What is Whaling in Cyber Security?

As the name suggests, “whaling” in a cybersecurity context is a type of hyper-specific phishing attack designed to maximize impact by focusing on senior/high-level executives and leadership teams within an organization. Typically, whaling attacks will be emails targeted at C-suite executives or their equivalents. They are characterized by their studied understanding of the organization they are preying on, acquiring such an intimate knowledge base of its operations, decision-makers, and culture that they can shape their tone and language to manipulate unwitting employees to take action on their behalf.

They often contain personal information about their recipient to gain their trust. This approach allows them to leapfrog the need for technical knowledge by using these individuals, their knowledge, and their network within the organization as tools in service of their more significant objective. Much like a fly that comes to rest on a spider web, targets often don’t realize what’s happened until it’s too late. As such, scammers have access to huge potential rewards for relatively little prior investment or effort.

What is a whaling attack?

Whaling attacks rely on manipulating an individual into performing secondary actions against the best interest of their organization. Some of the most common examples include:

Opening a link to a site that delivers malware
Transferring funds or requesting a transfer of funds to the attacker’s bank account
Breaching data protection by providing additional details about the business, individual, or individuals to facilitate further attacks

How do whaling attacks work?

Whaling attacks hinge on the ability to either directly manipulate a high-value individual or masquerade as a high-ranking individual within an organization to influence the behavior of their peers or subordinates. In the case of subordinates, whaling often leverages the reluctance of junior staff to refuse or even challenge a request from their superior.

Peer-to-peer manipulation tends to rely on compartmentalizing organizational duties, i.e., the left-hand needs to learn what the right is or should be doing. Relationships outside the business, such as those with third-party vendors, are a common disguise for these attacks.

How does it differ from phishing in cyber security?

Whaling emails share common goals and tactics with regular phishing and spear-phishing emails. They all employ techniques like email spoofing, fraudulent websites, and public data capture to compromise an organization’s security. These methods facilitate the acquisition of sensitive and valuable information or money from the organization. The difference lies in their target: phishing scams take a blanket approach, hoping to pry information from anyone who will part with it. Whaling, in contrast, uses an ultra-specific system, focusing solely on high-ranking individuals.

Examples of whaling attacks

Seagate

In 2016, an executive of Seagate’s HR department was targeted in a whaling attack that exposed over 10,000 employees’ income tax data, leaving them vulnerable to income tax fraud and identity theft.

Mattel

Mattel suffered a theft of $3 million in 2015 after the attackers posed as the company’s CEO and targeted a C-level executive to action a transfer of funds to a new account.

Ubiquiti Networks

The same year, attackers targeted the CEO of Ubiquiti Networks by impersonating a third-party vendor requesting a transfer of funds, resulting in a loss of $46.7 million.

FACC

In perhaps the most famous whaling incident, Austrian aerospace firm FACC lost approximately $54 million after attackers imitated its CEO to alter company banking details and move funds out of the company.

Is your company vulnerable to a whaling attack?

Although these examples all feature large companies and are high profile, any organization can be vulnerable to whaling attacks. While larger organizations may represent a bigger potential prize to attackers and have a greater capacity to be damaged by them, they also have considerable resources to fund cybersecurity and training programs in their defense. Small and medium-sized companies may need more time, financial resources, or people to protect against threats as insidious as whaling effectively.

What are the characteristics of a typical whaling attack?

Since attackers will utilize the information gathered during their reconnaissance of personnel, they can often be more challenging to identify. Here are some common traits of a whaling attack:

Spoofed emails: Whaling attacks often forge either the personal or domain sections of an email address to look almost identical to a genuine contact, which projects credibility and allows them to exploit the recipient’s trust.

Additionally, many attacks mimic an organization’s templates, language, and tone when emailing an employee. It’s also common for these emails to be sent with an air of urgency, creating psychological pressure on the recipient to acquiesce to the senders’ requests quickly and making them more likely to overlook discrepancies or refrain from asking questions.

Suspicious links: Links, attachments, and landing pages sneak malware into vulnerable devices or networks and can be further concealed by embedding them into the main body of an email or other internal communication text.
High-value targets: Whaling attacks will almost always target high-value individuals in an organization to use their influence to either directly facilitate an attack or to direct others to do so on their behalf.

How to prevent whaling attacks

While whaling attacks are as sophisticated as they are insidious, there are ways of shoring up and strengthening your organization’s defenses to improve the chances of early detection and harm reduction in the case of a breach.

Start with the most vulnerable targets

C-Suite executives, management teams, specialist staff, and individuals with access to financial information are likely targets for whaling attacks. As such, you should invest in training so that these vulnerable targets remain vigilant to the signs of a possible whaling attack and take swift action when one is identified.

Train your high-value employees to check the domain names of questionable senders, confirm high-risk requests via a separate channel, and avoid opening unsolicited attachments.

Create Operational Security (OPSEC) Awareness

OPSEC aims to identify otherwise innocuous activity that could leave individuals or your organization at risk if exploited. A typical example would be your executives displaying personal information such as birthdays or hobbies on a public social media profile that an attacker could utilize while impersonating them. Company waste bins are also a common hunting ground for determined attackers and can provide helpful personal or operational data to be leveraged later. The key is identifying these weaknesses and developing preventative policies or active countermeasures against them.

Install robust email security policies

Since email spoofing is often central to whaling attacks, ensuring you have the correct DKIM, DMARC, DNSSEC, and SPF settings in place can be extremely valuable, as well as providing a means to flag suspicious external communications.

Create two-step verification procedures

In addition to cybersecurity training, it’s also wise to create a culture of verification with universally understood protocols. Each employee, including C-Suite executives, should only be able to request funds or sensitive data not ordinarily suitable for email with prior verification in a separate channel. An internal messaging platform is ideal here since every employee is likely to have access as a matter of course. Document this protocol and ensure that it is well understood across your organization. Great opportunities to do this are employee onboarding sessions and quarterly organization-wide cybersecurity training “top-ups.”

Invest in anti-phishing technology

Anti-phishing technology works to highlight and block phishing communications. It can automatically scan links and attachments in emails and prevent users from accessing them if they appear suspicious. Acquiring such technology can provide another layer of contingency to help protect your employees and your organization.

How can Elev8 protect you from whaling attacks?

Elev8 provides bespoke, interactive digital skilling programs that can bring your teams and executives up to speed on the latest cybersecurity insights, protocols, and best practices. They will learn why it is so important to remain vigilant against whaling attacks, recognize and respond to warning signs, and develop effective systems for prevention and harm reduction.

If you’re looking for an end-to-end skilling solution to empower your organization to prevent whaling attacks and other types of phishing, contact elev8 for a consultation.

Cookie	Duration	Description
__cf_bm	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
ARRAffinity	session	ARRAffinity cookie is set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user.
ARRAffinitySameSite	session	This cookie is set by Windows Azure cloud, and is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.

Cookie	Duration	Description
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_cfuvid	session	Description is currently not available.
_pk_id.136618.b040	1 year 1 month	Description is currently not available.
_pk_ses.136618.b040	1 hour	Description is currently not available.
_zitok	1 year	Description is currently not available.
.AspNetCore.Antiforgery.9fXoN5jHCXs	session	Description is currently not available.
li_alerts	1 year	Description is currently not available.
VISITOR_PRIVACY_METADATA	6 months	Description is currently not available.