Everything there is to know about whaling attacks, including what they are and how your organization can protect itself against one.
Threat actors today will do almost anything to get hold of an organization’s sensitive information. Like most criminals, however, cybercriminals usually target the victim that requires the least effort for the most reward.
Take phishing attacks as an example. There are many types of phishing attacks, but most occur via email. Typically the attack involves a cybercriminal impersonating a legitimate identity or organization, and then sending email en masse to as many email addresses as the attacker can find.
This type of cybersecurity threat has an extremely low barrier to entry: sending email even to millions of recipients is relatively cheap, and even if only one person falls for the scam, that can justify the hacker’s initial investment.
That said, phishing scams are also becoming more sophisticated. In some cases the attacks are now meticulously designed with one specific target in mind, to score a potentially huge payoff.
This is known as a whaling attack, and it’s quickly gaining popularity in the cyber crime community due to its potential for a much larger reward.
In this article we’ll take a closer look at whaling attacks: what they are, why they’re dangerous, and how your organization can protect itself against them.
What is a Whaling Attack?
Whaling attacks, also called whaling phishing or whaling phishing attacks, are a specific type of phishing attack that targets high-profile individuals – the “big fish” of your company. Think senior executives, your c-suite, board members, or even celebrities who might have access to more sensitive data than lower-level employees.
The ultimate goal of a whaling attack is to manipulate the target into providing some form of sensitive information to the attacker. Usually this is accomplished through email spoofing, content spoofing, or a combination of the two. Social engineering techniques are designed to trick the recipient into opening a malicious hyperlink or an attachment that either infects the victim’s system with malware or solicits sensitive information.
Whaling attacks are often perpetrated by an attacker impersonating one of your organization’s clients, asking for payment; or one of your organization’s C-level corporate officers (or anyone with the power to ask employees to make payments). This type of attack is called CEO fraud, but it’s only considered a whaling attack if it’s directed at another high-ranking employee. Otherwise CEO fraud is typically associated with spear-phishing attacks, which we discuss in more detail in the following section.
Perhaps the most dramatic example from recent years is the attack on Austrian aerospace parts maker FACC, where the attacker used a scam email to pose as the CEO of the company and request a money transfer of €50 million to fund a fake acquisition project. (The company fell for it, and the CEO was fired.) This specific type of whaling attack is known as a “fake president incident,” and it can have potentially catastrophic consequences for its victims.
Executing a successful whaling attack takes time. Whaling attacks work because they’re highly customized and personalized, a tactic that requires threat actors to collect personal data about their victims before they launch an attack. To do so, cybercriminals might monitor victims’ social media, LinkedIn, or other public-facing profiles to collect details about their lives to make the attack seem more legitimate.
Because whaling attacks target high-value victims, they often yield high-value results. Corporate officers and senior executives have privileges (such access to corporate bank accounts) that lower-level employees do not, making the potential payout for a successful attack much more lucrative.
As whaling attacks become more common and more costly for the organizations, it’s more important than ever for your organization to prioritize prevention. As the examples above illustrate, a whaling attack can come with serious financial consequences. Then add consequences for corporate reputation, regulatory compliance, and legal ramifications, and the cost of a whaling attack can quickly add up to huge sums.
Why are Whaling Attacks More Dangerous than Phishing Attacks?
Social engineering attacks of any kind are dangerous to organizations, because humans are often the weakest link in the chain of defense. Social engineering tactics exploit this weakness in several ways.
Research from Verizon’s 2021 Data Breach Investigations Report confirms that social engineering attacks such as phishing are the most prevalent and dangerous types of cyberattacks because they are so deceptive. According to Verizon’s findings, 85 percent of data breaches involved the human element in 2021.
Of those social engineering attacks, phishing attacks were responsible for more than 80 percent of reported security incidents. According to CISCO’s 2021 Cybersecurity Threat Trends Report, 90 percent of data breaches occurred due to phishing.
Spear phishing, or a targeted attack on a specific individual as opposed to a large number of random recipients, was the most common type of phishing attack in 2021, according to Tessian Research. Unlike most phishing attacks, however, whaling phishing attacks have the potential for much more serious consequences.
Like email phishing attacks, whaling attacks are often executed via email, and often use high-pressure situations to motivate their victims. Like spear phishing attacks, whaling attacks also involve a degree of research about the victims prior to the attack. In a whaling attack, however, the ultimate goal usually involves convincing a single ranking target to authorize a high-value wire transfer to the attacker under false pretenses.
A whaling attack has the potential to be much more dangerous to your organization than a standard phishing email attack or a spear phishing attack, mostly because this type of attack cuts out the middle-man. In a phishing attack, the attacker may glean information from the target that allows the attacker to access sensitive information for profit (whether the attacker sells that information on the dark web or holds it ransom). In a spear phishing attack, the attacker may obtain unauthorized access to sensitive company data or attempt to escalate privileges again, with the intention of making a profit.
In a whaling attack, the target is often high enough in the chain of command that he or she can make direct wire transfers without much authorization. For example, if an attacker successfully dupes a CEO or a CFO, the attacker now has no extra steps between him and his goal: money.
So how do you protect your organization against this type of attack? Let’s look at some steps you can take to safeguard your business from whaling attacks.
How do I Safeguard my Business from Whaling Attacks?
It’s important to begin by first understanding some of the basic best practices for cybersecurity, including measures to prevent phishing attacks in general. Then your organization will be better prepared to identify and stop a whaling attack before it hurts your business.
Spotting a Phishing Attack
The best way to prevent any type of phishing attack is to identify a spoofed email before anyone clicks a link, downloads an attachment, or takes any other action. If your first instinct is that an email is fake or attempting a scam, follow that instinct.
Start by checking the legitimacy of the email address itself. Is it from an authentic domain? Does the format match other email addresses from the same domain? Is the domain name spelled correctly?
You should also try to verify the claims within the email directly with the source. (For example, call the supposed sender by phone to confirm the message in the email.) Any websites affiliated with the email address or the domain should be secured with a digital certificate. Look for the padlock icon next to the site name in the URL.
Next, examine the email’s content. Most of the time, phishing emails will use threats or a sense of urgency to scare users into doing what they want. At the same time, phishing emails also often contain generic salutations, grammar mistakes, and spelling errors scattered throughout.
Security Awareness Training
Security awareness training is one of the most effective ways to prevent phishing attacks from occurring. For whaling attacks specifically, the employees you need to train are those at the top. If your executives understand the importance of practicing secure email habits, then your lower-level employees are more likely to follow suit.
Fortunately, whaling attacks are far less common than the standard run-of-the-mill phishing attacks. Still your executives should be prepared to identify these types of attacks even if they never experience one.
Transaction Policies
Whaling attacks often ask the target to transfer large amounts of company money or corporate data. In that case, adopt standard policies to slow down those transactions, even when they originate with the CEO or other senior executives. For example, have a written policy for the finance team that no transaction over a certain threshold (say, $10 million; or whatever makes sense for your business) can happen without board-level approval or a 24-hour wait period. Policies that slow down transactions help to identify scam transactions before they reach fruition.
Tools to Help
Fortunately, there are tools available to help individuals and organizations prevent phishing emails from even reaching your inbox. Some of these tools are already built into your email platform and may be effective. Yet even with tools in place to stop phishing emails, it’s likely that some will still get through to your or your employees.
Avoid Whaling and Phishing Attacks with ZenGRC
The easiest way to prevent phishing and whaling attacks is to use one of the many security tools available to your organization.
Good governance, risk management, and compliance (GRC) software is one tool available that can safeguard your business from phishing attacks, as well as other types of cyberattacks that threaten your organization’s security.
ZenGRC from Reciprocity is an innovative platform that allows you to streamline and centralize your company’s risk management program. With automated alerts and workflows that allow you to track risks throughout your entire enterprise with full transparency between departments, Zen takes the guesswork out of risk management.
With ZenGRC, a team of cybersecurity professionals is always looking out for your organization and its assets to make sure you get the best protection against security breaches and cyberattacks.
Learn how ZenGRC can help your organization protect itself from cyberattacks including phishing attacks, and contact us for a free demo today. Worry-free risk management is the Zen way.