type of hyper-specific phishing attack designed to maximize impact by focusing on senior/high-level executives and leadership teams within an organization. Typically, whaling attacks will be emails targeted at C-suite executives or their equivalents. They are characterized by their studied understanding of the organization they are preying on, acquiring such an intimate knowledge base of its operations, decision-makers, and culture that they can shape their tone and language to manipulate unwitting employees to take action on their behalf.
They often contain personal information about their recipient to gain their trust. This approach allows them to leapfrog the need for technical knowledge by using these individuals, their knowledge, and their network within the organization as tools in service of their more significant objective. Much like a fly that comes to rest on a spider web, targets often don’t realize what’s happened until it’s too late. As such, scammers have access to huge potential rewards for relatively little prior investment or effort.
What is a whaling attack?
Whaling attacks rely on manipulating an individual into performing secondary actions against the best interest of their organization. Some of the most common examples include:
- Opening a link to a site that delivers malware
- Transferring funds or requesting a transfer of funds to the attacker’s bank account
- Breaching data protection by providing additional details about the business, individual, or individuals to facilitate further attacks
How do whaling attacks work?
Whaling attacks hinge on the ability to either directly manipulate a high-value individual or masquerade as a high-ranking individual within an organization to influence the behavior of their peers or subordinates. In the case of subordinates, whaling often leverages the reluctance of junior staff to refuse or even challenge a request from their superior.
Peer-to-peer manipulation tends to rely on compartmentalizing organizational duties, i.e., the left-hand needs to learn what the right is or should be doing. Relationships outside the business, such as those with third-party vendors, are a common disguise for these attacks.
How does it differ from phishing in cyber security?
Whaling emails share common goals and tactics with regular phishing and spear-phishing emails. They all employ techniques like email spoofing, fraudulent websites, and public data capture to compromise an organization’s security. These methods facilitate the acquisition of sensitive and valuable information or money from the organization. The difference lies in their target: phishing scams take a blanket approach, hoping to pry information from anyone who will part with it. Whaling, in contrast, uses an ultra-specific system, focusing solely on high-ranking individuals.
Examples of whaling attacks
In 2016, an executive of Seagate’s HR department was targeted in a whaling attack that exposed over 10,000 employees’ income tax data, leaving them vulnerable to income tax fraud and identity theft.
Mattel suffered a theft of $3 million in 2015 after the attackers posed as the company’s CEO and targeted a C-level executive to action a transfer of funds to a new account.
The same year, attackers targeted the CEO of Ubiquiti Networks by impersonating a third-party vendor requesting a transfer of funds, resulting in a loss of $46.7 million.
In perhaps the most famous whaling incident, Austrian aerospace firm FACC lost approximately $54 million after attackers imitated its CEO to alter company banking details and move funds out of the company.
Is your company vulnerable to a whaling attack?
Although these examples all feature large companies and are high profile, any organization can be vulnerable to whaling attacks. While larger organizations may represent a bigger potential prize to attackers and have a greater capacity to be damaged by them, they also have considerable resources to fund cybersecurity and training programs in their defense. Small and medium-sized companies may need more time, financial resources, or people to protect against threats as insidious as whaling effectively.
What are the characteristics of a typical whaling attack?
Since attackers will utilize the information gathered during their reconnaissance of personnel, they can often be more challenging to identify. Here are some common traits of a whaling attack:
- Spoofed emails: Whaling attacks often forge either the personal or domain sections of an email address to look almost identical to a genuine contact, which projects credibility and allows them to exploit the recipient’s trust.
Additionally, many attacks mimic an organization’s templates, language, and tone when emailing an employee. It’s also common for these emails to be sent with an air of urgency, creating psychological pressure on the recipient to acquiesce to the senders’ requests quickly and making them more likely to overlook discrepancies or refrain from asking questions.
- Suspicious links: Links, attachments, and landing pages sneak malware into vulnerable devices or networks and can be further concealed by embedding them into the main body of an email or other internal communication text.
- High-value targets: Whaling attacks will almost always target high-value individuals in an organization to use their influence to either directly facilitate an attack or to direct others to do so on their behalf.
How to prevent whaling attacks
While whaling attacks are as sophisticated as they are insidious, there are ways of shoring up and strengthening your organization’s defenses to improve the chances of early detection and harm reduction in the case of a breach.
Start with the most vulnerable targets
C-Suite executives, management teams, specialist staff, and individuals with access to financial information are likely targets for whaling attacks. As such, you should invest in training so that these vulnerable targets remain vigilant to the signs of a possible whaling attack and take swift action when one is identified.
Train your high-value employees to check the domain names of questionable senders, confirm high-risk requests via a separate channel, and avoid opening unsolicited attachments.
Create Operational Security (OPSEC) Awareness
OPSEC aims to identify otherwise innocuous activity that could leave individuals or your organization at risk if exploited. A typical example would be your executives displaying personal information such as birthdays or hobbies on a public social media profile that an attacker could utilize while impersonating them. Company waste bins are also a common hunting ground for determined attackers and can provide helpful personal or operational data to be leveraged later. The key is identifying these weaknesses and developing preventative policies or active countermeasures against them.
Install robust email security policies
Since email spoofing is often central to whaling attacks, ensuring you have the correct DKIM, DMARC, DNSSEC, and SPF settings in place can be extremely valuable, as well as providing a means to flag suspicious external communications.
Create two-step verification procedures
In addition to cybersecurity training, it’s also wise to create a culture of verification with universally understood protocols. Each employee, including C-Suite executives, should only be able to request funds or sensitive data not ordinarily suitable for email with prior verification in a separate channel. An internal messaging platform is ideal here since every employee is likely to have access as a matter of course. Document this protocol and ensure that it is well understood across your organization. Great opportunities to do this are employee onboarding sessions and quarterly organization-wide cybersecurity training “top-ups.”
Invest in anti-phishing technology
Anti-phishing technology works to highlight and block phishing communications. It can automatically scan links and attachments in emails and prevent users from accessing them if they appear suspicious. Acquiring such technology can provide another layer of contingency to help protect your employees and your organization.
How can Elev8 protect you from whaling attacks?
Elev8 provides bespoke, interactive digital skilling programs that can bring your teams and executives up to speed on the latest cybersecurity insights, protocols, and best practices. They will learn why it is so important to remain vigilant against whaling attacks, recognize and respond to warning signs, and develop effective systems for prevention and harm reduction.
If you’re looking for an end-to-end skilling solution to empower your organization to prevent whaling attacks and other types of phishing, contact elev8 for a consultation.