What is whaling?
In cybersecurity, whaling, also known as CEO fraud, whaling phishing, whale phishing, or a whaling phishing attack, is similar in technique to phishing - the method involves email and website spoofing and relies on social engineering to trick the victim into carrying out specific actions e.g. revealing sensitive data or transferring funds.
A whaling attack occurs against a high-end executive or senior employee, with the intention of stealing money or information or gaining access to the person’s computer in order to execute further cyberattacks.
Whale Phishing vs. Spear Phishing
As a general rule, the term ‘phishing’ applies to a type of cyber attack that usually relies on social engineering - the attacker hopes that the victim will open a malicious email, click on an infected link or open an attachment that can then lead them to a malicious website.
When a phishing attack is set up, the attacker may target hundreds or thousands of individuals, without knowing how many of these targets will bite. The aim of these phishing attacks is monetary gain, and to solicit sensitive information.
More specifically, a spear-phishing attack is a communications scam aimed at a specific organization, business or individual within a company - the attacker ‘spearheads’ the attack and zeroes in on one target.
Whaling attacks, or whaling-phishing attacks, differ from spear-phishing attacks in that fraudulent communications appear to have come from someone senior within a company or organization - the ‘big phish’ or ‘whale’, e.g. the CEO or CFO. Phishing emails are designed to look credible in order to trick other staff members. It's worth a cyber criminal's time and effort to target these 'whales', as they will have the highest level of trust and access within their own organizations.
How does a Whaling Phishing Attack work?
In a whaling attack, the attacker will send the ‘whale’ an authoritative-looking email, convincing them to disclose vital information or transfer funds. In some cases, they may direct the victim toward a customized malicious website, specially created as part of this attack.
Why is a Whaling Attack dangerous?
Through a whaling attack, a threat actor will infiltrate an organization by homing in on senior members in an effort to gain access to the most sensitive files, data and information. This information can then be used to carry out further attacks, including financial attacks, business disruption and identity theft. A whaling attack can cripple a company from the top down.
One key aim of whaling attacks is to trick the victim into authorizing high-value wire transfers to the attacker. Sometimes, the attacker will impersonate the ‘whale’ i.e. the CEO or CFO, in order to convince other members of the company to disclose vital information.
Whaling cyber awareness
As whaling attacks are so specific, they are more difficult to detect than standard phishing attacks, which are more widespread. The attacker will use personalized information to make their attack look credible - for example, using names, job titles, and known acquaintances in their email spoofing.
The attacker will usually spend a lot of time constructing the attack so that it looks as credible as possible. Unlike standard phishing attacks, which sometimes give themselves away through poor spelling and grammatical errors, a whaling attack offers a much higher return if it succeeds, so it is worthwhile for the attacker to perfect every detail.
Notable examples of whaling attacks
There have been notorious whaling attacks in recent history that have cost companies greatly:
- In 2020 the hedge fund Levitas Capital was the victim of a whaling attack - the co-founder was sent an illegitimate Zoom link that installed malware on his device. This swift move cost the company $8.7 million.
- Fraudsters committed a whaling attack in 2015 by coercing an Omaha-based company into sending $17.2 million to a bank in China.
- In 2016, Austrian aerospace manufacturer FACC was duped out of $56 million, after a whaling attack directed against the CEO.
- Film company Pathé’s Dutch operation fell victim to a whaling attack in 2018 that saw it lose $21 million.
The FBI has already reported whaling attacks against US government officials in 2022 and has made dire predictions of this trend continuing.
How can you defend against a whaling attack?
Educate individuals within your organization to ensure they stay on their guard:
- Be wary of unsolicited contact, especially if it concerns sensitive data - important information or financial transactions should always be double-checked.
- Be on the lookout for fake email addresses - employees should double-check unknown or suspicious addresses that could be luring them to divulge sensitive information and be eagle-eyed when it comes to email addresses that may have tiny but significant alterations.
- Tighten up your organization’s network security to avoid lower-level employees inadvertently passing information through a security lapse.
- Take care if an email is requesting money.
Executives need to take care of their digital footprint:
- Do not underestimate even the most innocent of social media posts - threat actors can use clues such as locations they’ve been to and activities they’ve been involved in.
- Leaving these tidbits of information about their lives online makes it easier for a cyber criminal to impersonate them, and gain the trust of others in their inner circle.
- LinkedIn, Facebook, Instagram and Twitter are all useful sources of information for someone who wishes to spy on a whale’s personal or professional life.
- Whales should request that family members not tag them publicly on these social media platforms, as these innocent posts can actually offer an attacker extremely useful information and insights that can be used against them.
- It’s also wise to encourage all employees, whether higher- or lower-level, to check the privacy settings on their personal social media accounts and restrict who can view their information and whereabouts.
Make the flagging of outside emails a company policy:
- All emails and attachments that arrive from external sources should be checked for malicious links or attachments.
- Getting into the habit of flagging outside emails should make it easier to spot fake emails that look legitimate on the surface, even for those with an untrained eye.
- Company policy should establish several steps of verification before any wires or funds are transferred, so that even if an employee is taken in by the social engineering, the process stops the transfer before any harm is done.
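The two checks above, spotting sender addresses with tiny alterations and flagging every message that arrives from outside the organization, can be automated in the mail pipeline. The following Python script is an added example and is not part of the original article: it assumes a hypothetical organization domain `example-corp.com`, a constructed list of executive names and addresses, and three constructed sample messages. It flags external senders, lookalike domains (homoglyph swaps such as `rn` for `m` or `1` for `l`, and near-miss spellings), an executive's display name paired with a foreign address, a `Reply-To` that diverges from the `From` domain, and payment or urgency wording, which are the traits the article describes.

```python
"""Inbound-mail triage for whaling-style messages (added example, not the article's code).

Assumptions, all constructed for this illustration:
  - ORG_DOMAIN is the organization's own mail domain.
  - KNOWN_EXECUTIVES maps a lower-cased display name to the executive's real address.
  - The SAMPLE_* strings are made-up RFC 5322 messages, not real mail.
"""
from __future__ import annotations

import difflib
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"  # hypothetical organization domain
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # constructed

# Digit-for-letter swaps commonly used to make a domain look like the real one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Words that, in the subject or body, warrant a second look before acting.
TRIGGER_WORDS = ("wire transfer", "urgent", "confidential")


def normalise(domain: str) -> str:
    """Lower-case, map digit look-alikes to letters, and collapse 'rn' to 'm'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def is_lookalike(domain: str, reference: str = ORG_DOMAIN) -> bool:
    """True when domain is not the reference but is visually very close to it."""
    if domain.lower() == reference.lower():
        return False  # the genuine domain is never a lookalike of itself
    d, r = normalise(domain), normalise(reference)
    if d == r:
        return True  # differs only by homoglyph substitution
    # A similarity ratio near 1 means only one or two characters differ
    # (e.g. a dropped letter or a swapped TLD such as .co for .com).
    return difflib.SequenceMatcher(None, d, r).ratio() >= 0.9


def triage(raw_message: str) -> list[str]:
    """Return the list of flags raised for one message; an empty list means nothing noted."""
    msg = message_from_string(raw_message)
    flags: list[str] = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]

    # Policy: every message from outside the organization is marked.
    if from_domain.lower() != ORG_DOMAIN:
        flags.append("EXTERNAL_SENDER")
    if is_lookalike(from_domain):
        flags.append("LOOKALIKE_DOMAIN")

    # An executive's name on an address that is not the executive's real one.
    exec_addr = KNOWN_EXECUTIVES.get(display.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        flags.append("EXECUTIVE_NAME_SPOOF")

    # Replies silently routed to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain.lower():
        flags.append("REPLY_TO_MISMATCH")

    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in TRIGGER_WORDS):
        flags.append("PAYMENT_OR_URGENCY_LANGUAGE")
    return flags


# Constructed sample messages (not real mail).
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: jane.doe.ceo@webmail.example
Subject: Urgent - confidential wire transfer

Please process the attached invoice today and keep this between us.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
Subject: Board deck for Thursday

Slides attached for review.
"""

SAMPLE_VENDOR = """From: Accounts <billing@vendor.example>
Subject: Invoice 1234

Please find the invoice attached.
"""

if __name__ == "__main__":
    for name, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT), ("vendor", SAMPLE_VENDOR)):
        print(f"{name}: {triage(sample)}")
```

In a real deployment the flags would feed the external-mail banner and, for anything carrying `LOOKALIKE_DOMAIN` or `EXECUTIVE_NAME_SPOOF`, a hold for human review; the similarity threshold should be tuned against the organization's own legitimate partner domains to keep false positives low.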
Use anti-phishing software that provides specific detection services:
- URL screening and filtering: Companies can use this software to block sites they know to be harmful or dangerous - if an employee attempts to load a suspicious webpage, they will be redirected.
- DNS filtering: Similarly, companies can use DNS filtering to block entire domains that could be dangerous, rather than specific URLs.
- Link validation: You’ll be alerted if a link has been modified, tampered with, or seems suspicious.