Whaling Attacks (Whaling Phishing)

March 4, 2021

What is a Whaling Attack?

A whaling attack is a social engineering attack against a specific executive or senior employee with the purpose of stealing money or information, or gaining access to the person’s computer in order to execute further cyberattacks.

Whaling vs Phishing vs Spear-phishing

All social engineering attacks are based on deception. A target is persuaded to take an action, such as clicking on a bad link. There are two differences between phishing, spear phishing, and whaling: who is targeted and how hard the adversary has to work to launch the attack.

Phishing

A phishing attack targets anyone who clicks on a bad link or downloads a malicious attachment — their seniority, role, etc., are not key to the deception.

Spear-Phishing

A spear phishing attack targets a demographic, such as employees at a certain company or finance analysts in a specific industry.

Whaling

A whaling attack uses business email compromise (BEC) techniques to lure a senior individual, such as a particular C-level executive, to take the desired action.

Learn More

The difference between phishing, spear-phishing and whaling attacks is on the scale of personalization. Phishing is the least personalized, whaling is the most, and spear-phishing lies between.

[Figure: Differences between Spear Phishing, Phishing, and Whaling]

How Does a Whaling Attack Work?

Whaling attacks succeed in fooling sophisticated people because they are based on a significant amount of research. For example, a CEO may receive an email that appears to be from his CFO, whom he knows is on vacation. The email may say something like, “About to board plane, urgent need to pay Vendor X or critical shipment will be delayed. Can you send a wire transfer of $2M to the following account number…”

The CEO knows the CFO is traveling. The CEO knows the vendor is legitimate. The writing style matches the CFO’s writing style. The email address looks correct. How did all this happen?

Scammers use multiple techniques, including social engineering, email spoofing, and content spoofing, to craft convincing whaling emails. They research the person they are impersonating, as well as the person they are trying to deceive, by exploring social media and other open sources of data. They may use a phishing attack as a preliminary stage, gaining access to a lower-level employee’s computer in order to leapfrog into HR records and see when key company players are scheduled for time off, or they may eavesdrop on specific email inboxes to learn personal details they can use to create a believable message. They may even engage in physical social engineering, such as by hanging out at a coffee shop known to be popular with a targeted company’s employees.

How to Recognize a Whaling Email

While companies have become much better at requiring security awareness training, C-level personnel are less likely to comply with such a program. That may be because they have gatekeepers who decide for them that they won’t need the training, because the training is inconvenient for them, or because the training designed for the average employee is not relevant to the needs of an executive.

And no matter how rigorous your anti-whaling efforts may be, there is always a chance that one whaling email will slip through your defenses. The only way to protect the enterprise from scams that land in an executive’s inbox is to harden the target by providing executives with security awareness training that is relevant to their positions.

Even if senior employees are already aware of the threat of business email compromise, they need to understand that whaling emails are far more sophisticated than phishing or spear phishing emails, and that even the most cautious person may be fooled. Teach them to look for:

  • Content: The first red flag is the nature of the request. If the request is for a wire transfer or the transfer of sensitive data, it requires a closer look.
  • Urgency: If the request carries a deadline and suggests that negative consequences will follow if the deadline is missed, consider it highly suspicious and subject it to a multi-step verification process, such as examination by the security team.
  • Domain: The domain should be an exact match for the corporate domain. Look for domains that substitute “rn” for “m,” “vv” for “w,” etc.

Whaling Attack Targets

All this effort is worthwhile for scammers because the payoffs can be huge. Whaling victims that have made the news include a grain company that lost $17.2 million and a film company that lost $21 million. An airplane part manufacturer lost $54 million and fired its CEO of 17 years.

Other companies report the exfiltration of large amounts of sensitive data. A hard drive manufacturer sent income tax data for several employees and sensitive data belonging to thousands of others to a scammer. It was sued by its own employees. A social media company sent employee payroll information at the request of a scammer impersonating its CEO. Stolen information may be sold on the dark web or leveraged by nation-state actors for political purposes.

The average whaling attack does not yield such dramatic results, but the amounts sought by attackers are rising. The average wire transfer request increased from $48K to $75K in just the last three months of 2020. The industries most targeted by phishing overall in 2020 were financial institutions, webmail, and SaaS.

How to Avoid a Whaling Attack

Because a whaling attack is launched in the same way a phishing attack is launched, many of the same protections that are already in place will help protect an enterprise. These include:

  • Exposing spoofed addresses by stopping email from outside the network if the domain is suspicious – for example, if an email seemingly from Widget.com is actually from Vvidget.com.
  • Implementing data loss prevention (DLP) software that blocks emails in violation of company rules and flags emails based on the age of the domain vs. the age of the alleged sender’s domain, the inclusion of suspicious phrases like ‘wire transfer,’ or other attributes.
  • Setting up whaling prevention practices, such as by institutionalizing a rule that emailed requests for sensitive information or wire transfers over a certain amount must be verified by phone and a second person must sign off on such transactions.
  • Requiring employees to lock down their social media profiles to friends-only in order to prevent scammers from poring over them for useful details.
  • Delivering specialized security awareness training for executives, who have different vulnerabilities and needs than general users.
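To show how the lookalike-domain check from the "How to Recognize" list and the DLP-style phrase flagging above can be applied to inbound mail, here is a small detection routine added as an illustration; it is not code from the original article. The confusable pairs, the phrase lists, and the sample messages are assumptions constructed for the example.

```python
import re

# Confusable letter sequences named in the article (assumption: compared case-insensitively).
CONFUSABLES = [("rn", "m"), ("vv", "w")]
# Constructed phrase lists standing in for DLP rules; 'wire transfer' comes from the article.
SENSITIVE_PHRASES = ["wire transfer", "account number", "payroll", "tax data"]
URGENCY_PHRASES = ["urgent", "asap", "about to board", "will be delayed"]


def normalize_domain(domain: str) -> str:
    """Lower-case a domain and collapse confusable pairs so that
    vvidget.com and widget.com compare equal."""
    d = domain.strip().lower()
    for seq, canon in CONFUSABLES:
        d = d.replace(seq, canon)
    return d


def sender_domain(address: str) -> str:
    """Return the domain part of a From header such as 'CFO <cfo@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""


def is_lookalike(domain: str, corporate: str) -> bool:
    """True when the domain is not the corporate domain but reads like it."""
    return (domain.lower() != corporate.lower()
            and normalize_domain(domain) == normalize_domain(corporate))


def score_email(sender: str, body: str, corporate: str) -> list[str]:
    """Return the red flags found in one message; an empty list means none."""
    flags = []
    dom = sender_domain(sender)
    text = body.lower()
    if is_lookalike(dom, corporate):
        flags.append("lookalike-domain")
    elif dom != corporate.lower():
        flags.append("external-sender")
    if any(p in text for p in SENSITIVE_PHRASES):
        flags.append("sensitive-request")
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency")
    return flags


# Constructed samples modelled on the article's CFO-on-vacation scenario.
SAMPLES = {
    "cfo_spoof": ("CFO <cfo@vvidget.com>",
                  "About to board plane, urgent need to pay Vendor X. Can you send "
                  "a wire transfer of $2M to the following account number..."),
    "legit": ("CFO <cfo@widget.com>", "Attached is the Q1 budget summary for review."),
}

if __name__ == "__main__":
    for name, (sender, body) in SAMPLES.items():
        print(name, score_email(sender, body, "widget.com"))
```

A flagged message is a candidate for the out-of-band phone verification and second-signer rule described in the list above, not an automatic block.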

Expert Tip

Users can’t prevent phishing attacks, but they can protect themselves and help slow the tide by reporting phishing emails when they recognize them. Do your part to be a good internet citizen. Report phishing to: phishing-report@us-cert.gov