A whaling attack is a method used by cybercriminals to masquerade as a senior player at an organization and directly target senior or other important individuals at an organization, with the aim of stealing money or sensitive information or gaining access to their computer systems for criminal purposes. Also known as CEO fraud, whaling is similar to phishing in that it uses methods such as email and website spoofing to trick a target into performing specific actions, such as revealing sensitive data or transferring money.
Whereas phishing scams target non-specific individuals and spear-phishing targets particular individuals, whaling doubles down on the latter by not only targeting those key individuals, but doing so in a way that the fraudulent communications they are sent appear to have come from someone specifically senior or influential at their organization. Think of them as "big phish" or "whales" at the company, such as the CEO or finance manager. This adds an extra element of social engineering into the mix, with staff reluctant to refuse a request from someone they deem to be important.
The threat is very real and growing all the time. In 2016, the payroll department at Snapchat received a whaling email seemingly sent from the CEO asking for employee payroll information. Last year, toy giant Mattel fell victim to a whaling attack after a top finance executive received an email requesting a money transfer from a fraudster impersonating the new CEO. The company almost lost $3 million as a result.
As mentioned earlier, whaling differs from spear-phishing in that fraudulent communications appear to have come from someone senior. These attacks can be made all the more believable when cybercriminals use significant research that utilizes openly available resources such as social media to craft a bespoke approach that's tailored for those target individuals.
This could include an email that seems to be from a senior manager and could include a reference to something that an attacker may have gleaned online, for example, when they’ve seen said person on some social media images of the office Christmas party: ‘Hi John, it’s Steve again – you were pretty drunk last Thursday! Hope you managed to get that beer stain out of your red shirt!’
In addition, the sender's email address typically looks like it's from a believable source and may even contain corporate logos or links to a fraudulent website that has also been designed to look legitimate. Because a whale's level of trust and access within their organization tends to be high, it's worth the time and effort for the cybercriminal to put extra effort into making the endeavor seem believable.
Defending against whaling attacks starts with educating key individuals within your organization to ensure they are routinely on guard about the possibility of being targeted. Encourage key staff members to maintain a healthy level of suspicion when it comes to unsolicited contact, especially when it pertains to important information or financial transactions. They should always ask themselves if they were expecting the email, attachment or link? Is the request unusual in any way?
They should also be trained to look out for the telltale signs of an attack, such as spoofed (fake) email addresses and names. Simply hovering a cursor over a name in an email reveals its full address. By looking carefully, it's possible to spot if it perfectly matches the company name and format. Your IT department should also carry out mock whaling exercises to test how your key staff react.
Executives should also learn to take special care when posting and sharing information online on social media sites like Facebook, Twitter and LinkedIn. Details such as birthdays, hobbies, holidays, job titles, promotions and relationships can all be used by cybercriminals to craft more sophisticated attacks.
One excellent method of reducing the danger posed by spoof emails is to require your IT department to automatically flag emails for review that come in from outside your network. Whaling often relies on cybercriminals deceiving key personnel into believing messages are from inside your organization, such as a finance manager's request to send money to an account. Flagging outside emails makes it easier to spot fake emails that look legitimate on the surface, even for those with an untrained eye.
Deploying specialist anti-phishing software that provides services such as URL screening and link validation is also advisable. It's also wise to consider adding another level of validation when it comes to the release of sensitive information or a large amount of funds. For example, a face-to-face meeting or a phone call may be the best practice when handling critical or sensitive tasks, rather than simply carrying out the transaction electronically.
Also, when it comes to Internet scams two heads are better than one. Consider changing the procedures at your organization so that two, rather than one person has to sign off payments. Not only does this give one person a second point of view to bounce any doubts off, it also removes the fear that they may be singled out for punishment by that senior person should they be annoyed at any refusal – because fear is a key social engineering tactic which these attackers rely on.