What is Whaling?

July 7, 2020 By Patrick Brown

Whaling phishing is a targeted attack directed at high-level company employees, such as a CEO or CFO. Like other phishing attacks, the goal of whaling phishing is to impersonate a trusted person or brand and, by using social engineering tactics, trick the recipient into relaying sensitive information or transferring funds to the attacker.

In this article, we’ll delve deeper into the definition of whaling phishing, typical examples, and how you can prevent falling victim to a whaling phishing attack. But first, if you’re just catching up, check out the other articles in this series:

WHAT IS WHALING PHISHING?

There are different types of phishing attacks and they differ by their specific target:

Phishing: a wide net approach which uses the same communication, such as an email, on a broad group of people

Spear phishing: a more targeted, personalized attack on a single employee, a group of employees, or an organization

Whaling phishing: a targeted, personalized attack on important company personnel

In order to target high-profile individuals, phishing emails (or phone calls, texts, etc.) are carefully crafted using available data and information. The communication will appear legitimate. It may include impersonating a friend, colleague, CEO, or a trusted brand.

A whaling attack is more time consuming for a criminal actor because each attack requires the attacker to identify a specific target and craft a unique message. But the payoff can be incredibly high because of the additional access of high-profile targets. Targets could include IT systems, confidential data, bank account information, or access to transfer funds.

EXAMPLES OF WHALING PHISHING:

Snapchat A Snapchat HR employee received an email that appeared to be from the CEO, Evan Spiegel. The email asked for payroll information about both current and former employees and the employee believed the request to be legitimate. After the incident, Snapchat contacted the affected employees (and former employees) and offered them two years of identity-theft insurance and monitoring.

Seagate Technology In 2016, Seagate Technology fell victim to a whaling phishing attack. Again, like in the Snapchat example, an email request was sent. Appearing to be legitimate, the email asked for 2015 W-2 tax form information for current and former U.S.-based employees. The employee who responded to the email sent the information to the third-party without realizing it was a scam. And while the company offered identity-theft insurance and monitoring, just like Snapchat, to the affected employees, that likely didn’t protect them against tax refund fraud.

Mattel A phishing email targeted a Mattel finance executive in 2016 with what appeared to be a routine invoice request to a new vendor from the new CEO. The executive wired $3 million to the new vendor in China. With a focus on new business in China, the request aligned with current business operations. And with a new CEO, the executive who received the phishing email was eager to please the new boss. The Mattel protocol required two high-ranking managers to approve invoice payments. The attackers knew about this protocol, drafting the email to someone with power while also impersonating the CEO. While authorities and a bank holiday assisted in retrieving Mattel’s $3 million, others aren’t so lucky.

WHAT CAN YOU DO TO PREVENT WHALING PHISHING?

To prevent a whaling phishing attack at your organization, employ these suggestions:

1. Educate senior management. Include both traditional signs of phishing in your education and specific whaling techniques used on high-profile employees. Educate your senior management that they can be specific targets and what typical attacks might look like.

2. Minimize available data. Because whaling attacks (and spear phishing attacks) target specific people using personal information, minimize available public data, such as birthdays, hobbies, etc. from sources like LinkedIn and Facebook.

3. Mark emails from outside the company. Whaling attacks often attempt to impersonate another individual from inside the company (like all three examples listed in this article). Make sure external emails are flagged and staff is trained to understand that phishing emails will come from email addresses that look familiar, but are not the correct company address.

4. Employ a formal verification process. Ensure a process is in place for all sensitive actions like transferring funds or sending private information. This could include verifying with a specified internal third party via a separate communication method and known contact information. For example, verifying money transfer requests received via email could be verified by phone using a valid number in the company directory.

5. Employ an in-depth defense strategy. Make sure you’re employing an in-depth cyber defense strategy that includes requiring MFA (multi-factor authentication), timely software updates, and frequent backups.

To learn more about phishing check out the rest of the phishing series:

  • The Definitive Guide to Phishing
  • What is Spear Phishing?
141 West Pierpont Avenue
Salt Lake City, Utah 84101
© 2020 Measured Insurance, Inc. 
All rights reserved.