A whaling attack is a technique used by cybercriminals to masquerade as a senior player in an organization and directly target executives or other important individuals in that organization in order to steal money or sensitive information, or to gain access to their computer systems for criminal purposes. Also known as CEO fraud, whaling is similar to phishing in that it uses techniques such as email and website spoofing to trick a target into taking specific actions, such as divulging sensitive data or transferring money. While phishing scams target non-specific individuals and spear phishing scams target specific people, whaling doubles down on the latter by not only targeting these key people, but also making the fraudulent messages appear to have come from someone specific. Think of them as the “big fish” or “whales” in the company, like the CEO or CFO. This adds an additional element of social engineering to the mix, because employees are reluctant to turn down a request from someone they consider important.
The threat is very real and constantly growing. In 2016, Snapchat’s payroll department received a whaling email, apparently from the CEO, asking for employee salary information. Last year, toy giant Mattel was the victim of a whaling attack after a top finance executive received an email asking for money from a fraudster posing as the new CEO. As a result, the company almost lost 3 million dollars.
Before we delve into what “whaling” is or how “whaling attacks” work, we should probably answer a question that is often asked: What is phishing in cyber security? In a nutshell, phishing is when criminals impersonate trusted parties in order to gain a victim’s trust and steal their money or confidential information. Contrary to popular belief, phishing attacks are not limited to email. For example, phishing attacks using text messages are called “smishing,” and phishing attacks using voice calls are called “vishing.” Phishing emails usually target many Internet users and are easier to detect because the attackers are counting on a mass audience. In fact, billions of phishing emails are sent every day. However, phishing attacks can also be far more targeted.
Whaling is a sophisticated type of phishing attack in which attackers either directly target high-ranking players in an organization or impersonate them in order to mislead others. A common example is targeting or impersonating a company’s CEO in order to deceive other important parts of the organization, such as CFOs, payroll departments, security teams, or spokespeople. Cybercriminals rely on sophisticated social engineering strategies to conduct whaling attacks successfully because they know that today’s business leaders already use a range of anti-phishing strategies and tools. Unfortunately, catching the criminals can be difficult because they often mask their location and hide their digital footprints.
The terms phishing, spear phishing and whaling are all analogies to fishing. While fishermen throw a baited line into the water hoping to catch one of the many fish in the sea, a hacker sends phishing emails to many people hoping to catch at least one victim. Similarly, just as some fishing experts use spears to hunt a single fish, threat actors use spear phishing against specific, chosen targets.
As for whales, these mammals are the largest creatures in the sea and a valuable target for some fishermen. Similarly, whaling attacks in cyber security go after high-value targets such as company executives.
With high-level targets wary of phishing attacks, hackers use various strategies to make their whaling campaign successful. For example, they can study an executive’s LinkedIn page to give their campaign a personalized touch. In fact, the security breach is why you probably shouldn’t be using LinkedIn at all. A whaling attacker can also pick up industry jargon to appear legitimate and play on a target’s emotions while offering a lucrative business opportunity. After completing the intelligence gathering phase, they can use the following whale phishing attack vectors, pursuing the objectives listed after them:
Emails: As mentioned above, emails designed to manipulate their targets are a common attack vector and use malicious attachments, links or websites.
Phone: The UK’s National Cyber Security Centre noted that attackers can combine email and phone calls in a one-two strategy, where a phone call follows an email to reinforce the phishing message.
Befriending: Fraudsters can befriend a target on social media by pretending to be a potential business partner, love interest, industry colleague, or authority figure such as a tax official.
Decoy: An attacker can trick a target into using an authentic-looking but infected USB drive by leaving it in their office or gym locker, or by mailing it to their home.
Money: Attackers can use a whaling attack to trick victims into sending them money via bank transfer, or to extort money from an organization after a data breach.
Control: A hacker can use stolen credentials to move laterally across an organization’s network or to open backdoors.
Supply chain attack: A supply chain attack is when hackers attack organizations by disrupting vulnerable elements in their supply chain. In whale phishing, a cybercriminal could theoretically attack a government by hacking its supplier for a man-in-the-middle attack.
Corporate espionage: In a successful whaling attack, a hacker can steal intellectual property or other trade secrets to help a competitor, sometimes in another country.
Malware: A cybercriminal gang can trick victims of whaling attacks into installing dangerous malware, such as ransomware, keyloggers, or rootkits.
Personal vendetta: A victim of a whaling attack can suffer a catastrophic loss of reputation.
Protecting against whaling attacks starts with regularly training key people in your organization to be aware that they may be targeted. Encourage key employees to maintain a healthy level of suspicion when it comes to unsolicited contact, especially when it involves sensitive information or financial transactions. They should always ask themselves: am I expecting this email, attachment or link? Is the request unusual in any way?
They should also be trained to look for telltale signs of an attack, such as spoofed (faked) email addresses and display names. Simply hovering over a sender name in an e-mail will reveal its full address. On careful inspection, you can determine whether it exactly matches the company’s naming convention and domain format. Your IT department should also run whaling exercises to see how your key employees react.
Managers should also learn to exercise extra caution when posting and sharing information online on social networking sites such as Facebook, Twitter, and LinkedIn. Details such as birthdays, hobbies, holidays, job titles, promotions and relationships can be used by cybercriminals to create more sophisticated attacks.
One great way to reduce the threat posed by spoofed emails is to have your IT department automatically flag, for verification, any email that originates from outside your network. Whaling often relies on cybercriminals tricking key employees into believing that a message comes from within the organization, such as a request from a finance manager to send money to an account. An external email flag makes it easier to spot fake emails that look legitimate at first glance, even to the untrained eye.
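The two checks described above (does the sender’s full address match the company’s name and format, and does the message come from outside the network) can be expressed as a simple mail-flagging rule. The following is an added illustration, not code from the original article; the domain `example.com`, the executive list and the sample message are all constructed for the example.

```python
import email
from email.header import decode_header, make_header
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed organization domain
# Assumed directory of "whales" whose names an attacker is likely to borrow
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def analyse_from_header(raw_message: str) -> dict:
    """Return the flags an external-mail rule would attach to a message."""
    msg = email.message_from_string(raw_message)
    from_value = str(make_header(decode_header(msg.get("From", ""))))
    display_name, address = parseaddr(from_value)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    # Exact domain match: a look-alike domain counts as external
    external = domain != INTERNAL_DOMAIN
    expected = EXECUTIVES.get(display_name.strip().lower())
    # A known executive's name on an address that is not theirs is the classic whaling sign
    impersonation = expected is not None and address.lower() != expected
    return {
        "display_name": display_name,
        "address": address,
        "external": external,
        "executive_impersonation": impersonation,
    }


def tag_subject(raw_message: str) -> str:
    """Prefix the subject the way the flagging rule would, worst finding first."""
    flags = analyse_from_header(raw_message)
    subject = email.message_from_string(raw_message).get("Subject", "")
    if flags["executive_impersonation"]:
        return "[SUSPECTED IMPERSONATION] " + subject
    if flags["external"]:
        return "[EXTERNAL] " + subject
    return subject


# Constructed sample: the CEO's display name on a look-alike external domain
SAMPLE = (
    "From: Jane Doe <jane.doe@examp1e.com>\r\n"
    "To: payroll@example.com\r\n"
    "Subject: Urgent: employee salary report\r\n"
    "\r\n"
    "Please send me the salary information for all employees today.\r\n"
)

if __name__ == "__main__":
    print(analyse_from_header(SAMPLE))
    print(tag_subject(SAMPLE))
```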
It is also recommended that you deploy specialized anti-phishing software that provides services such as URL screening and link checking. It’s also wise to consider adding another layer of verification when it comes to releasing sensitive information or large amounts of funds. For example, a face-to-face meeting or a phone call may be a better practice for critical or sensitive tasks than simply conducting the transaction electronically.
Also, when it comes to internet fraud, two heads are better than one. Consider changing your organization’s procedures so that two people, rather than one, sign off on payments. Not only does this give each person a second point of view to dismiss any doubts, but it also removes the fear that they might be singled out for punishment by the senior person if that person is irritated by a rejection, because fear is a key social engineering tactic that these criminals rely on.