A whaling attack is a type of phishing attack that targets high-level executives, such as the CEO or CFO, to steal sensitive information from a company. This could include financial information or employees' personal information.
The reason whaling attacks target high-ranking employees is because they hold power in companies and often have complete access to sensitive data.
The term "whaling" stems from the large size of the potential payoff for the phishing scam, as the "whales" are carefully chosen because of their influence, authority, and access within the company.
In some cases, scammers may pose as the CEO or other corporate officers to manipulate victims into authorizing high-value wire transfers to offshore bank accounts or to go to spoofed websites that install malware.
Why are Whaling Attacks Successful?
Whaling attacks, like spear phishing attacks, are more difficult to detect than typical phishing attacks as they are highly personalized and only sent to select targets in an organization.
While unsophisticated whale phishing relies solely on social engineering to trick targets, the majority of cybercriminals using whaling attacks tend to invest heavily in the attack to make it seem as legitimate as possible, due to potentially high returns.
This could include gathering information from public social media profiles such as Facebook, Twitter and LinkedIn, engaging with the organization via email to understand how the company structures email addresses and email signatures, and gathering general company information like job titles, names of colleagues, third-party vendors and any details exposed in previous data breaches.
Additionally, if the target organization does not have adequate email security, the attacker can employ email spoofing to make their emails appear to come from a trusted source within the organization, making it even harder to detect the attack.
Even if the target organization has adequate email security, attackers can exploit a third-party vendor's lack of cybersecurity and launch the cyber attack via the vendor's domain or buy a similar typosquatted domain name.
How Do Whaling Attacks Work?
The goal of a whaling attack is to trick the victim into disclosing personal information, company information or to install different types of malware, like ransomware, by using social engineering, email spoofing, and content spoofing efforts.
For example, the attacker may send the victim a spoofed email that appears to be from a trusted source, such as a senior executive or another member of senior management. More sophisticated attacks may take control of a colleague's email account or lead to a customized website that was created specifically for the attack.
For example, an attacker may spoof the CTO's email address and send an email to a member of the accounts payable department requesting for a fake AWS bill to be paid by close of business.
Another common target for whaling are company board members because they have a great deal of authority without being full-time employees and may even use a personal email rather than a corporate account.
As whaling attacks depend on social engineering, attackers may send hyperlinks or attachments to infect victims or to solicit sensitive information and generally try to put time pressure on the victim.
Read our guide on social engineering for more information.
What is the Difference Between Phishing, Spear Phishing, and Whaling?
Phishing, spear phishing, and whaling share many similarities, primarily all three involve impersonation to elicit information or money from a target.
That said, they have subtle differences security teams should be aware of.
A typical phishing email takes a quantity over quality approach, sending thousands or even millions of emails to potential victims.
Spear phishing is more selective, targeting specific organizations or employees and requiring more time and effort on the part of the attacker.
Finally, whaling is a specific type of spear phishing that targets high-ranking, high-value targets in a specific organization who has a high level of authority and access to critical company data.
Whaling attacks can take weeks or months to prepare and as a result, can have a very high success rate.
Examples of Whaling Attacks
In 2016, Snapchat fell victim to a whaling attack when a high-ranking employee fell for a CEO fraud email and revealed employee payroll information. Snapchat reported the incident to the FBI and offered their employees two years of free identity theft insurance.
Another well-known whaling attack involved a Seagate executive who accidentally exposed the W-2 forms for all current and former employees. This data breach resulted in the exposure of nearly 10,000 current and former Seagate employees' income tax data, leaving them open to income tax refund fraud and identity theft.
The most dramatic example is the 2016 removal of FACC CEO, Walter Stephan, who fell for a whaling attack that led to the finance department wiring $56 million to fraudsters.
How to Prevent Whaling Attacks
While you can't prevent yourself or your company's executives from being targeted in whaling attacks, there are steps you can take to reduce the likelihood these attacks will be successful.
These are the anti-phishing controls we suggest:
- Invest in security awareness training for senior management: Senior management, key staff, and finance teams should be educated about what whaling attacks are and how to spot them. Train employees to look at the domain name of the sender, confirm requests over a separate channel or in-person, and avoid opening unsolicited attachments. Additionally, conduct mock whaling attacks (as well as other social engineering attacks) to test employees regularly.
- Employ OPSEC practices: Operational security is a process that identifies friendly actions that a potential attacker could group with other data to reveal critical data or sensitive information. This could be as simple as an executive having a public Facebook profile with their personal details like birthday, hobbies, friends, and address exposed or an attacker going through your company's trash cans. Read our guide on OPSEC for more information.
- Have adequate email security in place: As many whaling emails rely on email spoofing, invest in the correct SPF, DKIM, DMARC and DNSSEC settings to prevent email spoofing. Additionally, you may find it helpful to flag external emails. Read our guide on email security for more information.
- Establish a verification process: Ensure that no one employee, not even the CEO, can request funds or information that is not usually transferred via email without verifying their request in another channel, for example, an internal messaging platform. Document this process and train employees on how these requests should be handled.
- Implement data protection software: Invest in software that can automatically detect data leaks and leaked credentials so you can prevent data from falling into the wrong hands. Read our guide on data leaks for more information.
- Monitor all third-party vendors: Remember that these attacks don't necessarily have to come from your domain if your vendors are handling sensitive data on your behalf, they need to have the same controls in place as your organization. This is why vendor risk management is so important. Consider investing in a security ratings provider who can help you instantly identify key risks across your vendor portfolio. Read our guide on how to manage third-party risk for more information.
How UpGuard Helps Prevent Whaling Attacks
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates. We can help you continuously monitor your vendors' external security controls and provide an unbiased security rating.
For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more.
We base our ratings on the analysis of 70+ vectors including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Vulnerabilities
- Malware susceptibility
- Unnecessary open administration, database, app, email and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of intelligent security questionnaires
