A whaling attack, also known as whaling phishing or a whaling phishing attack, is a specific type of phishing attack that targets high-profile employees, such as the chief executive officer or chief financial officer, in order to steal sensitive information from a company. In many whaling phishing attacks, the attacker's goal is to manipulate the victim into authorizing high-value wire transfers to the attacker.
The term whaling stems from the size of the attacks, and the whales are thought to be picked based on their authority within the company.
How whaling attacks work
The goal of a whaling attack is to trick an individual into disclosing personal or corporate information through social engineering, email spoofing and content spoofing efforts. For example, the attackers may send the victim an email that appears to be from a trusted source; some whaling campaigns include a customized malicious website that has been created especially for the attack.
In addition, the sender's email address typically looks like it's from a believable source and may even contain corporate logos or links to a fraudulent website that has also been designed to look legitimate. Because a whale's level of trust and access within their organization tends to be high, it's worth the time and effort for the cybercriminal to put extra effort into making the endeavor seem believable.
Whaling attacks often depend on social engineering techniques, as attackers will send hyperlinks or attachments to infect their victims with malware or to solicit sensitive information. By targeting high-value victims, especially chief executive officers (CEOs) and other corporate officers, attackers may also induce them to approve fraudulent wire transfers using business email compromise (BEC) techniques. In some cases, the attacker impersonates the CEO or other corporate officers to convince employees to carry out financial transfers.
5 ways to protect against whaling phishing
Defending against whaling attacks involves a mix of employee security awareness, data detection policy and infrastructure. Some best practices for preventing whaling include the following:
- Employee awareness. Preventing any type of cybersecurity threat requires every employee to take responsibility for protecting the company's assets. In the case of whaling phishing, all employees -- not just high-level executives -- must be trained about these attacks and how to identify them. Although high-level executives are the targets, lower-level employees could indirectly expose an executive to an attack through a security lapse.
- Multistep verification. All requests for wire transfers and access to confidential or sensitive data should pass through several levels of verification before being permitted. Check all emails and attachments from outside of the organization for malware, viruses and other issues to identify potentially malicious traffic.
- Data protection policies. Introduce data security policies to ensure emails and files are monitored for suspicious network activity. These policies should provide a layered defense against whale phishing and phishing in general to decrease the chances of a breach occurring at the last line of defense. One such policy might involve monitoring emails for indicators of phishing attacks and automatically blocking those emails from reaching potential victims.
Indicators of a potential phishing email include the following:
o The display or domain name differs slightly from the trusted address.
o The email body contains requests for money or information.
o The domain age does not match the domain age of the trusted correspondent.
- Social media education. As an extension of employee awareness, make high-level executives aware of social media's potential role in enabling a whaling breach. Social media contains a wealth of information that cybercriminals can use to craft social engineering attacks like whale phishing. Executives can limit access to this information by setting privacy restrictions on their personal social media accounts. CEOs are often visible on social media in ways that telegraph behavioral data that criminals can mimic and exploit.
- Anti-phishing tools and organizations. Many vendors offer anti-phishing software and managed security services to help prevent whaling and other phishing attacks. Social engineering tactics remain prevalent, however, because they focus on exploiting human error, which exists with or without cybersecurity technology.
Examples of whaling attacks
One notable whaling attack occurred in 2016 when a high-ranking employee at Snapchat received an email from an attacker pretending to be the CEO. The employee was tricked into giving the attacker employee payroll information; ultimately, the Federal Bureau of Investigation (FBI) looked into the attack.
Another whaling attack from 2016 involved a Seagate employee who unknowingly emailed the income tax data of several current and former company employees to an unauthorized third party. After reporting the phishing scam to the Internal Revenue Service (IRS) and the FBI, it was announced that thousands of people's personal data was exposed in that attack.
A third notable example of whaling occurred in 2018 when the European cinema company Pathé was attacked and lost $21.5 million in the wake of the attack. The attackers, posing as high-ranking employees, emailed the CEO and chief financial officer (CFO) with a fraudulent request for a highly confidential financial transaction. Despite red flags, the CEO and CFO transferred roughly $800,000 to the attackers, which was only the beginning of the company's losses from the incident.
HP has predicted that 2021 will likely see an increase in whaling attacks, along with other cybersecurity threats, such as ransomware, phishing emails and thread hijacking. The massive shift to remote work in response to the COVID-19 pandemic is, in part, responsible for exposing organizations to new vulnerabilities, HP said.
Thank you very much for your time.
Top comments (0)